Hello,

I've just released gnutls 2.12.24. This is an update on the long-time deprecated 2.12.x branch. It fixes several interoperability issues present at this branch, removes support for legacy protocols and ciphersuites, and improves TLS 1.2 support.

The update on this branch does not put 2.12.x into the maintained branches but it is rather a one-time update (sponsored by Red Hat) to extend the lifetime of systems which cannot upgrade to newer supported releases due to the ABI breakage. There are no other planned updates.

Version 2.12.24 (released 2016-11-04)

** libgnutls: Fix in TLS server hello parsing (GNUTLS-SA-2014-3)

** libgnutls: Fix in TLS record decoding (GNUTLS-SA-2013-2)

** libgnutls: Fix in certificate verification (GNUTLS-SA-2014-1, GNUTLS-SA-2014-2, GNUTLS-SA-2015-1)

** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan (GNUTLS-SA-2015-2).

** libgnutls: Separated the logic of supported signature algorithms for CertificateRequest message and ClientHello. This allows the former to be restricted to SHA1 and SHA256 due to internal limitations, while the latter can utilize any supported algorithms.

** libgnutls: Be less strict in TLS 1.2 signature algorithm adherence. This improves compatibility with sites that have a certificate with an enabled hash algorithm but necessarily enabled for TLS negotiation.

** libgnutls: No longer set SSL 3.0 as the record layer version by default. This improves interoperability against broken servers which assume that this version is supported by the client.

** libgnutls: No longer include SSL 3.0 to the default protocol list. SSL 3.0 must be explicitly enabled using a priority string.

** libgnutls: Prohibit DSA2 signatures when used with the libgcrypt backend. There are interoperability issues, and these algorithms are too rare to require a proper fix.

** libgnutls: The minimum Diffie-Hellman bits size was raised to 1023 from 768.

** libgnutls: Removed support for EXPORT ciphersuites. The EXPORT priority string becomes an alias to NORMAL.

** libgnutls: Disabled random padding in the TLS protocol to improve compatibility with various broken servers.

** libgnutls: the ARCFOUR-128 cipher was removed from the default priority lists.

** libgnutls: Do not call the post client hello callback twice when resuming using session tickets.

** libgnutls: Corrected the setting of PSK hint for DHE-PSK ciphersuites.

** libgnutls: Do not link with libpthread unless necessary.

** libgnutls: Introduced the priority strings KX-ALL, VERS-ALL, CURVE-ALL (no-op) to improve compatibility with later versions of gnutls.

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/gnutls-2.12.24.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v2.12/gnutls-2.12.24.tar.xz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
