[gnutls-help] gnutls 3.7.5

Fri, 13 May 2022 00:14:27 -0700 

Hello,
We have just released gnutls-3.7.5. This is a bug fix and enhancement release on the 3.7.x branch. 

We would like to thank everyone who contributed in this release:

Tim Kosse, Tatsuhiro Tsujikawa, Brian Wickman, František Krenželok, 
Andreas Metzler,
Benjamin Herrenschmidt, Pedro Monreal, Tobias Heider, Sam James, Daiki 
Ueno and Zoltan Fridrich


The detailed list of changes follows:

* Version 3.7.5 (released 2022-05-15)


** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 
priority
    modifier have been added to disable session ticket usage in TLS 1.2 
because
    it does not provide forward secrecy (#477). On the other hand, 
since session
    tickets in TLS 1.3 do provide forward secrecy, the PFS priority 
string now
    only disables session tickets in TLS 1.2. Future backward 
incompatibility:

    in the next major release of GnuTLS, we plan to remove those flag and

    modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect 
TLS 1.2.


** gnutls-cli, gnutls-serv: Channel binding for printing information
    has been changed from tls-unique to tls-exporter as tls-unique is
    not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
    gnutls more RFC 5280 compliant (!1583).
    Following changes were included:
- critical extensions are parsed when loading x509
      certificate to prohibit any random octet strings.
      Requires strict-x509 configure option to be enabled
    - garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
      of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
    According to the section 2 of SP800-131A Rev.2, 3DES algorithm
    will be disallowed for encryption after December 31, 2023:
    https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
    The existing AEAD API that works in a scatter-gather fashion

    (gnutls_aead_cipher_encryptv2) has been extended to support 
AES-SIV-CMAC.
    For further optimization, new function (gnutls_aead_cipher_set_key) 
has been

    added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
    when used in TLS (#1311).

** The configure arguments for Brotli and Zstandard (zstd) support
    have changed to reflect the previous help text: they are now
    --with-brotli/--with-zstd respectively (#1342).

** Detecting the Zstandard (zstd) library in configure has been
    fixed (#1343).

** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function

Getting the Software
================

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz>


Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C
and
462225C3B46F34879FC8496CD605848ED7E69871

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig>


Note that it has been signed with my openpgp key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
      5D46CB0F763405A7053556F47A75A648B3F9220C
uid           [ultimate] Zoltan Fridrich <[email protected]>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Uenos openpgp key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
      462225C3B46F34879FC8496CD605848ED7E69871

uid           [ultimate] Daiki Ueno <ueno at unixuser.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>
uid           [ultimate] Daiki Ueno <ueno at gnu.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>

sub rsa4096 2010-02-04 [E]

Regards,
Zoltan



Attachment:
OpenPGP_0x7A75A648B3F9220C.asc

Description: OpenPGP public key



Attachment:
OpenPGP_signature

Description: OpenPGP digital signature


_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help














    











					Reply via email to