Hi all. There has been larger changes than usual in CVS, so I thought I'd roll a release candidate before releasing 1.2.9. I'll release this during the next week if there are no problems. Please test:
http://josefsson.org/daily/gnutls/gnutls-20051028.tar.gz In particular, I want to know how this works on minw32, and whether the MD2/MD5 stuff works. Note: Don't use --with-builtin-crypto, it doesn't implement HMAC yet, so it doesn't even pass the self tests. Hopefully, I'll fix this before the release. I have tested this successfully on alphaev67-unknown-linux-gnu, i686-pc-linux-gnu, sparc-sun-solaris2.9, i386-unknown-freebsd4.11, and i386-pc-solaris2.9. NEWS entries below. Suggestions on the text is also appreciated. Thanks, Simon - Documentation was updated and improved. - MD2 is now supported. - Due to cryptographic advances, verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5 will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification output. For applications that must remain interoperable, you can use the GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 flags when verifying certificates. Naturally, this is not recommended to be the default behaviour. For example, call gnutls_certificate_set_verify_flags with these flags to change the verification mode used by gnutls_certificate_verify_peers2. - Make it possible to send empty data through gnutls_record_send, to align with the send(2) API. - The (experimental) low-level crypto alternative to libgcrypt used earlier (Nettle) has been replaced with crypto code from gnulib. This leads to easier re-use of these components in other projects, leading to more review and simpler maintenance. The new configure parameter --with-builtin-crypto replace the old --with-nettle, and must be used if you wish to enable this functionality. See README under "Experimental" for more information. Internally, GnuTLS has been updated to use the new "Generic Crypto" API in gl/gc.h. The API is similar to the old crypto/gc.h, because the gnulib code were based on GnuTLS's gc.h. - Fix compiler warning in the "anonself" self test. - API and ABI modifications: gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>. This doesn't reflect a change in behaviour, so we don't break backwards compatibility. GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value. GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value. GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values. Use when calling gnutls_x509_crt_list_verify, gnutls_x509_crt_verify, or gnutls_certificate_set_verify_flags. GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value, used when broken signature algorithms is used (currently RSA-MD2/MD5). _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
