[gnutls-dev] Experimental: GnuTLS 1.3.1

Simon Josefsson jas at extundo.com
Thu Dec 8 21:01:27 CET 2005

We are pleased to announce the availability of GnuTLS version 1.3.1,
the second release on the experimental 1.3.x branch.

The goal of 1.3.x will be to merge work currently done on CVS
branches, for TLS Pre-Shared-Keys and TLS Inner Application.  Other
planned improvements in 1.3.x are system-independent resume data
structures, modularization of the bignum operations, and TLS OpenPGP
improvements.  So far, TLS-PSK and system-independent resume data has
been implemented.

GnuTLS is a modern C library that implement the standard network
security protocol Transport Layer Security (TLS), for use by network

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:

The project page of the library is available at:
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.3.1.tar.gz (3.0MB)
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.3.1.tar.bz2 (3.0MB)

Here are GPG detached signatures signed using key 0xB565716F:

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
  1280R/B565716F 2002-05-05 [expires: 2006-02-28]
  Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F

The key is available from:

Here are the build reports for various platforms:

Here are the SHA-1 checksums:

80eb527cf981344778d0dd6cb2ed25f379d8785c  gnutls-1.3.1.tar.bz2
5b260e5d3594a8cf8ea79376bd97775a5f566920  gnutls-1.3.1.tar.bz2.sig

Nikos and Simon

Noteworthy changes since version 1.3.0:

** Support for DHE-PSK cipher suites has been added.
This method offers perfect forward secrecy.

** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
Otto Maddox <ottomaddox at fastmail.fm> and Nozomu Ando <nand at mac.com>.

** Corrected a bug in certtool for 64 bit machines. Reported
by Max Kellermann <max at duempel.org>.

** New function to set a X.509 private key and certificate pairs, and/or
CRLs, from an PKCS#12 file, suggested by Emile van Bergen
<emile at e-advies.nl>.

The integrity of the PKCS#12 file is protected through a password
based MAC; public-key based signatures for integrity protection are
not supported.  PKCS#12 bags may be encrypted using password derived
symmetric keys, public-key based encryption is not supported.  The
PKCS#8 keys may be encrypted using passwords.  The API use the same
password for all operations.  We believe that any more flexibility
create too much complexity that would hurt overall security, but may
add more PKCS#12 related APIs if real-world experience indicate

** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys,
reported by Emile van Bergen <emile at e-advies.nl>.
This will enable "certtool -k -8" to parse those keys.

** Certtool now generate keys in unencrypted PKCS#8 format for empty passwords.
Use "certtool -p -8" and press press enter at the prompt.  Earlier,
certtool would have encrypted the key using an empty password.

** Certtool now accept --password for --key-info and encrypted PKCS#8 keys.
Earlier it would have prompted the user for it, even if --password was

** Added self test of PKCS#8 parsing.
Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and
pbeWithSHAAnd40BitRC2-CBC) formats are tested.  The test is in

** API and ABI modifications:
New function to set X.509 credentials from a PKCS#12 file:

New gnutls_kx_algorithm_t enum type:

New API to return session data (better data types than

New API to set PSK Diffie-Hellman parameters:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 423 bytes
Desc: not available
URL: </pipermail/attachments/20051208/8d0f2b3c/attachment.pgp>

More information about the Gnutls-devel mailing list