[gnutls-dev] GnuTLS 1.2.9

Simon Josefsson jas at extundo.com
Mon Nov 7 22:34:46 CET 2005 

We are pleased to announce the availability of GnuTLS version 1.2.8.

GnuTLS is a modern C library that implement the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

This is the last non-bugfix release in the 1.2.x series.  We will open
the 1.3.x branch after this release.  The goal of 1.3.x will be to
merge work currently done on CVS branches, for TLS Pre-Shared-Keys and
TLS Inner Application.  Other planned improvements in 1.3.x are
system-independent resume data structures, modularization of the
bignum operations, and TLS OpenPGP improvements.

This release disable the RSA-MD5 algorithm when verifying untrusted
intermediary X.509 CA certificates.  This decision was made based on
the results in Lenstra, Wang and Weger's "Colliding X.509
Certificates".  This is discussed in more detail, including
instructions on how to re-enable the algorithm for application's that
need backwards compatibility, in:
http://josefsson.org/gnutls/manual/html_node/Digital-signatures.html

Noteworthy changes since version 1.2.8:
- Documentation was updated and improved.
- RSA-MD2 is now supported for verifying digital signatures.
- Due to cryptographic advances, verifying untrusted X.509
  certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
  GNUTLS_CERT_INSECURE_ALGORITHM verification output.  For
  applications that must remain interoperable, you can use the
  GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
  flags when verifying certificates.  Naturally, this is not
  recommended default behaviour for applications.  To enable the
  broken algorithms, call gnutls_certificate_set_verify_flags with the
  proper flag, to change the verification mode used by
  gnutls_certificate_verify_peers2.
- Make it possible to send empty data through gnutls_record_send,
  to align with the send(2) API.
- Some changes in the certificate receiving part of handshake to prevent
  some possible errors with non-blocking servers.
- Added numeric version symbols to permit simple CPP-based feature
  tests, suggested by Daniel Stenberg <daniel at haxx.se>.
- The (experimental) low-level crypto alternative to libgcrypt used
  earlier (Nettle) has been replaced with crypto code from gnulib.
  This leads to easier re-use of these components in other projects,
  leading to more review and simpler maintenance.  The new configure
  parameter --with-builtin-crypto replace the old --with-nettle, and
  must be used if you wish to enable this functionality.  See README
  under "Experimental" for more information.  Internally, GnuTLS has
  been updated to use the new "Generic Crypto" API in gl/gc.h.  The
  API is similar to the old crypto/gc.h, because the gnulib code were
  based on GnuTLS's gc.h.
- Fix compiler warning in the "anonself" self test.
- API and ABI modifications:
gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
                             This doesn't reflect a change in behaviour,
                             so we don't break backwards compatibility.
GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values.
                                  Use when calling
                                  gnutls_x509_crt_list_verify,
                                  gnutls_x509_crt_verify, or
                                  gnutls_certificate_set_verify_flags.
GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
                                used when broken signature algorithms
                                is used (currently RSA-MD2/MD5).
LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR,
LIBGNUTLS_VERSION_PATCH,
LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
			  version number, can be used for feature existence
			  tests.

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see:
<http://lists.gnu.org/mailman/listinfo/help-gnutls>.

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.2.9.tar.bz2 (2.7MB)
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.9.tar.bz2 (2.7MB)

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.2.9.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.9.tar.bz2.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
  1280R/B565716F 2002-05-05 [expires: 2006-02-28]
  Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the SHA-1 checksums:

7229d094de83cabd572fcaab806ab3afc6b58959  gnutls-1.2.9.tar.bz2
fae5d7a5d84935406ba3ed6e2804a18cede6fcf1  gnutls-1.2.9.tar.bz2.sig

Enjoy,
Nikos and Simon

More information about the Gnutls-devel mailing list