GnuTLS 2.3.1

Simon Josefsson simon at
Thu Feb 21 12:42:30 CET 2008

The GnuTLS 2.3.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

I tried to make sure there are no ABI/ABI modifications/deletions in
this compared to v2.2.x, but as the changes have been quite large, I may
have missed something.  Note that we don't guarantee ABI compatibility
during development releases, so if there are ABI breaks in this release,
we'll consider those bugs and revert them, rather than bumping the ABI.

Also, we need to figure out how opencdk is going to be included -- right
now there is no non-gnutls opencdk under LGPL, but we need one.  There
is only the opencdk included in this release.

While releasing this, I noticed that the openpgpself test fails... but
that can wait for the next release.

News in this release:

* Version 2.3.1 (released 2008-02-21)

** OpenPGP support merged into libgnutls and is now licensed under LGPL.
The included copy of OpenCDK has been stripped down and re-licensed
under the LGPL.

** Cipher priority string handling now handle strings that starts with NULL.
Thanks to Laurence Withers <l at>.

** gnutls-cli: When -d is used, also prints RNG information from libgcrypt.

** Corrected memory leaks in session resuming and DHE ciphersuites. Reported
by Daniel Stenberg.

** Increased the default certificate verification chain limits and allowed
for checks without limitation.

** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary
strings and return the proper size.

** Add section 'On Record Padding' to the manual.
This collects all problems related to record padding with
Nokia/Sony-Ericsson phones that we know about.

** Several improvements in the OpenPGP authentication.
Now subkeys can be used for authentication, according to

** certtool can print information on OpenPGP certificates and keys.

** Added gnutls_x509_dn_import/init/deinit() to access raw DER DN.
Patch by Joe Orton.

** Added gnutls_certificate_export_x509_cas and other functions to
export elements from the certificate credentials structure.  Based on
suggestion from Joe Orton.

** Doc fixes.
Clarify that srp_base64 is not the same as normal base64.

** Fix non-portable use of brace expansion in makefiles.

** API and ABI modifications:
gnutls_certificate_export_x509_cas: ADDED
gnutls_certificate_export_x509_crls: ADDED
gnutls_certificate_export_openpgp_keyring: ADDED
gnutls_openpgp_keyid_t: ADDED, instead of hard-coded 'unsigned char[8]'.
gnutls_openpgp_crt_get_key_id: ADDED, obsoletes gnutls_openpgp_crt_get_id.
gnutls_openpgp_crt_get_revoked_status: ADDED
gnutls_openpgp_crt_get_subkey_count: ADDED
gnutls_openpgp_crt_get_subkey_idx: ADDED
gnutls_openpgp_crt_get_subkey_revoked_status: ADDED
gnutls_openpgp_crt_get_subkey_pk_algorithm: ADDED
gnutls_openpgp_crt_get_subkey_creation_time: ADDED
gnutls_openpgp_crt_get_subkey_expiration_time: ADDED
gnutls_openpgp_crt_get_subkey_id: ADDED
gnutls_openpgp_crt_get_subkey_usage: ADDED
gnutls_openpgp_privkey_get_fingerprint: ADDED
gnutls_openpgp_privkey_get_key_id: ADDED
gnutls_openpgp_privkey_get_subkey_count: ADDED
gnutls_openpgp_privkey_get_subkey_idx: ADDED
gnutls_openpgp_privkey_get_subkey_revoked_status: ADDED
gnutls_openpgp_privkey_get_revoked_status: ADDED
gnutls_openpgp_privkey_get_subkey_pk_algorithm: ADDED
gnutls_openpgp_privkey_get_subkey_expiration_time: ADDED
gnutls_openpgp_privkey_get_subkey_id: ADDED
gnutls_openpgp_privkey_get_subkey_creation_time: ADDED
gnutls_openpgp_crt_get_subkey_pk_dsa_raw: ADDED
gnutls_openpgp_crt_get_subkey_pk_rsa_raw: ADDED
gnutls_openpgp_crt_get_pk_dsa_raw: ADDED
gnutls_openpgp_crt_get_pk_rsa_raw: ADDED
gnutls_openpgp_privkey_export_subkey_dsa_raw: ADDED
gnutls_openpgp_privkey_export_subkey_rsa_raw: ADDED
gnutls_openpgp_privkey_export_dsa_raw: ADDED
gnutls_openpgp_privkey_export_rsa_raw: ADDED
gnutls_openpgp_privkey_export: ADDED
gnutls_certificate_set_openpgp_key_file2: ADDED
gnutls_certificate_set_openpgp_key_mem2: ADDED
gnutls_x509_dn_init: ADDED
gnutls_x509_dn_import: ADDED
gnutls_x509_dn_deinit: ADDED
gnutls_hex2bin: ADDED
                                old GNUTLS_X509_CRT_UNSIGNED_FULL.

The goals for the 2.3.x branch are tracked at:

More ideas are welcome, just create a new ticket.

Here are the compressed sources:

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See for more details.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20080221/fd396808/attachment.pgp>

More information about the Gnutls-devel mailing list