GnuTLS 2.7.8

Simon Josefsson simon at
Sun May 3 21:41:55 CEST 2009

The GnuTLS 2.7.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources: (5.8MB)

Here is the OpenPGP signature:

Known open issues holding back the next stable release:

 * Make gnutls-cli/gnutls-serv work under Windows again
 * Resolve how to treat the partial TLS 1.2 implementation
 * Fix the API man page for priority strings
 * Confirm that Cedric BAIL's copyright assignment has arrived with the FSF

The earlier plan to release on April 1th didn't work out, but I'm going
to try work through these issues again now.  If you want to see anything
else done in the next stable release, now is the time to speak!

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See for more details.


* Version 2.7.8 (released 2009-05-03)

** libgnutls: Fix DSA key generation.
Merged from stable branch.  [GNUTLS-SA-2009-2] [CVE-2009-1416]

** libgnutls: Check expiration/activation time on untrusted certificates.
Merged from stable branch.  Reported by Romain Francoise
<romain at>.  This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2.
We add two new gnutls_certificate_status_t codes for reporting the new
We also add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.  [GNUTLS-SA-2009-3] [CVE-2009-1417]

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version

** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols.
This should have been done in the last release.

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
Reported by Peter Hendrickson <pdh at> in

** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use.  In particular, libgnutls moved from the
'GNU Libraries' section to the 'Software libraries' and the command
line tools moved from 'Network Applications' to 'System

** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL: </pipermail/attachments/20090503/92ca09a7/attachment.pgp>

More information about the Gnutls-devel mailing list