GnuTLS 2.9.8

Simon Josefsson simon at
Thu Nov 5 17:40:10 CET 2009

The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

Here are the compressed sources (6.0MB):

Here is the OpenPGP signature:

Windows build:

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm-based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See for more details.


* Version 2.9.8 (released 2009-11-05)

** libgnutls: Fix for memory leaks on interrupted handshake.
Reported by Tang Tong.

** libgnutls: Addition of support for TLS 1.2 signature algorithms
** extension and certificate verify field.
This requires changes for TLS 1.2 servers and clients that use
callbacks for certificate retrieval.  They are now required to check
with gnutls_sign_algorithm_get_requested() whether the certificate
they send complies with the peer's preferences in signature

** libgnutls: On the server side, when resuming a session, do not overwrite
** the initial session data with the resumed session data.

** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8
** encryption.
This also affects PKCS #12 encoded files.  This adds the following new

** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.".  Problem
introduced for the v2.8.x branch in 2.7.6.

** certtool: Added the --pkcs-cipher option.
To explicitly specify the encryption algorithm to use.

** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions.

** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler at> in

** tests: Fix expired cert in chainverify self-test.

** i18n: Vietnamese translation updated.
Thanks to Clytie Siddall.

** API and ABI modifications:
GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h.
GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h.
GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h.
GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h.
gnutls_sign_algorithm_get_requested: ADDED.

I appear to have forgotten to announce 2.9.7, so I'm including the NEWS
entries for it too:

* Version 2.9.7 (released 2009-10-06)

** libgnutls: TLS 1.2 server mode fixes.
Now interoperates against Opera.  Contributed by Daiki Ueno.

** libgnutlsxx: Fix link problems.
Tiny patch from Boyan Kasarov <bkasarov at>.

** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes at>.

** API and ABI modifications:
No changes since last version.