GnuTLS 2.9.10 - first release candidate for 2.10.0

Simon Josefsson simon at josefsson.org
Thu Apr 22 00:58:43 CEST 2010


The GnuTLS 2.9.x branch is NOT what you want for your stable system.  It
is intended for developers and experienced users.

It has been several months since the last development release, far too
long...

I finally managed to build git master on my machine and cross-compiled
it to Windows so it seemed like a good time to make this release.

We want to start the process of getting this development cycle out into
a stable 2.10.0 branch, so let's consider this the first release
candidate.  This release will likely be a bit rough considering the many
changes, but even more reason to start testing it!

Things on my radar before we can release 2.10.0:
- Write release notes, explaining the TLS renegotiation stuff
- Make sure self-tests passes on Solaris and Mac OS X too
- Check that TLS renegotiation behaviour is what we want it to be
- Do more code review (I've not had time to do this myself lately)
- Sanity check by installing it as the system GnuTLS on a GNU/Linux
  system and make sure normal things still appear to work

Here are the compressed sources (6.4MB):
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2

Here is the OpenPGP signature:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.10.tar.bz2.sig

Windows build:
  http://josefsson.org/gnutls4win/gnutls-2.9.10.exe
  http://josefsson.org/gnutls4win/gnutls-2.9.10.exe.sig
  http://josefsson.org/gnutls4win/gnutls-2.9.10.zip
  http://josefsson.org/gnutls4win/gnutls-2.9.10.zip.sig
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.10-1_all.deb

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or donate money
or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon

* Version 2.9.10 (released 2010-04-22)

** libgnutls: Time verification extended to trusted certificate list.
Unless new constant GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is
specified.

** certtool: Display postalCode and Name X.509 DN attributes correctly.
Based on patch by Pavan Konjarla.  Adds new constant
GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME.

** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
Solves the issue discussed in:
<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and
<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>.
Note that to allow connecting to unpatched servers the full protection
is only enabled if the priority string %SAFE_RENEGOTIATION is
specified. You can check whether protection is in place by querying
gnutls_safe_renegotiation_status().  New error codes
GNUTLS_E_SAFE_RENEGOTIATION_FAILED and
GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added.

** libgnutls: When checking openpgp self signature also check the signatures
** of all subkeys.
Ilari Liusvaara noticed and reported the issue and provided test
vectors as well.

** libgnutls: Added cryptodev support (/dev/crypto).
Tested with http://www.logix.cz/michal/devel/cryptodev/.  Added
benchmark utility for AES.  Adds new error codes
GNUTLS_E_CRYPTODEV_IOCTL_ERROR and GNUTLS_E_CRYPTODEV_DEVICE_ERROR.

** libgnutls: Exported API to access encryption and hash algorithms.
The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit,
gnutls_cipher_encrypt, gnutls_cipher_get_block_size,
gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast,
gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output,
gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast,
gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output.  New API
constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224.

** libgnutls: Added gnutls_certificate_set_verify_function() to allow
verification of certificate upon receipt rather than waiting until the
end of the handshake.

** libgnutls: Don't send alerts during handshake.
Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added.

** certtool: Corrected two issues that affected certificate request generation.
(1) Null padding is added on integers (found thanks to Wilankar Trupti),
(2) In optional SignatureAlgorithm parameters field for DSA keys the DSA
parameters were added. Those were rejected by Verisign. Gnutls no longer adds 
those parameters there since other implementations don't do either and having 
them does not seem to offer anything (anyway you need the signer's certificate
to verify thus public key will be available). Found thanks to Boyan Kasarov.
This however has the side-effect that public key IDs shown by certtool are
now different than previous gnutls releases.
(3) the option --pgp-certificate-info will verify self signatures

** certtool: Allow exporting of Certificate requests on DER format.

** certtool: New option --no-crq-extensions to avoid extensions in CSRs.

** gnutls-cli: Handle reading binary data from server.
Reported by and tiny patch from Vitaly Mayatskikh
<v.mayatskih at gmail.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4096>.

** minitasn1: Upgraded to libtasn1 version 2.6.

** i18n: Updated Czech, Dutch, French, Polish, Swedish translation.
** Added Italian and Simplified Chinese translation.
Thanks to Petr Pisar, Erwin Poeze, Nicolas Provost, Jakub Bogusz,
Daniel Nylander, Sergio Zanchetta, Tao Wei, and Aron Xu.

** doc: The GTK-DOC manual is significantly improved.

** API and ABI modifications:
%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use).
%INITIAL_SAFE_RENEGOTIATION: Added to priority strings.
%UNSAFE_RENEGOTIATION: Added to priority strings.
GNUTLS_DIG_SHA224: ADDED.
GNUTLS_E_CRYPTODEV_DEVICE_ERROR: ADDED.
GNUTLS_E_CRYPTODEV_IOCTL_ERROR: ADDED.
GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ADDED.
GNUTLS_E_UNKNOWN_SRP_USERNAME: ADDED.
GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ADDED.
GNUTLS_MAC_SHA224: ADDED.
GNUTLS_OID_X520_NAME: ADDED.
GNUTLS_OID_X520_POSTALCODE: ADDED.
GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: ADDED.
GNUTLS_VERSION_MAX: ADDED.
gnutls_certificate_set_verify_function: ADDED.
gnutls_cipher_decrypt: ADDED.
gnutls_cipher_deinit: ADDED.
gnutls_cipher_encrypt: ADDED.
gnutls_cipher_get_block_size: ADDED.
gnutls_cipher_init: ADDED.
gnutls_hash: ADDED.
gnutls_hash_deinit: ADDED.
gnutls_hash_fast: ADDED.
gnutls_hash_get_len: ADDED.
gnutls_hash_init: ADDED.
gnutls_hash_output: ADDED.
gnutls_hmac: ADDED.
gnutls_hmac_deinit: ADDED.
gnutls_hmac_fast: ADDED.
gnutls_hmac_get_len: ADDED.
gnutls_hmac_init: ADDED.
gnutls_hmac_output: ADDED.
gnutls_safe_negotiation_set_initial: ADDED.
gnutls_safe_renegotiation_set: ADDED.
gnutls_safe_renegotiation_status: ADDED.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 420 bytes
Desc: not available
URL: </pipermail/attachments/20100422/fa08efa8/attachment.pgp>


More information about the Gnutls-devel mailing list