[gnutls-devel] gnutls 3.5.6

Daniel P. Berrange berrange at redhat.com
Fri Nov 11 11:07:30 CET 2016

On Fri, Nov 04, 2016 at 08:28:02AM +0100, Nikos Mavrogiannopoulos wrote:
> Hello, 
>  I've just released gnutls 3.5.6. This is an enhancement and
> bugfix release for the 3.5.x branch.
> * Version 3.5.6 (released 2016-11-04)
> ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
>    (pre-rfc5652) structures with arbitrary encapsulated content.
> ** libgnutls: Introduced a function group to set known DH parameters
>    using groups from RFC7919.
> ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
>    Now the generated textual DN is in reverse order according to RFC4514,
>    and functions which generate a DN from strings such as gnutls_x509_crt_set_*dn()
>    set the expected DN (reverse of the provided string).

IIUC, this is responsible for a change in behaviour seen by libvirt.
Previously the client cert DN would get reported as


and with new version we're getting back


This is causing a regression for libvirt. The libvirt server has the ability
to set a whitelist against the DN string, against which we do a regex

e.g. the sysadmin may have defined a whitelist of


to allow all certs issued to libvirt clients.

This change in DN ordering by gnutls breaks any existing whitelists
our admins have set up, as well as breaking the libvirt test suite
which validates this.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
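To illustrate the breakage described in the mail, here is an added example (not code from libvirt or gnutls): constructed DNs in the old root-first and the new RFC 4514 leaf-first ordering, a constructed whitelist regex written for the old order, and an order-insensitive matcher that a server could use to keep existing whitelists working across the gnutls change.

```python
import re

# Constructed sample values, not taken from the original mail: one client
# DN as the older gnutls printed it (root component first) and the same DN
# in RFC 4514 order (most specific component first).
OLD_ORDER_DN = "C=GB,O=Red Hat,OU=libvirt,CN=client1.example.com"
NEW_ORDER_DN = "CN=client1.example.com,OU=libvirt,O=Red Hat,C=GB"

# Constructed whitelist regex written against the old root-first ordering.
WHITELIST = [r"^C=GB,O=Red Hat,OU=libvirt,CN=.*$"]


def parse_rdns(dn):
    """Split an RFC 4514 string into (type, value) pairs.

    Commas separate RDNs unless escaped with a backslash, so a naive
    str.split(",") would break on values such as 'O=Foo\\, Inc'.
    Multi-valued RDNs (joined with '+') are kept as one unit.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape sequence verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [(r.partition("=")[0], r.partition("=")[2]) for r in rdns]


def reversed_dn(dn):
    """Rebuild the DN string with its RDN order reversed."""
    return ",".join("%s=%s" % (t, v) for t, v in reversed(parse_rdns(dn)))


def dn_allowed(dn, patterns):
    """Order-sensitive check: the DN string must match one whitelist regex."""
    return any(re.match(p, dn) for p in patterns)


def dn_allowed_any_order(dn, patterns):
    """Order-insensitive check: accept the DN if either it or its reversed
    form matches, so whitelists written for one ordering keep working."""
    return dn_allowed(dn, patterns) or dn_allowed(reversed_dn(dn), patterns)
```

The same whitelist accepts the old-order DN, rejects the new-order DN under the original check, and accepts both under the order-insensitive check.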
