[gnutls-devel] gnutls 3.6.1

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Oct 21 09:51:47 CEST 2017

 I've just released gnutls 3.6.1. This is a bug fix release for
the 3.6.x branch. The releases on this branch will continue on a
bi-monthly period.

* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally depracated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.

Getting the Software

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:


Here are OpenPGP detached signatures signed using key 0x96865171:


Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


More information about the Gnutls-devel mailing list