From nmav at gnutls.org Fri Feb 16 08:37:26 2018 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 16 Feb 2018 08:37:26 +0100 Subject: [gnutls-devel] gnutls 3.3.29 Message-ID: <1518766646.18151.1.camel@gnutls.org> Hello,? ?I've just released gnutls 3.3.29. This is a bug-fix release on the previous stable branch. * Version 3.3.29 (released 2018-02-16) ** libgnutls: Fixed issue which caused 1-byte handshake fragments to be refused. ???Reported by Bal?zs K?ri. ** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was ???used. Resolves gitlab issue #259. ** libgnutls: Use readdir() instead of readdir_r internally. The latter ???is deprecated and on our use we don't need readdir() to be thread safe ???(which it is in most common platforms). ** libgnutls: require strict DER encoding for certificates, OCSP requests, private ???keys, CRLs and certificate requests.??This backports the already default behavior ???from the 3.5.x branch, in order to reduce issues due to the complexity of BER rules. ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by ???Vitezslav Cizek). ** libgnutls: Addressed issue in the accelerated code which may affect interoperability ???with versions of nettle > 3.4. ** p11tool: Fixed issue preventing the deletion of objects in batch mode. ** p11tool: Mark all generated objects as sensitive by default. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.29.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.29.tar.xz.sig Note that it has been signed with my openpgp key: pub???3104R/96865171 2008-05-04 [expires: 2028-04-29] uid??????????????????Nikos Mavrogiannopoulos gnutls.org> uid??????????????????Nikos Mavrogiannopoulos gmail.com> sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri Feb 16 08:40:03 2018 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 16 Feb 2018 08:40:03 +0100 Subject: [gnutls-devel] gnutls 3.5.18 Message-ID: <1518766803.18151.3.camel@gnutls.org> Hello,? ?I've just released gnutls 3.5.18. This is a bug fix release on the current stable branch. * Version 3.5.18 (released 2018-02-16) ** libgnutls: Addressed issue in the accelerated code which may affect interoperability ???with versions of nettle > 3.4. ** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by ???Vitezslav Cizek). ** p11tool: Fixed issue preventing the deletion of objects in batch mode. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ? https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/gnutls-3.5.18.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ??https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/gnutls-3.5.18.tar.xz.sig Note that it has been signed with my openpgp key: pub???3104R/96865171 2008-05-04 [expires: 2028-04-29] uid??????????????????Nikos Mavrogiannopoulos gnutls.org> uid??????????????????Nikos Mavrogiannopoulos gmail.com> sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri Feb 16 08:43:15 2018 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 16 Feb 2018 08:43:15 +0100 Subject: [gnutls-devel] gnutls 3.6.2 Message-ID: <1518766995.18151.5.camel@gnutls.org> Hello,? ?I've just released gnutls 3.6.2. This is a bug fix release for the 3.6.x branch.? * Version 3.6.2 (released 2018-02-16) ** libgnutls: When verifying against a self signed certificate ignore issuer. ???That is, ignore issuer when checking the issuer's parameters strength, resolving ???issue #347 which caused self signed certificates to be additionally marked as of ???insufficient security level. ** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data ???MTU calculation now, it correctly accounts for the fixed overhead due to ???padding (as 1 byte), while at the same time considers the rest of the ???padding as part of data MTU. ** libgnutls: Address issue of loading of all PKCS#11 modules on startup ???on systems with a PKCS#11 trust store (as opposed to a file trust store). ???Introduced a multi-stage initialization which loads the trust modules, and ???other modules are deferred for the first pure PKCS#11 request. ** libgnutls: The SRP authentication will reject any parameters outside ???RFC5054. This protects any client from potential MitM due to insecure ???parameters. That also brings SRP in par with the RFC7919 changes to ???Diffie-Hellman. ** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters ???for SRP authentication. ** libgnutls: Addressed issue in the accelerated code affecting interoperability ???with versions of nettle >= 3.4. ** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by ???Vitezslav Cizek). ** srptool: the --create-conf option no longer includes 1024-bit parameters. ** p11tool: Fixed the deletion of objects in batch mode. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ? https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.2.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ??https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.2.tar.xz.sig Note that it has been signed with my openpgp key: pub???3104R/96865171 2008-05-04 [expires: 2028-04-29] uid??????????????????Nikos Mavrogiannopoulos gnutls.org> uid??????????????????Nikos Mavrogiannopoulos gmail.com> sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Sat Feb 17 10:56:00 2018 From: ametzler at bebt.de (Andreas Metzler) Date: Sat, 17 Feb 2018 10:56:00 +0100 Subject: [gnutls-devel] gnutls 3.6.2 In-Reply-To: <1518766995.18151.5.camel@gnutls.org> References: <1518766995.18151.5.camel@gnutls.org> Message-ID: <20180217095600.GA1243@argenau.bebt.de> On 2018-02-16 Nikos Mavrogiannopoulos wrote: > Hello,? > ?I've just released gnutls 3.6.2. This is a bug fix release for > the 3.6.x branch.? > * Version 3.6.2 (released 2018-02-16) [...] > ** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters > ???for SRP authentication. [...] > ** API and ABI modifications: > No changes since last version. Hello, afaict there were ABI changes: gnutls_srp_8192_group_generator: Added gnutls_srp_8192_group_prime: Added cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From ametzler at bebt.de Sat Feb 17 19:01:48 2018 From: ametzler at bebt.de (Andreas Metzler) Date: Sat, 17 Feb 2018 19:01:48 +0100 Subject: [gnutls-devel] 3.6.2 testsuite error on mips and mipsel Message-ID: <20180217180148.GA1065@argenau.bebt.de> Hello, the srp test fails on both mips and mipsel: (sid_mips-dchroot)ametzler at minkus:~/GNUTLS/gnutls28-3.6.2/b4deb/tests$ ./srp testing: srp-1024 testing: srp-1536 testing: srp-2048 testing: srp-3072 testing: srp-4096 testing: srp-8192 client:157: client: Handshake failed server:242: server: Handshake has failed (The operation timed out) --verbose log attached. TIA, cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: srp-verbose.gz Type: application/gzip Size: 19500 bytes Desc: not available URL: From nmav at gnutls.org Sun Feb 18 11:25:54 2018 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 18 Feb 2018 10:25:54 +0000 Subject: [gnutls-devel] 3.6.2 testsuite error on mips and mipsel In-Reply-To: <20180217180148.GA1065@argenau.bebt.de> References: <20180217180148.GA1065@argenau.bebt.de> Message-ID: Thanks. Could it be that the timeout is too low for 8k in the platform? If you change gnutls_handshake_set_timeout(session, 20 * 1000); with 40 or 60 seconds does it work? On Sat, Feb 17, 2018 at 7:02 PM Andreas Metzler wrote: > Hello, > > the srp test fails on both mips and mipsel: > (sid_mips-dchroot)ametzler at minkus:~/GNUTLS/gnutls28-3.6.2/b4deb/tests$ > ./srp > testing: srp-1024 > testing: srp-1536 > testing: srp-2048 > testing: srp-3072 > testing: srp-4096 > testing: srp-8192 > client:157: client: Handshake failed > server:242: server: Handshake has failed (The operation timed out) > > --verbose log attached. > > TIA, cu Andreas > -- > `What a good friend you are to him, Dr. Maturin. His other friends are > so grateful to you.' > `I sew his ears on from time to time, sure' > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ametzler at bebt.de Sun Feb 18 12:51:05 2018 From: ametzler at bebt.de (Andreas Metzler) Date: Sun, 18 Feb 2018 12:51:05 +0100 Subject: [gnutls-devel] 3.6.2 testsuite error on mips and mipsel In-Reply-To: References: <20180217180148.GA1065@argenau.bebt.de> Message-ID: <20180218115105.GA1243@argenau.bebt.de> On 2018-02-18 Nikos Mavrogiannopoulos wrote: > On Sat, Feb 17, 2018 at 7:02 PM Andreas Metzler wrote: >> the srp test fails on both mips and mipsel: >> (sid_mips-dchroot)ametzler at minkus:~/GNUTLS/gnutls28-3.6.2/b4deb/tests$ >> ./srp >> testing: srp-1024 >> testing: srp-1536 >> testing: srp-2048 >> testing: srp-3072 >> testing: srp-4096 >> testing: srp-8192 >> client:157: client: Handshake failed >> server:242: server: Handshake has failed (The operation timed out) > Thanks. Could it be that the timeout is too low for 8k in the platform? > If you change gnutls_handshake_set_timeout(session, 20 * 1000); > with 40 or 60 seconds does it work? Hello, You seem to be right. Increasing both instances of gnutls_handshake_set_timeout to 40 lets the test succeed. On the specific machine I tested on the fail/nonfail border is at about 26 (25.8 fails, 25.9 succeeds), so 40 should give a margin of error. I will upload a patched version to the Debian buildds and report results. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From nmav at gnutls.org Sun Feb 18 20:58:37 2018 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 18 Feb 2018 19:58:37 +0000 Subject: [gnutls-devel] gnutls 3.6.2 In-Reply-To: <20180217095600.GA1243@argenau.bebt.de> References: <1518766995.18151.5.camel@gnutls.org> <20180217095600.GA1243@argenau.bebt.de> Message-ID: Thank you. I've applied the patch to the git version of NEWS file. On Sat, Feb 17, 2018 at 11:15 AM Andreas Metzler wrote: > On 2018-02-16 Nikos Mavrogiannopoulos wrote: > > Hello, > > I've just released gnutls 3.6.2. This is a bug fix release for > > the 3.6.x branch. > > > * Version 3.6.2 (released 2018-02-16) > [...] > > ** libgnutls: Added the 8192-bit parameters of SRP to the accepted > parameters > > for SRP authentication. > > [...] > > ** API and ABI modifications: > > No changes since last version. > > Hello, > > afaict there were ABI changes: > > gnutls_srp_8192_group_generator: Added > gnutls_srp_8192_group_prime: Added > > cu Andreas > -- > `What a good friend you are to him, Dr. Maturin. His other friends are > so grateful to you.' > `I sew his ears on from time to time, sure' > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: