From ueno at gnu.org Wed Jun 3 16:01:10 2020
From: ueno at gnu.org (Daiki Ueno)
Date: Wed, 03 Jun 2020 16:01:10 +0200
Subject: [gnutls-help] gnutls 3.6.14
Message-ID: <87tuzs1c61.fsf-ueno@gnu.org>

Hello,

We've just released gnutls 3.6.14. This is a security and bug fix
release on the stable 3.6.x branch.

We'd like to thank everyone who contributed in this release:
Dmitry Baryshkov, Daiki Ueno, Nikos Mavrogiannopoulos, Steve Lhomme,
Anderson Toshiyuki Sasaki, Pierre Ossman, Tim Rühsen,
Bernhard M. Wiedemann, and rrivers2.

The detailed list of changes follows; they can be seen in more detail
in our milestone tracker:
https://gitlab.com/gnutls/gnutls/-/milestones/28

* Version 3.6.14 (released 2020-06-03)

** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
   The TLS server would not bind the session ticket encryption key with a
   value supplied by the application until the initial key rotation, allowing
   an attacker to bypass authentication in TLS 1.3 and recover previous
   conversations in TLS 1.2 (#1011).
   [GNUTLS-SA-2020-06-03, CVSS: high]

** libgnutls: Fixed handling of certificate chain with cross-signed
   intermediate CA certificates (#1008).

** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

** libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName
   (2.5.4.3), decode certificate policy OIDs (!1245), and print Authority
   Key Identifier (AKI) properly (#989, #991).

** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

** libgnutls: Added several improvements on Windows Vista and later
   releases (!1257, !1254, !1256). Most notably the system random number
   generator now uses Windows BCrypt* API if available (!1255).

** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
   Also both accelerated and non-accelerated implementations check key
   block according to FIPS-140-2 IG A.9 (!1233).

** libgnutls: Added support for AES-SIV ciphers (#463).
** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

** libgnutls: No longer use internal symbols exported from Nettle (!1235)

** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added

Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.14.tar.xz

Here are OpenPGP detached signatures signed using key
0x462225C3B46F34879FC8496CD605848ED7E69871:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.14.tar.xz.sig

Note that it has been signed with my openpgp key:

pub   rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno
uid           [ultimate] Daiki Ueno
sub   rsa4096 2010-02-04 [E]

Regards,
--
Daiki Ueno, on behalf of the GnuTLS development team

From leimaohui at cn.fujitsu.com Thu Jun 4 10:36:16 2020
From: leimaohui at cn.fujitsu.com (Lei, Maohui)
Date: Thu, 4 Jun 2020 08:36:16 +0000
Subject: [gnutls-help] A question about the license of gnutls
Message-ID: <2ab5e66da48a425ca2194d4e1ca64e11@G08CNEXMBPEKD05.g08.fujitsu.local>

Hi,

I have a question about the license of gnutls, I don't know whether it is a bug.

In gnutls-3.6.13/LICENSE, the content is as follows:

------------------------------------------------------------------
LICENSING
=========

Since GnuTLS version 3.1.10, the core library is released under
the GNU Lesser General Public License (LGPL) version 2.1 or later
(see doc/COPYING.LESSER for the license terms).
The GNU LGPL applies to the main GnuTLS library, while the
included applications as well as gnutls-openssl
library are under the GNU GPL version 3. The gnutls library is
located in the lib/ and libdane/ directories, while the applications
in src/ and, the gnutls-openssl library is at extra/.
......
------------------------------------------------------------------

I think it means that all the license in lib/ is under the license of LGPL-2.1+.
But the license of lib/x509/krb5.h and lib/x509/krb5.c is GPL-3.0+. Obviously, it conflicts with the content of LICENSE file.
So, I don't know is it a bug or do I understand.

Best regards
Lei Maohui

From ametzler at bebt.de Fri Jun 5 19:14:48 2020
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 5 Jun 2020 19:14:48 +0200
Subject: [gnutls-help] gnutls 3.6.14
In-Reply-To: <87tuzs1c61.fsf-ueno@gnu.org>
References: <87tuzs1c61.fsf-ueno@gnu.org>
Message-ID: <20200605171448.GB1434@argenau.bebt.de>

On 2020-06-03 Daiki Ueno wrote:
> Hello,
> We've just released gnutls 3.6.14. This is a security and bug fix
> release on the stable 3.6.x branch.

[...]
> ** API and ABI modifications:
> GNUTLS_CIPHER_AES_128_SIV: Added
> GNUTLS_CIPHER_AES_256_SIV: Added
> GNUTLS_CIPHER_AES_192_GCM: Added
> gnutls_pkcs7_print_signature_info: Added

That list seems to be incomplete:
gnutls_ext_get_name2() is also new. And enum gnutls_init_flags_t got
@GNUTLS_NO_AUTO_SEND_TICKET.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at bebt.de Sun Jun 7 10:20:20 2020
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 7 Jun 2020 10:20:20 +0200
Subject: [gnutls-help] Disabling SHA-1 in Debian oldstable/stretch
Message-ID: <20200607082020.GA536553@argenau.bebt.de>

Hello,

Debian stretch 09 will probably get its last gnutls update before
reaching EOL.
We are pondering whether we should follow Ubuntu's example
(USN-4233-1 / USN-4233-2) and stop trusting signatures using SHA-1 by
default and adding support for %VERIFY_ALLOW_BROKEN and
%VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings.

We currently tend to do so, but would appreciate a second opinion from
GnuTLS upstream.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From ueno at gnu.org Sun Jun 7 18:27:29 2020
From: ueno at gnu.org (Daiki Ueno)
Date: Sun, 07 Jun 2020 18:27:29 +0200
Subject: [gnutls-help] gnutls 3.6.14
In-Reply-To: <20200605171448.GB1434@argenau.bebt.de> (Andreas Metzler's message of "Fri, 5 Jun 2020 19:14:48 +0200")
References: <87tuzs1c61.fsf-ueno@gnu.org> <20200605171448.GB1434@argenau.bebt.de>
Message-ID: <87img296z2.fsf-ueno@gnu.org>

Andreas Metzler writes:

> On 2020-06-03 Daiki Ueno wrote:
>> Hello,
>> We've just released gnutls 3.6.14. This is a security and bug fix
>> release on the stable 3.6.x branch.
>
> [...]
>> ** API and ABI modifications:
>> GNUTLS_CIPHER_AES_128_SIV: Added
>> GNUTLS_CIPHER_AES_256_SIV: Added
>> GNUTLS_CIPHER_AES_192_GCM: Added
>> gnutls_pkcs7_print_signature_info: Added
>
> That list seems to be incomplete:
> gnutls_ext_get_name2() is also new. And enum gnutls_init_flags_t got
> @GNUTLS_NO_AUTO_SEND_TICKET.

Thank you for the report. I'm including the fix in:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1283/diffs?commit_id=8b4b3e6b0d69449b1e374aac8abc8a49177b1640

We should probably add a check for this kind of issue.

Regards,
--
Daiki Ueno
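
The 3.6.14 announcement at the top of this thread publishes a detached signature and the fingerprint of the signing key. The following is an added example, not part of any message in the thread and not GnuTLS project code, that pins verification to that fingerprint by parsing `gpg --status-fd` output. The function names are this example's own, and the status lines in the `sample_*` functions are constructed.

```shell
#!/bin/sh
# Fingerprint as stated in the release announcement.
EXPECTED_FPR=462225C3B46F34879FC8496CD605848ED7E69871

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the signing key or its primary key, and no
# bad-signature, error or revoked-key status is present.
check_gpg_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# Real use: $1 = detached signature file, $2 = downloaded tarball.
# A "Good signature" from any other key in the keyring does not pass.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status
}

# Constructed status output: signature made by the expected key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D605848ED7E69871 Daiki Ueno
[GNUPG:] VALIDSIG 462225C3B46F34879FC8496CD605848ED7E69871 2020-06-03 1591192800 0 4 0 1 10 00 462225C3B46F34879FC8496CD605848ED7E69871
EOF
}

# Constructed: cryptographically valid, but made by some other key
# (placeholder fingerprint).
sample_wrong_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2020-06-03 1591192800 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}

# Constructed: expected key, but gpg reports it as revoked.
sample_revoked() {
    cat <<'EOF'
[GNUPG:] REVKEYSIG D605848ED7E69871 Daiki Ueno
[GNUPG:] VALIDSIG 462225C3B46F34879FC8496CD605848ED7E69871 2020-06-03 1591192800 0 4 0 1 10 00 462225C3B46F34879FC8496CD605848ED7E69871
EOF
}

sample_good | check_gpg_status && echo "signature is pinned to the announced key"
```

With the tarball and `.sig` from the announcement downloaded and the key imported, the call is `verify_release gnutls-3.6.14.tar.xz.sig gnutls-3.6.14.tar.xz`.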