[gnutls-help] gnutls 3.7.5

Zoltan Fridrich zfridric at redhat.com
Fri May 13 09:12:34 CEST 2022 

Hello,

We have just released gnutls-3.7.5. This is a bug fix and enhancement 
release on the 3.7.x branch.

We would like to thank everyone who contributed in this release:
Tim Kosse, Tatsuhiro Tsujikawa, Brian Wickman, František Krenželok, 
Andreas Metzler,
Benjamin Herrenschmidt, Pedro Monreal, Tobias Heider, Sam James, Daiki 
Ueno and Zoltan Fridrich

The detailed list of changes follows:

* Version 3.7.5 (released 2022-05-15)

** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 
priority
     modifier have been added to disable session ticket usage in TLS 1.2 
because
     it does not provide forward secrecy (#477). On the other hand, 
since session
     tickets in TLS 1.3 do provide forward secrecy, the PFS priority 
string now
     only disables session tickets in TLS 1.2. Future backward 
incompatibility:
     in the next major release of GnuTLS, we plan to remove those flag and
     modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect 
TLS 1.2.

** gnutls-cli, gnutls-serv: Channel binding for printing information
     has been changed from tls-unique to tls-exporter as tls-unique is
     not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
     gnutls more RFC 5280 compliant (!1583).
     Following changes were included:
- critical extensions are parsed when loading x509
       certificate to prohibit any random octet strings.
       Requires strict-x509 configure option to be enabled
     - garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
       of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
     According to the section 2 of SP800-131A Rev.2, 3DES algorithm
     will be disallowed for encryption after December 31, 2023:
     https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
     The existing AEAD API that works in a scatter-gather fashion
     (gnutls_aead_cipher_encryptv2) has been extended to support 
AES-SIV-CMAC.
     For further optimization, new function (gnutls_aead_cipher_set_key) 
has been
     added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
     when used in TLS (#1311).

** The configure arguments for Brotli and Zstandard (zstd) support
     have changed to reflect the previous help text: they are now
     --with-brotli/--with-zstd respectively (#1342).

** Detecting the Zstandard (zstd) library in configure has been
     fixed (#1343).

** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function

Getting the Software
================

GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/ <https://www.gnupg.org/ftp/gcrypt/>
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html <http://www.gnutls.org/download.html>

Here are the XZ compressed sources:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz>

Here are OpenPGP detached signatures signed using keys:
5D46CB0F763405A7053556F47A75A648B3F9220C
and
462225C3B46F34879FC8496CD605848ED7E69871
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig 
<https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig>

Note that it has been signed with my openpgp key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
       5D46CB0F763405A7053556F47A75A648B3F9220C
uid           [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Uenos openpgp key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
       462225C3B46F34879FC8496CD605848ED7E69871
uid           [ultimate] Daiki Ueno <ueno at unixuser.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>
uid           [ultimate] Daiki Ueno <ueno at gnu.org 
<http://lists.gnupg.org/mailman/listinfo/gnutls-help>>
sub rsa4096 2010-02-04 [E]

Regards,
Zoltan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x7A75A648B3F9220C.asc
Type: application/pgp-keys
Size: 669 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20220513/5fc3a725/attachment-0001.sig>

More information about the Gnutls-help mailing list