From zfridric at redhat.com Fri Aug 4 12:32:17 2023 From: zfridric at redhat.com (Zoltan Fridrich) Date: Fri, 4 Aug 2023 12:32:17 +0200 Subject: [gnutls-help] gnutls 3.8.1 Message-ID: <97143748-614e-2164-a5b5-6a98d2a31bee@redhat.com> Hello, We have just released gnutls-3.8.1. This is a bug fix and enhancement release on the 3.8.x branch. We would like to thank everyone who contributed in this release: Pedro Monreal, Radostin Stoyanov, xuraoqing, Christopher Baines, Peter Leitmann, Yongye Zhu, Ajit Singh, Tobias Heider,Pravek Sharma Atharva S Marathe, Andreas Metzler, Wilbur Wetterquarz, Elias Gustafsson, Richard W.M. Jones, Daiki Ueno and Zoltan Fridrich The detailed list of changes follows: * Version 3.8.1 (released 2023-08-03) ** libgnutls: ClientHello extensions are randomized by default ?? To make fingerprinting harder, TLS extensions in ClientHello ?? messages are shuffled. As this behavior may cause compatibility ?? issue with legacy applications that do not accept the last ?? extension without payload, the behavior can be reverted with the %NO_SHUFFLE_EXTENSIONS priority keyword. ** libgnutls: Add support for RFC 9258 external PSK importer. ?? This enables to deploy the same PSK across multiple TLS versions ?? (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application ?? needs to set up a callback that formats the PSK identity using gnutls_psk_format_imported_identity(). ** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS. ** libgnutls: Add additional PBKDF limit checks in FIPS mode as ?? defined in SP 800-132. Minimum salt length is 128 bits and ?? minimum iterations bound is 1000 for PBKDF in FIPS mode. ** libgnutls: Add a mechanism to control whether to enforce extended ?? master secret (RFC 7627). FIPS 140-3 mandates the use of TLS ?? session hash (extended master secret, EMS) in TLS 1.2. To enforce ?? this, a new priority keyword %FORCE_SESSION_HASH is added and if ?? it is set and EMS is not set, the peer aborts the connection. This ?? behavior is the default in FIPS mode, though it can be overridden ?? through the configuration file with the "tls-session-hash" option. ?? In either case non-EMS PRF is reported as a non-approved operation ?? through the FIPS service indicator. ** New option --attime to specify current time. ?? To make testing with different timestamp to the system easier, the ?? tools doing certificate verification now provide a new option ?? --attime, which takes an arbitrary time. ** API and ABI modifications: gnutls_psk_client_credentials_function3: New typedef gnutls_psk_server_credentials_function3: New typedef gnutls_psk_set_server_credentials_function3: New function gnutls_psk_set_client_credentials_function3: New function gnutls_psk_format_imported_identity: New function GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags Getting the Software ================ GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/ A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz Here are OpenPGP detached signatures signed using keys: 5D46CB0F763405A7053556F47A75A648B3F9220C and 462225C3B46F34879FC8496CD605848ED7E69871 https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.1.tar.xz.sig Note that it has been signed with my openpgp key: pub ? ed25519 2021-12-23 [SC] [expires: 2023-12-23] ? ? ? 5D46CB0F763405A7053556F47A75A648B3F9220C uid ? ? ? ? ? [ultimate] Zoltan Fridrich sub ? cv25519 2021-12-23 [E] [expires: 2023-12-23] and Daiki Uenos openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] 462225C3B46F34879FC8496CD605848ED7E69871 uid ?? ? ???? [ultimate] Daiki Ueno > uid?? ??? ??? [ultimate] Daiki Ueno > sub rsa4096 2010-02-04 [E] Regards, Zoltan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x7A75A648B3F9220C.asc Type: application/pgp-keys Size: 669 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: From zfridric at redhat.com Fri Aug 4 12:40:24 2023 From: zfridric at redhat.com (Zoltan Fridrich) Date: Fri, 4 Aug 2023 12:40:24 +0200 Subject: [gnutls-help] gnutls 3.7.10 Message-ID: <471c8082-06fa-76f4-aadb-9b4d33a41cd4@redhat.com> Hello, We have just released gnutls-3.7.10. This is a bug fix release on the 3.7.x branch. We would like to thank everyone who contributed in this release: Andreas Metzler, Daiki Ueno and Zoltan Fridrich The detailed list of changes follows: * Version 3.7.10 (released 2023-08-03) ** libgnutls: Fixed removal of duplicate certificates during verification. ** libgnutls: Fixed checking on hash algorithm used in ECDSA in FIPS mode. ** libgnutls: Mark composite signature API non-approved in FIPS mode. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from https://www.gnupg.org/ftp/gcrypt/ A list of GnuTLS mirrors can be found at http://www.gnutls.org/download.html Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.10.tar.xz Here are OpenPGP detached signatures signed using keys: 5D46CB0F763405A7053556F47A75A648B3F9220C and 462225C3B46F34879FC8496CD605848ED7E69871 https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.10.tar.xz.sig Note that it has been signed with my openpgp key: pub ? ed25519 2021-12-23 [SC] [expires: 2023-12-23] ? ? ? 5D46CB0F763405A7053556F47A75A648B3F9220C uid ? ? ? ? ? [ultimate] Zoltan Fridrich sub ? cv25519 2021-12-23 [E] [expires: 2023-12-23] and Daiki Uenos openpgp key: pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25] 462225C3B46F34879FC8496CD605848ED7E69871 uid ?? ? ???? [ultimate] Daiki Ueno > uid?? ??? ??? [ultimate] Daiki Ueno > sub rsa4096 2010-02-04 [E] Regards, Zoltan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x7A75A648B3F9220C.asc Type: application/pgp-keys Size: 669 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: From simon at josefsson.org Thu Aug 24 15:32:41 2023 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 24 Aug 2023 15:32:41 +0200 Subject: [gnutls-help] guile-gnutls-4.0.0 released [stable] Message-ID: <87sf888t1i.fsf@kaka.sjd.se> This is to announce guile-gnutls-4.0.0, a stable release. Guile-GnuTLS provides Guile bindings for the GnuTLS library. There have been 13 commits by 2 people in the 33 days since 3.7.14. See the NEWS below for a brief summary. Thanks to everyone who has contributed! The following people contributed changes to this release: Simon Josefsson (10) Vivien Kraus (3) Happy Hacking, Simon ================================================================== Project homepage: https://gitlab.com/gnutls/guile The release is available here: https://gitlab.com/gnutls/guile/-/releases/v4.0.0 Documentation: https://gnutls.gitlab.io/guile/manual/ https://gnutls.gitlab.io/guile/manual/gnutls-guile.html https://gnutls.gitlab.io/guile/manual/gnutls-guile.pdf For a summary of changes and contributors, see: https://gitlab.com/gnutls/guile/-/commits/v4.0.0?ref_type=tags or run this command from a git-cloned guile-gnutls directory: git shortlog v3.7.14..v4.0.0 Here are the compressed sources and a GPG detached signature: https://ftpmirror.gnu.org/gnutls/guile-gnutls-4.0.0.tar.gz https://ftpmirror.gnu.org/gnutls/guile-gnutls-4.0.0.tar.gz.sig Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html Here are the SHA1 and SHA256 checksums: 5d8a96654fbdf798fd23cd234dee13e9359c4400 guile-gnutls-4.0.0.tar.gz W0y5JgMgduw0a7XAvA0CMflo/g9WWRPMFpNLt5Ovsjk= guile-gnutls-4.0.0.tar.gz Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007. Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify guile-gnutls-4.0.0.tar.gz.sig The signature should match the fingerprint of the following key: pub ed25519 2019-03-20 [SC] B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE uid Simon Josefsson If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command. gpg --locate-external-key simon at josefsson.org gpg --recv-keys 51722B08FE4745A2 wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=guile-gnutls&download=1' | gpg --import - As a last resort to find the key, you can try the official GNU keyring: wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg gpg --keyring gnu-keyring.gpg --verify guile-gnutls-4.0.0.tar.gz.sig This release was bootstrapped with the following tools: Autoconf 2.71 Automake 1.16.5 Makeinfo 6.8 Libtoolize 2.4.7 NEWS * Noteworthy changes in release 4.0.0 (2023-08-24) [stable] ** Fix automake warnings. ** Indent Guile code. ** Work around GnuTLS 3.8.1 bug wrt missing GNUTLS_NO_EXTENSIONS. ** Changed encoding of source files from ISO-8859-1 to UTF-8. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: not available URL: