#9914: gnutls-3.6.1
-----------------------------+-------------------------
 Reporter:  pierre.labastie  |      Owner:  blfs-book@…
     Type:  enhancement      |     Status:  new
 Priority:  normal           |  Milestone:  8.2
Component:  BOOK             |    Version:  SVN
 Severity:  normal           |   Keywords:
-----------------------------+-------------------------
 New point version:
 {{{
 Hello,
  I've just released gnutls 3.6.1. This is a bug fix release for
 the 3.6.x branch. The releases on this branch will continue on a
 bi-monthly period.


 * Version 3.6.1 (released 2017-10-21)

 ** libgnutls: Fixed interoperability issue with openssl when safe
    renegotiation was used. Resolves gitlab issue #259.

 ** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
    gnutls_x509_crq_sign, were modified to sign with a better algorithm
    than SHA1. They will now sign with an algorithm that corresponds to
    the security level of the signer's key.

 ** libgnutls: gnutls_x509_*_sign2() functions and
    gnutls_x509_*_privkey_sign() accept GNUTLS_DIG_UNKNOWN (0) as a hash
    function option. That will signal the function to auto-detect an
    appropriate hash algorithm to use.

 ** libgnutls: Removed support for signature algorithms using SHA2-224
    in TLS. TLS 1.3 no longer uses SHA2-224 and it was never a widespread
    algorithm in TLS 1.2. As such, no reason to keep supporting it.

 ** libgnutls: Refuse to use client certificates containing disallowed
    algorithms for a session. That reverts a change on 3.5.5, which allowed
    a client to use DSA-SHA1 due to his old DSA certificate, without
    requiring him to enable DSA-SHA1 (and thus make it acceptable for the
    server's certificate). The previous approach was to allow a smooth move
    for client infrastructure after the DSA algorithm became disabled by
    default, and is no longer necessary as DSA is now being universally
    deprecated.

 ** libgnutls: Refuse to resume a session which had a different SNI
    advertised. That improves RFC6066 support in server side. Reported by
    Thomas Klute.

 ** p11tool: Mark all generated objects as sensitive by default.

 ** p11tool: added options --sign-params and --hash. This allows testing
    signature with multiple algorithms, including RSA-PSS.

 ** API and ABI modifications:
 No changes since last version.
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9914>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
