Opened 2 years ago
Closed 2 years ago
#16533 closed enhancement (fixed)
gnutls-3.7.5
| Reported by: | Bruce Dubbs | Owned by: | Xi Ruoyao |
|---|---|---|---|
| Priority: | normal | Milestone: | 11.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (9)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 2 years ago
comment:6 by , 2 years ago
Looks like 3.7.5 is not officially released yet: https://www.gnutls.org/ That could be the reason.
comment:8 by , 2 years ago
Version 3.7.5 (released 2022-05-15)
- libgnutls: The
GNUTLS_NO_TICKETS_TLS12flag and%NO_TICKETS_TLS12priority modifier have been added to disable session ticket usage in TLS 1.2 because it does not provide forward secrecy (#477). On the other hand, since session tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now only disables session tickets in TLS 1.2. Future backward incompatibility: in the next major release of GnuTLS, we plan to remove those flag and modifier, and makeGNUTLS_NO_TICKETSand%NO_TICKETSonly affect TLS 1.2.
- gnutls-cli, gnutls-serv: Channel binding for printing information has been changed from tls-unique to tls-exporter as tls-unique is not supported in TLS 1.3.
- libgnutls: Certificate sanity checks has been enhanced to make gnutls more RFC 5280 compliant (!1583). Following changes were included:
- critical extensions are parsed when loading x509 certificate to prohibit any random octet strings. Requires strict-x509 configure option to be enabled
- garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures of Issuer and Subject name are prohibited
- libgnutls: Removed 3DES from FIPS approved algorithms (
#1353). According to the section 2 of SP800-131A Rev.2, 3DES algorithm will be disallowed for encryption after December 31, 2023: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
- libgnutls: Optimized support for AES-SIV-CMAC algorithms (
#1217,#1312). The existing AEAD API that works in a scatter-gather fashion (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC. For further optimization, new function (gnutls_aead_cipher_set_key) has been added to set key on the existing AEAD handle without re-allocation.
- libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode when used in TLS (
#1311).
- The configure arguments for Brotli and Zstandard (zstd) support have changed to reflect the previous help text: they are now
--with-brotli/--with-zstdrespectively (#1342).
- Detecting the Zstandard (zstd) library in configure has been fixed (
#1343).
- API and ABI modifications:
- GNUTLS_NO_TICKETS_TLS12: New flag
- gnutls_aead_cipher_set_key: New function
comment:9 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at r11.1-512-gb310c5448b. curl left open for SA.
Note:
See TracTickets
for help on using tickets.
I'm getting
403 forbiddendownloading this (from my home or my virtual server in California).