- Version update to 3.6.4:

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
  ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
     gnutls_certificate_set_retrieve_function() which could not handle the case where
     no certificates were returned, or the callbacks were set to NULL (see #528).
  ** libgnutls: gnutls_handshake() on server returns early on handshake when no
     certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
     is specified.
  ** libgnutls: Added session ticket key rotation on server side with TOTP.
     The key set with gnutls_session_ticket_enable_server() is used as a
     master key to generate time-based keys for tickets. The rotation
     relates to the gnutls_db_set_cache_expiration() period.
  ** libgnutls: The 'record size limit' extension is added and preferred to the
     'max record size' extension when possible.
  ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
     This addresses the problem where the CA certificate doesn't have a subject key
     identifier whereas the end certificates have an authority key identifier (#569)
  ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
     gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
     and export GOST parameters in the "native" little endian format used for these
     curves. This is an intentional incompatible change with 3.6.3.
  ** libgnutls: Added support for separately negotiating client and server certificate types
     as defined in RFC7250. This mechanism must be explicitly enabled via the
     GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=10
Tomáš Chvátal 2018-10-15 08:27:49 +00:00 committed by Git OBS Bridge
parent 65aedfc27d
commit 60b4dea541
6 changed files with 35 additions and 7 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ed642b66a4ecf4851ab2d809cd1475c297b6201d8e8bd14b4d1c08b53ffca993
size 8010284

Binary file not shown.

gnutls-3.6.4.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c663a792fbc84349c27c36059181f2ca86c9442e75ee8b0ad72f5f9b35deab3a
size 8076364
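
Review bot: the new pointer for gnutls-3.6.4.tar.xz pins only a sha256 oid and a size, so nothing in this hunk shows that the stored object is the upstream release tarball. The commit also replaces gnutls-3.6.4.tar.xz.sig; please confirm that the detached signature verifies over the object with this oid against the upstream signing key, and note that in the request.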

gnutls-3.6.4.tar.xz.sig Normal file

Binary file not shown.


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Mon Oct 15 08:26:48 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Version update to 3.6.4:
** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
gnutls_certificate_set_retrieve_function() which could not handle the case where
no certificates were returned, or the callbacks were set to NULL (see #528).
** libgnutls: gnutls_handshake() on server returns early on handshake when no
certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
is specified.
** libgnutls: Added session ticket key rotation on server side with TOTP.
The key set with gnutls_session_ticket_enable_server() is used as a
master key to generate time-based keys for tickets. The rotation
relates to the gnutls_db_set_cache_expiration() period.
** libgnutls: The 'record size limit' extension is added and preferred to the
'max record size' extension when possible.
** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
This addresses the problem where the CA certificate doesn't have a subject key
identifier whereas the end certificates have an authority key identifier (#569)
** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
and export GOST parameters in the "native" little endian format used for these
curves. This is an intentional incompatible change with 3.6.3.
** libgnutls: Added support for seperately negotiating client and server certificate types
as defined in RFC7250. This mechanism must be explicitly enabled via the
GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().
-------------------------------------------------------------------
Tue Sep 18 08:39:56 UTC 2018 - schwab@suse.de
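
Review bot: the new entry records only the upstream release notes and omits the packaging changes made to the spec in this same commit, in particular the dane condition now also matching suse_version >= 1500. Suggest adding a line for that change, since it alters what is built on those targets. In the RFC7250 item "seperately" should read "separately". The GOST item is marked as an intentional incompatible change with 3.6.3, so it is worth stating whether any dependent package uses the gost_raw import or export functions.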


@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -20,8 +20,8 @@
%define gnutlsxx_sover 28
%define gnutls_dane_sover 0
# unbound isn't in SLE (bsc#1086428)
%if 0%{?is_opensuse}
# unbound isn't in SLE12 (bsc#1086428)
%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500
%bcond_without dane
%else
%bcond_with dane
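
Review bot: the new condition `%if 0%{?is_opensuse} || 0%{?suse_version} >= 1500` relies on `>=` binding tighter than `||`; putting the comparison in parentheses would make the intent explicit. The updated comment names only SLE12, but the %else branch still covers every non-openSUSE target with suse_version below 1500, so "SLE12 and older" would describe it more accurately. bsc#1086428 is still cited; please state whether it is resolved for 1500 and later.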
@ -29,7 +29,7 @@
%bcond_with tpm
%bcond_without guile
Name: gnutls
Version: 3.6.3
Version: 3.6.4
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1-or-later AND GPL-3.0-or-later