forked from pool/gnutls
Accepting request 295655 from Base:System
- updated to 3.4.0 (released 2015-04-08) ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) ciphersuites. The former are enabled by default, the latter need to be explicitly enabled, since they reduce the overall security level. ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as technology preview and is not enabled by default, since there are no assigned ciphersuite points by IETF and there is no guarrantee of compatibility between draft versions. The ciphersuite priority string to enable it is "+CHACHA20-POLY1305". ** libgnutls: Added support for encrypt-then-authenticate in CBC ciphersuites (RFC7366 -taking into account its errata text). This is enabled by default and can be disabled using the %NO_ETM priority string. ** libgnutls: Added support for the extended master secret (triple-handshake fix) following draft-ietf-tls-session-hash-02. ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). ** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". ** libgnutls: DSA signatures and DHE-DSS are no longer included in the default priorities list. They have to be explicitly enabled, e.g., with a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The DSA ciphersuites were dropped because they had no deployment at all on the internet, to justify their inclusion. ** libgnutls: The priority string EXPORT was completely removed. The string OBS-URL: https://build.opensuse.org/request/show/295655 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=83
This commit is contained in:
Git OBS Bridge
145
gnutls.changes
145
gnutls.changes
@@ -1,3 +1,140 @@
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Apr 12 10:16:33 UTC 2015 - meissner@suse.com
|
||||
|
||||
- updated to 3.4.0 (released 2015-04-08)
|
||||
|
||||
** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
|
||||
ciphersuites. The former are enabled by default, the latter need to be
|
||||
explicitly enabled, since they reduce the overall security level.
|
||||
|
||||
** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
|
||||
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
|
||||
That is currently provided as technology preview and is not enabled by
|
||||
default, since there are no assigned ciphersuite points by IETF and there
|
||||
is no guarrantee of compatibility between draft versions. The ciphersuite
|
||||
priority string to enable it is "+CHACHA20-POLY1305".
|
||||
|
||||
** libgnutls: Added support for encrypt-then-authenticate in CBC
|
||||
ciphersuites (RFC7366 -taking into account its errata text). This is
|
||||
enabled by default and can be disabled using the %NO_ETM priority
|
||||
string.
|
||||
|
||||
** libgnutls: Added support for the extended master secret
|
||||
(triple-handshake fix) following draft-ietf-tls-session-hash-02.
|
||||
|
||||
** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
|
||||
|
||||
** libgnutls: SSL 3.0 is no longer included in the default priorities
|
||||
list. It has to be explicitly enabled, e.g., with a string like
|
||||
"NORMAL:+VERS-SSL3.0".
|
||||
|
||||
** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
|
||||
list. It has to be explicitly enabled, e.g., with a string like
|
||||
"NORMAL:+ARCFOUR-128".
|
||||
|
||||
** libgnutls: DSA signatures and DHE-DSS are no longer included in the
|
||||
default priorities list. They have to be explicitly enabled, e.g., with
|
||||
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
|
||||
DSA ciphersuites were dropped because they had no deployment at all
|
||||
on the internet, to justify their inclusion.
|
||||
|
||||
** libgnutls: The priority string EXPORT was completely removed. The string
|
||||
was already defunc as support for the EXPORT ciphersuites was removed in
|
||||
GnuTLS 3.2.0.
|
||||
|
||||
** libgnutls: Added API to utilize system specific private keys in
|
||||
"gnutls/system-keys.h". It is currently provided as technology preview
|
||||
and is restricted to windows CNG keys.
|
||||
|
||||
** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
|
||||
RFC6125 comparison of hostnames. That introduces a dependency on libidn.
|
||||
|
||||
** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
|
||||
PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
|
||||
|
||||
** libgnutls: Depend on nettle 3.1.
|
||||
|
||||
** libgnutls: Use getrandom() or getentropy() when available. That
|
||||
avoids the complexity of file descriptor handling and issues with
|
||||
applications closing all open file descriptors on startup.
|
||||
|
||||
** libgnutls: Use pthread_atfork() to detect fork when available.
|
||||
|
||||
** libgnutls: The gnutls_handshake() process will enforce a timeout by
|
||||
default.
|
||||
|
||||
** libgnutls: If a key purpose (extended key usage) is specified for verification,
|
||||
it is applied into intermediate certificates. The verification result
|
||||
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
|
||||
|
||||
** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
|
||||
combination with PKCS #11, or TPM URLs, it will utilize the provided
|
||||
password as PIN if required. That removes the requirement for the
|
||||
application to set a callback for PINs in that case.
|
||||
|
||||
** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
|
||||
restricted to the corresponding protocols only, and the VERS-ALL
|
||||
string is introduced to catch all possible protocols.
|
||||
|
||||
** libgnutls: Added helper functions to obtain information on PKCS #8
|
||||
structures.
|
||||
|
||||
** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
|
||||
will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
|
||||
|
||||
** libgnutls: Added functions to export and set the record state. That
|
||||
allows for gnutls_record_send() and recv() to be offloaded (to kernel,
|
||||
hardware or any other subsystem).
|
||||
|
||||
** libgnutls: Added the ability to register application specific URL
|
||||
types, which express certificates and keys using gnutls_register_custom_url().
|
||||
|
||||
** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
|
||||
to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
|
||||
gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
|
||||
gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().
|
||||
|
||||
** libgnutls: Added gnutls_ext_register() to register custom extensions.
|
||||
Contributed by Thierry Quemerais.
|
||||
|
||||
** libgnutls: Added gnutls_supplemental_register() to register custom
|
||||
supplemental data handshake messages. Contributed by Thierry Quemerais.
|
||||
|
||||
** libgnutls-openssl: it is no longer built by default.
|
||||
|
||||
|
||||
** certtool: Added --p8-info option, which will print PKCS #8 information
|
||||
even if the password is not available.
|
||||
|
||||
** certtool: --key-info option will print PKCS #8 encryption information
|
||||
when available.
|
||||
|
||||
** certtool: Added the --key-id and --fingerprint options.
|
||||
|
||||
** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
|
||||
options to be used in certificate chain verification, to simulate verification
|
||||
for specific hostname and key purpose (extended key usage).
|
||||
|
||||
** certtool: --p12-info option will print PKCS #12 MAC and cipher information
|
||||
when available.
|
||||
|
||||
** certtool: it will print the A-label (ACE) names in addition to UTF-8.
|
||||
|
||||
** p11tool: added options --set-id and --set-label.
|
||||
|
||||
** gnutls-cli: added options --priority-list and --save-cert.
|
||||
|
||||
** guile: Deprecated priority API has been removed. The old priority API,
|
||||
which had been deprecated for some time, is now gone; use 'set-session-priorities!'
|
||||
instead.
|
||||
|
||||
** guile: Remove RSA parameters and related procedures. This API had been
|
||||
deprecated.
|
||||
|
||||
** guile: Fix compilation on MinGW. Previously only the static version of the
|
||||
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 1 14:26:31 UTC 2015 - meissner@suse.com
|
||||
|
||||
@@ -31,6 +168,14 @@ Wed Apr 1 14:26:31 UTC 2015 - meissner@suse.com
|
||||
gnutls_server_name_set(). That will disable the Server Name Indication.
|
||||
Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2
|
||||
|
||||
- new main library major version .so.30
|
||||
- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1
|
||||
- Now need to configure --enable-openssl-compatibility (might go away)
|
||||
- added gnutls-fix-double-mans.patch: avoid double installing manpages
|
||||
- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed
|
||||
anymore
|
||||
- install_info_delete moved from %postun to %preun
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 25 20:52:43 UTC 2015 - astieger@suse.com
|
||||
|
||||
|
||||
Reference in New Issue
Block a user