forked from pool/gnutls
Accepting request 528289 from Base:System
1
OBS-URL: https://build.opensuse.org/request/show/528289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=104
@@ -1,3 +1,97 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 20 12:36:16 UTC 2017 - vcizek@suse.com
|
||||
|
||||
- Disable flaky dtls_resume test on Power
|
||||
* add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 18 11:47:23 UTC 2017 - astieger@suse.com
|
||||
|
||||
- GnuTLS 3.6.0:
|
||||
* Introduce a lock-free random generator which operates per-
|
||||
thread and eliminates random-generator related bottlenecks in
|
||||
multi-threaded operation.
|
||||
* Replace the Salsa20 random generator with one based on CHACHA.
|
||||
The goal is to reduce code needed in cache (CHACHA is also
|
||||
used for TLS), and the number of primitives used by the
|
||||
library. That does not affect the AES-DRBG random generator
|
||||
used in FIPS140-2 mode.
|
||||
* Add support for RSA-PSS key type as well as signatures in
|
||||
certificates, and TLS key exchange
|
||||
* Add support for Ed25519 signing in certificates and TLS key
|
||||
exchange following draft-ietf-tls-rfc4492bis-17
|
||||
* Enable X25519 key exchange by default, following
|
||||
draft-ietf-tls-rfc4492bis-17.
|
||||
* Add support for Diffie-Hellman group negotiation following
|
||||
RFC7919.
|
||||
* Introduce various sanity checks on certificate import
|
||||
* Introduce gnutls_x509_crt_set_flags(). This function can set
|
||||
flags in the crt structure. The only flag supported at the
|
||||
moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the
|
||||
certificate sanity checks on import.
|
||||
* PKIX certificates with unknown critical extensions are rejected
|
||||
on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS
|
||||
* Refuse to generate a certificate with an illegal version, or an
|
||||
illegal serial number. That is, gnutls_x509_crt_set_version()
|
||||
and gnutls_x509_crt_set_serial(), will fail on input considered
|
||||
to be invalid in RFC5280.
|
||||
* Call to gnutls_record_send() and gnutls_record_recv() prior to
|
||||
handshake being complete are now refused
|
||||
* Add support for PKCS#12 files with no salt (zero length) in
|
||||
their password encoding, and PKCS#12 files using SHA384 and
|
||||
SHA512 as MAC.
|
||||
* libgnutls: Exported functions to encode and decode DSA and ECDSA
|
||||
r,s values.
|
||||
* Add new callback setting function to gnutls_privkey_t for
|
||||
external keys. The new function (gnutls_privkey_import_ext4),
|
||||
allows signing in addition to previous algorithms (RSA PKCS#1
|
||||
1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys.
|
||||
* Introduce the %VERIFY_ALLOW_BROKEN and
|
||||
%VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These
|
||||
allows enabling all broken and SHA1-based signature algorithms
|
||||
in certificate verification, respectively.
|
||||
* 3DES-CBC is no longer included in the default priorities list.
|
||||
It has to be explicitly enabled, e.g., with a string like
|
||||
"NORMAL:+3DES-CBC".
|
||||
* SHA1 was marked as insecure for signing certificates.
|
||||
Verification of certificates signed with SHA1 is now considered
|
||||
insecure and will fail, unless flags intended to enable broken
|
||||
algorithms are set. Other uses of SHA1 are still allowed.
|
||||
* RIPEMD160 was marked as insecure for certificate signatures.
|
||||
Verification of certificates signed with RIPEMD160 hash
|
||||
algorithm is now considered insecure and will fail, unless
|
||||
flags intended to enable broken algorithms are set.
|
||||
* No longer enable SECP192R1 and SECP224R1 by default on TLS
|
||||
handshakes. These curves were rarely used for that purpose,
|
||||
provide no advantage over x25519 and were deprecated by TLS 1.3.
|
||||
* Remove support for DEFLATE, or any other compression method.
|
||||
* OpenPGP authentication was removed; the resulting library is ABI
|
||||
compatible, with the openpgp related functions being stubs that
|
||||
fail on invocation.
|
||||
Drop gnutls-broken-openpgp-tests.patch, no longer required.
|
||||
* Remove support for libidn (i.e., IDNA2003); gnutls can now be
|
||||
compiled only with libidn2 which provides IDNA2008.
|
||||
* certtool: The option '--load-ca-certificate' can now accept
|
||||
PKCS#11 URLs in addition to files.
|
||||
* certtool: The option '--load-crl' can now be used when
|
||||
generating PKCS#12 files (i.e., in conjunction with '--to-p12' option).
|
||||
* certtool: Keys with provable RSA and DSA parameters are now
|
||||
only read and exported from PKCS#8 form, following
|
||||
draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
|
||||
This removes support for the previous a non-standard key format.
|
||||
* certtool: Added support for generating, printing and handling
|
||||
RSA-PSS and Ed25519 keys and certificates.
|
||||
* certtool: the parameters --rsa, --dsa and --ecdsa to
|
||||
--generate-privkey are now deprecated, replaced by the
|
||||
--key-type option.
|
||||
* p11tool: The --generate-rsa, --generate-ecc and --generate-dsa
|
||||
options were replaced by the --generate-privkey option.
|
||||
* psktool: Generate 256-bit keys by default.
|
||||
* gnutls-server: Increase request buffer size to 16kb, and added
|
||||
the --alpn and --alpn-fatal options, allowing testing of ALPN
|
||||
negotiation.
|
||||
* Enables FIPS 140-2 mode during build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 11 10:37:44 UTC 2017 - dimstar@opensuse.org
|
||||
|
||||
|
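Review bot: In the "GnuTLS 3.6.0:" entry the packaging changes are mixed into the upstream release notes: "Drop gnutls-broken-openpgp-tests.patch, no longer required." is nested under the OpenPGP bullet, and "* Enables FIPS 140-2 mode during build" is formatted as one more upstream item. Move both to their own top-level "- " lines so the build-time FIPS 140-2 change is not missed in review. The Sep 20 entry disables the dtls_resume test on Power without a bug or upstream issue reference; add one so the test can be re-enabled once the flakiness is understood. The entry also lists several default changes that can break consumers (verification of SHA1- and RIPEMD160-signed certificates now fails, 3DES-CBC is out of the default priorities, compression is removed, the OpenPGP functions become stubs that fail, and gnutls_record_send()/gnutls_record_recv() are refused before the handshake completes), so a line stating whether dependent packages were rebuilt and tested against 3.6.0 would help.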