author: Daiki Ueno <ueno@gnu.org> 2023-04-02 08:21:41 +0900
committer: Daiki Ueno <ueno@gnu.org> 2023-04-20 23:01:02 +0900
commit: 1fbe52e042e181d1e477a2c3993ff49267d0a5da (patch)
tree: 2aabac9a196d1db9e1b454356fd39c9cc2efa8c9
parent: 4c5e937db05c502ed205fbbe0d327472135680f1 (diff)
download: gnutls-1fbe52e042e181d1e477a2c3993ff49267d0a5da.tar.gz
doc: mention ClientHello extensions shuffling
Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r-- NEWS 9
-rw-r--r-- doc/cha-gtls-app.texi 4
2 files changed, 13 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 331c8074c8..5f6e45a814 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,15 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.8.1 (unreleased)
+
+** libgnutls: ClientHello extensions are randomized by default
+ To make fingerprinting harder, TLS extensions in ClientHello
+ messages are shuffled. As this behavior may cause compatibility
+ issue with legacy applications that do not accept the last
+ extension without payload, the behavior can be reverted with the
+ %NO_SHUFFLE_EXTENSIONS priority keyword.
+
* Version 3.8.0 (released 2023-02-09)
** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
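Review bot: In the new 3.8.1 NEWS entry, "legacy applications that do not accept the last extension without payload" leaves unclear which party is meant. The shuffled message is the ClientHello, so it is the peer receiving it that has to cope; consider naming it explicitly (for example "legacy servers" or "peers") and changing "compatibility issue" to "compatibility issues". It would also help to say that %NO_SHUFFLE_EXTENSIONS restores the previous, unshuffled order, so readers know exactly what "reverted" covers.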
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 77727a44ec..692cf7cde0 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1552,6 +1552,10 @@ that TLS 1.2 requires extensions to be used, as well as safe
renegotiation thus this option must be used with care. When this option
is set no versions later than TLS1.2 can be negotiated.
+@item %NO_SHUFFLE_EXTENSIONS @tab
+will prevent randomizing the order of ClientHello extensions. By
+default, those extensions are randomized to make fingerprinting harder.
+
@item %NO_STATUS_REQUEST @tab
will prevent sending of the TLS status_request extension in client side.
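Review bot: The new @item for %NO_SHUFFLE_EXTENSIONS says why shuffling is the default but not when a user should turn it off. The NEWS entry in this same patch gives the reason (peers that do not accept the last extension without payload); repeat that here in one sentence, and note that setting the keyword gives up the fingerprinting resistance, so the manual entry stands on its own without the release notes.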