author | Simon Josefsson <simon@josefsson.org> | 2010-04-22 09:13:47 +0200 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2010-04-22 09:13:47 +0200 |
commit | 143549d8eb1543c625a84cd1cac4d558bebd8139 (patch) | |
tree | ac80531a31e48778253df698802bd1cb41800cd0 /doc/announce.txt | |
parent | 064061add6e7b0aefa3830db6a4b943b572d85f5 (diff) | |
download | gnutls-143549d8eb1543c625a84cd1cac4d558bebd8139.tar.gz |
Prepare 2.10.0 release notes.
Diffstat (limited to 'doc/announce.txt')
-rw-r--r-- | doc/announce.txt | 465 |
1 files changed, 465 insertions, 0 deletions
diff --git a/doc/announce.txt b/doc/announce.txt new file mode 100644 index 0000000000..fcf638ccf3 --- /dev/null +++ b/doc/announce.txt 
@@ -0,0 +1,465 @@ +To: help-gnutls@gnu.org, gnutls-devel@gnu.org, info-gnu@gnu.org +Subject: GnuTLS 2.10.0 +<#part sign=pgpmime> +We are proud to announce a new stable GnuTLS release: Version 2.10.0. + +GnuTLS is a modern C library that implements the standard network +security protocol Transport Layer Security (TLS), for use by network +applications. GnuTLS is developed for GNU/Linux, but works on many +Unix-like systems and comes with a binary installer for Windows. + +The GnuTLS library is distributed under the terms of the GNU Lesser +General Public License version 2.1 (or later). The "extra" GnuTLS +library (which contains TLS/IA support, LZO compression and Libgcrypt +FIPS-mode handler), the OpenSSL compatibility library, the self tests +and the command line tools are all distributed under the GNU General +Public License version 3.0 (or later). The manual is distributed +under the GNU Free Documentation License version 1.3 (or later). + +The project page of the library is available at: + http://www.gnu.org/software/gnutls/ + +What's New +========== + +Version 2.10.0 is the first stable release on the 2.10.x branch and is +the result of 11 months of work on the experimental 2.9.x branch. The +GnuTLS 2.10.x branch replaces the GnuTLS 2.8.x branch as the supported +stable branch, although we will continue to support GnuTLS 2.8.x for +some time. + +** libgnutls: Time verification extended to trusted certificate list. +Unless new constant GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is +specified. + +** certtool: Display postalCode and Name X.509 DN attributes correctly. +Based on patch by Pavan Konjarla. Adds new constant +GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME. + +** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) +Solves the issue discussed in: +<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and +<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>. 
+Note that to allow connecting to unpatched servers the full protection +is only enabled if the priority string %SAFE_RENEGOTIATION is +specified. You can check whether protection is in place by querying +gnutls_safe_renegotiation_status(). New error codes +GNUTLS_E_SAFE_RENEGOTIATION_FAILED and +GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. + +** libgnutls: When checking openpgp self signature also check the signatures +** of all subkeys. +Ilari Liusvaara noticed and reported the issue and provided test +vectors as well. + +** libgnutls: Added cryptodev support (/dev/crypto). +Tested with http://www.logix.cz/michal/devel/cryptodev/. Added +benchmark utility for AES. Adds new error codes +GNUTLS_E_CRYPTODEV_IOCTL_ERROR and GNUTLS_E_CRYPTODEV_DEVICE_ERROR. + +** libgnutls: Exported API to access encryption and hash algorithms. +The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit, +gnutls_cipher_encrypt, gnutls_cipher_get_block_size, +gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast, +gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output, +gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast, +gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output. New API +constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224. + +** libgnutls: Added gnutls_certificate_set_verify_function() to allow +verification of certificate upon receipt rather than waiting until the +end of the handshake. + +** libgnutls: Don't send alerts during handshake. +Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added. + +** certtool: Corrected two issues that affected certificate request generation. +(1) Null padding is added on integers (found thanks to Wilankar Trupti), +(2) In optional SignatureAlgorithm parameters field for DSA keys the DSA +parameters were added. Those were rejected by Verisign. 
Gnutls no longer adds +those parameters there since other implementations don't do either and having +them does not seem to offer anything (anyway you need the signer's certificate +to verify thus public key will be available). Found thanks to Boyan Kasarov. +This however has the side-effect that public key IDs shown by certtool are +now different than previous gnutls releases. +(3) the option --pgp-certificate-info will verify self signatures + +** certtool: Allow exporting of Certificate requests on DER format. + +** certtool: New option --no-crq-extensions to avoid extensions in CSRs. + +** gnutls-cli: Handle reading binary data from server. +Reported by and tiny patch from Vitaly Mayatskikh +<v.mayatskih@gmail.com> in +<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4096>. + +** minitasn1: Upgraded to libtasn1 version 2.6. + +** doc: The GTK-DOC manual is significantly improved. + +** libgnutls: Cleanups and several bug fixes. +Found by Steve Grubb and Tomas Mraz. + +** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv. + +** Fix --disable-valgrind-tests. +Reported by Ingmar Vanhassel in +<https://savannah.gnu.org/support/?107029>. + +** libgnutls: Fix for memory leaks on interrupted handshake. +Reported by Tang Tong. + +** libgnutls: Addition of support for TLS 1.2 signature algorithms +** extension and certificate verify field. +This requires changes for TLS 1.2 servers and clients that use +callbacks for certificate retrieval. They are now required to check +with gnutls_sign_algorithm_get_requested() whether the certificate +they send complies with the peer's preferences in signature +algorithms. + +** libgnutls: In server side when resuming a session do not overwrite the +** initial session data with the resumed session data. + +** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8 +** encryption. +This affects also PKCS #12 encoded files. 
This adds the following new +enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128, +GNUTLS_PKCS_USE_PBES2_AES_192, GNUTLS_PKCS_USE_PBES2_AES_256. + +** libgnutls: Fix PKCS#12 encoding. +The error you would get was "The OID is not supported.". Problem +introduced for the v2.8.x branch in 2.7.6. + +** certtool: Added the --pkcs-cipher option. +To explicitely specify the encryption algorithm to use. + +** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions. + +** tests: Fix time bomb in chainverify self-test. +Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in +<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>. + +** tests: Fix expired cert in chainverify self-test. + +** libgnutls: TLS 1.2 server mode fixes. +Now interoperates against Opera. Contributed by Daiki Ueno. + +** libgnutlsxx: Fix link problems. +Tiny patch from Boyan Kasarov <bkasarov@gmail.com>. + +** guile: Compatibility with guile 2.x. +By Ludovic Courtes <ludovic.courtes@laas.fr>. + +** libgnutls: Enable Camellia ciphers by default. + +** libgnutls: Add new functions to extract X.509 Issuer Alternative Names. +The new functions are gnutls_x509_crt_get_issuer_alt_name2, +gnutls_x509_crt_get_issuer_alt_name, and +gnutls_x509_crt_get_issuer_alt_othername_oid. Contributed by Brad +Hards <bradh@frogmouth.net>. + +** libgnutls: Client-side TLS 1.2 and SHA-256 ciphersuites now works. +The new supported ciphersuites are AES-128/256 in CBC mode with +ANON-DH/RSA/DHE-DSS/DHE-RSA. Contributed by Daiki Ueno. Further, +SHA-256 is now the preferred default MAC (however it is only used with +TLS 1.2). + +** libgnutls: Make OpenPGP hostname checking work again. +The patch to resolve the X.509 CN/SAN issue accidentally broken +OpenPGP hostname comparison. + +** libgnutls: When printing X.509 certificates, handle XMPP SANs better. +Reported by Howard Chu <hyc@symas.com> in +<https://savannah.gnu.org/support/?106975>. + +** Fix use of deprecated types internally. 
+Use of deprecated types in GnuTLS from now on will lead to a compile +error, to prevent this from happening again. + +** libgnutls: Support for TLS tickets was contributed by Daiki Ueno. +The new APIs are gnutls_session_ticket_enable_client, +gnutls_session_ticket_enable_server, and +gnutls_session_ticket_key_generate. + +** gnutls-cli, gnutls-serv: New parameter --noticket to disable TLS tickets. + +** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. +By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS +into 1) not printing the entire CN/SAN field value when printing a +certificate and 2) cause incorrect positive matches when matching a +hostname against a certificate. Some CAs apparently have poor +checking of CN/SAN values and issue these (arguable invalid) +certificates. Combined, this can be used by attackers to become a +MITM on server-authenticated TLS sessions. The problem is mitigated +since attackers needs to get one certificate per site they want to +attack, and the attacker reveals his tracks by applying for a +certificate at the CA. It does not apply to client authenticated TLS +sessions. Research presented independently by Dan Kaminsky and Moxie +Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com> +for providing one part of the patch. [GNUTLS-SA-2009-4] [CVE-2009-2730]. + +** libgnutls: Fix rare failure in gnutls_x509_crt_import. +The function may fail incorrectly when an earlier certificate was +imported to the same gnutls_x509_crt_t structure. + +** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. +Before it always returned false. Reported by Peter Hendrickson +<pdh@wiredyne.com> in +<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>. + +** libgnutls: Fix off-by-one size computation error in unknown DN printing. +The error resulted in truncated strings when printing unknown OIDs in +X.509 certificate DNs. 
Reported by Tim Kosse +<tim.kosse@filezilla-project.org> in +<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>. + +** libgnutls: Fix PKCS#12 decryption from password. +The encryption key derived from the password was incorrect for (on +average) 1 in every 128 input for random inputs. Reported by "Kukosa, +Tomas" <tomas.kukosa@siemens-enterprise.com> in +<http://permalink.gmane.org/gmane.network.gnutls.general/1663>. + +** libgnutls: Return correct bit lengths of some MPIs. +gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and +gnutls_dh_get_peers_public_bits. Before the reported value was +overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in +<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>. + +** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. +Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in +<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671> +and +<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>. + +** libgnutls: Relax checking of required libtasn1/libgcrypt versions. +Before we required that the runtime library used the same (or more +recent) libgcrypt/libtasn1 as it was compiled with. Now we just check +that the runtime usage is above the minimum required. Reported by +Marco d'Itri <md@linux.it> via Andreas Metzler +<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>. + +** tests: Added new self-test pkcs12_s2k_pem to detect MPI bit length error. + +** tests: Improved test vectors in self-test pkcs12_s2k. + +** tests: Added new self-test dn2 to detect off-by-one size error. + +** tests: Fix failure in "chainverify" because a certificate have expired. + +** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. +Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from +<http://bugs.gentoo.org/272388>. + +** Reduce stack usage for some CRQ functions. 
+ +** Doc fixes for CRQ functions. + +TLS Safe Renegotiation Support +============================== + +TBA + +API/ABI changes in GnuTLS 2.10 +============================== + +No offically supported interfaces have been modified or removed. The +library should be completely backwards compatible on both the source +and binary level. + +The following symbols have been added to the library: + +gnutls_certificate_set_verify_function: ADDED. +gnutls_cipher_decrypt: ADDED. +gnutls_cipher_deinit: ADDED. +gnutls_cipher_encrypt: ADDED. +gnutls_cipher_get_block_size: ADDED. +gnutls_cipher_init: ADDED. +gnutls_hash: ADDED. +gnutls_hash_deinit: ADDED. +gnutls_hash_fast: ADDED. +gnutls_hash_get_len: ADDED. +gnutls_hash_init: ADDED. +gnutls_hash_output: ADDED. +gnutls_hmac: ADDED. +gnutls_hmac_deinit: ADDED. +gnutls_hmac_fast: ADDED. +gnutls_hmac_get_len: ADDED. +gnutls_hmac_init: ADDED. +gnutls_hmac_output: ADDED. +gnutls_safe_negotiation_set_initial: ADDED. +gnutls_safe_renegotiation_set: ADDED. +gnutls_safe_renegotiation_status: ADDED. +gnutls_sign_algorithm_get_requested: ADDED. + +gnutls_x509_crt_get_issuer_alt_name2: ADDED. +gnutls_x509_crt_get_issuer_alt_name: ADDED. +gnutls_x509_crt_get_issuer_alt_othername_oid: ADDED. + +gnutls_session_ticket_key_generate: ADDED. +gnutls_session_ticket_enable_client: ADDED. +gnutls_session_ticket_enable_server: ADDED. + +In addition to the functions above, the following non-function +definitions have been added to the header files: + +GNUTLS_DIG_SHA224: ADDED. +GNUTLS_E_CRYPTODEV_DEVICE_ERROR: ADDED. +GNUTLS_E_CRYPTODEV_IOCTL_ERROR: ADDED. +GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ADDED. +GNUTLS_E_UNKNOWN_SRP_USERNAME: ADDED. +GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ADDED. +GNUTLS_MAC_SHA224: ADDED. +GNUTLS_OID_X520_NAME: ADDED. +GNUTLS_OID_X520_POSTALCODE: ADDED. +GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: ADDED. +GNUTLS_VERSION_MAX: ADDED. + +GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h. 
+GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h. +GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h. +GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h. +GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h. +GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h. + +Getting the Software +==================== + +GnuTLS may be downloaded from one of the mirror sites or direct from +<ftp://ftp.gnu.org/gnu/gnutls/>. The list of mirrors can be found at +<http://www.gnu.org/software/gnutls/download.html>. + +Here are the BZIP2 compressed sources (6.0MB): + + ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2 + http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2 + +Here are OpenPGP detached signatures signed using key 0xB565716F: + + ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2.sig + http://ftp.gnu.org/gnu/gnutls/gnutls-2.10.0.tar.bz2.sig + +Note, that we don't distribute gzip compressed tarballs. + +In order to check that the version of GnuTLS which you are going to +install is an original and unmodified one, you should verify the OpenPGP +signature. You can use the command + + gpg --verify gnutls-2.10.0.tar.bz2.sig + +This checks whether the signature file matches the source file. You +should see a message indicating that the signature is good and made by +that signing key. Make sure that you have the right key, either by +checking the fingerprint of that key with other sources or by checking +that the key has been signed by a trustworthy other key. 
The signing +key can be identified with the following information: + +pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] + Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F +uid Simon Josefsson <simon@josefsson.org> +uid Simon Josefsson <jas@extundo.com> +sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] + +The key is available from: + http://josefsson.org/key.txt + dns:b565716f.josefsson.org?TYPE=CERT + +Alternatively, after successfully verifying the OpenPGP signature of +this announcement, you could verify that the files match the following +checksum values. The values are for SHA-1 and SHA-224 respectively: + +7c102253bb4e817f393b9979a62c647010312eac gnutls-2.10.0.tar.bz2 + +57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.10.0.tar.bz2 + +Documentation +============= + +The manual is available online at: + + http://www.gnu.org/software/gnutls/documentation.html + +In particular the following formats are available: + + HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html + PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf + +For developers there is a GnuTLS API reference manual formatted using +the GTK-DOC tools: + + http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html + +Community +========= + +If you need help to use GnuTLS, or want to help others, you are invited +to join our help-gnutls mailing list, see: + + http://lists.gnu.org/mailman/listinfo/help-gnutls + +If you wish to participate in the development of GnuTLS, you are invited +to join our gnutls-dev mailing list, see: + + http://lists.gnu.org/mailman/listinfo/gnutls-devel + +Windows installer +================= + +GnuTLS has been ported to the Windows operating system, and a binary +installer is available. The installer contains DLLs for application +development, manuals, examples, and source code. The installer uses +libgpg-error v1.7, libgcrypt v1.4.5, libtasn1 v2.6, and GnuTLS +v2.10.0. 
+ +For more information about GnuTLS for Windows: + http://josefsson.org/gnutls4win/ + +The Windows binary installer and PGP signature: + http://josefsson.org/gnutls4win/gnutls-2.10.0.exe (15MB) + http://josefsson.org/gnutls4win/gnutls-2.10.0.exe.sig + +The checksum values for SHA-1 and SHA-224 are: + +8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.10.0.exe + +5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.10.0.exe + +A ZIP archive containing the Windows binaries: + http://josefsson.org/gnutls4win/gnutls-2.10.0.zip (5.3MB) + http://josefsson.org/gnutls4win/gnutls-2.10.0.zip.sig + +A Debian mingw32 package is also available: + http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) + +The checksum values for SHA-1 and SHA-224 are: + +aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.10.0-1_all.deb + +269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.10.0-1_all.deb + +Internationalization +==================== + +The GnuTLS library messages have been translated into Czech, Dutch, +French, German, Italian, Malay, Polish, Simplified Chinese, Swedish, +and Vietnamese. We welcome the addition of more translations. + +Support +======= + +Improving GnuTLS is costly, but you can help! We are looking for +organizations that find GnuTLS useful and wish to contribute back. You +can contribute by reporting bugs, improve the software, or donate money +or equipment. + +Commercial support contracts for GnuTLS are available, and they help +finance continued maintenance. Simon Josefsson Datakonsult AB, a +Stockholm based privately held company, is currently funding GnuTLS +maintenance. We are always looking for interesting development +projects. See http://josefsson.org/ for more details. + +The GnuTLS service directory is available at: + + http://www.gnu.org/software/gnutls/commercial.html + +Happy Hacking, +Simon |
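Review bot: The "TLS Safe Renegotiation Support" section contains only "TBA", so the announcement as committed says nothing more about the headline security change than the short "What's New" entry; either fill it in (when %SAFE_RENEGOTIATION is needed, how to read gnutls_safe_renegotiation_status()) or drop the heading before sending. In "Getting the Software", the key listing for 0xB565716F shows "[expires: 2010-04-21]" on both the primary key and the subkey, which is the day before this commit's date (2010-04-22); readers following the gpg --verify instructions will be comparing against a key block that reads as expired, so refresh the listing once the expiry has been extended. In "Windows installer", the Debian package URL names mingw32-gnutls_2.7.10-1_all.deb while the two checksum lines name mingw32-gnutls_2.10.0-1_all.deb, so one of them is stale. Smaller points: the certtool entry says "Corrected two issues" but lists (1) through (3); the symbol list has gnutls_safe_negotiation_set_initial next to gnutls_safe_renegotiation_set and gnutls_safe_renegotiation_status, which is worth checking against the header; the Community section calls the list "gnutls-dev" while the URL is gnutls-devel; and "explicitely", "offically" and "arguable invalid" are typos.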