./security/gnutls, GNU Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 3.6.3nb2, Package name: gnutls-3.6.3nb2, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.

Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:

Master sites:

SHA1: ac96787a7fbd550a2b201e64c0e752821e90fed7
RMD160: 108848d1b51e0d81ac1b2fdce596222d486fc737
Filesize: 7822.543 KB

Version history: (Expand)

CVS history: (Expand)

   2018-09-27 20:32:35 by Tobias Nygren | Files touched by this commit (1)
Log message:
gnutls: be explicit about --without-idn
   2018-09-21 16:20:12 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: add another REPLACE_BASH so the tests all run through
   2018-08-22 11:48:07 by Thomas Klausner | Files touched by this commit (3558)
Log message:
Recursive bump for perl5-5.28.0
   2018-08-20 08:01:26 by Thomas Klausner | Files touched by this commit (1) | Package updated
Log message:
gnutls: Fix path to bash in installed files.

   2018-08-19 11:16:01 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: remove obsolete configure argument
   2018-08-19 08:28:39 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: build-depend on bash for the tests.

Replace interpreter in more shell scripts. Gets tests further along.
   2018-08-16 13:05:47 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
gnutls: update to 3.6.3.

* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
   negotiation, post handshake authentication, length hiding, multiple OCSP support,
   consistent ciphersuite support across protocols, hello retry requests, ability
   to adjust key shares via gnutls_init() flags, certificate authorities extension,
   and key usage limits. TLS1.3 draft-28 support can be enabled by default if
   the option --enable-tls13-support is given to configure script.

** libgnutls: Apply compatibility settings for existing applications running \ 
with TLS1.2 or
   earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority \ 
   TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority
   strings, then TLS 1.3 negotiation will be disabled if the session is associated
   only with an anonymous credentials structure.

** Added support for Russian Public Key Infrastructure according to RFCs \ 
   This adds support for using GOST keys for digital signatures and under \ 
PKCS#7, PKCS#12,
   and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 \ 
   256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC \ 
   and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
   as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from \ 
the default
   priority strings, as they are undefined under TLS1.3 and they provide not \ 
   over other options in earlier protocols.

** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled
   by specifying --enable-ssl3-support on configure script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2

** libgnutls: Introduced low-level function to assist applications attempting client
   hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
   modifications to the certificate. That prevents DER re-encoding issues with \ 
   encoded certificates, or other DER incompatibilities to affect a TLS session.
   Relates with #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
   which are preferred by the server. That unfortunately has complicated semantics
   as TLS1.2 requires specific ordering of the groups based on the ciphersuite \ 
   which could make group order unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
   and Adi Shamir reported that the existing counter-measures had certain issues and
   were insufficient when the attacker has additional access to the CPU cache and
   performs a chosen-plaintext attack. This affected the legacy CBC \ 
ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the \ 
   of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
   change for these functions which make them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().

** certtool: It is now possible to specify certificate and serial CRL numbers greater
   than 2**63-2 as a hex-encoded string both when prompted and in a template file.
   Default certificate serial numbers are now fully random. Default CRL
   numbers include more random bits and are larger than in previous GnuTLS versions.
   Since CRL numbers are required to be monotonic, specify suitable CRL numbers \ 
   if you intend to later downgrade to previous versions as it was not possible
   to specify large CRL numbers in previous versions of certtool.
   2018-07-06 18:15:28 by Patrick Welche | Files touched by this commit (7) | Package updated
Log message:
Update gnutls to 3.6.2

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now, it correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considers the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP in par with the RFC7919 changes to

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added

* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.