./security/gnutls, GNU Transport Layer Security library

Branch: CURRENT, Version: 3.6.2, Package name: gnutls-3.6.2, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.

Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:

Master sites:

SHA1: 24e5a416ce320945a2515619f3c2f0f6f2290ddc
RMD160: 8f08c2f8e4957338b5efcb40d3584870a53741e1
Filesize: 7903.617 KB

   2018-07-06 18:15:28 by Patrick Welche | Files touched by this commit (7) | Package updated
Log message:
Update gnutls to 3.6.2

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self-signed certificate, ignore the issuer.
   That is, ignore the issuer when checking the issuer's parameter strength, resolving
   issue #347, which caused self-signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considering the rest of the
   padding as part of the data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added

* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support on the server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.
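The CBC data-MTU fix in the 3.6.2 notes above is easiest to see with the arithmetic written out. The following is an added example, not GnuTLS code: it assumes the DTLS 1.2 record layout for a CBC ciphersuite (a 13-byte record header, an explicit IV one cipher block long, then data || MAC || padding || padding_length byte, padded to a block boundary) and all function and constant names are ours. Only the MAC and the single padding_length byte are fixed overhead; whatever padding remains in the last block is space the payload could have used, so the data MTU is computed over whole ciphertext blocks rather than by reserving a full block for padding.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not GnuTLS code.  Assumed DTLS 1.2 CBC record layout:
 *   header (13) | IV (one block) | data || MAC || padding || padding_length
 * with the encrypted part a multiple of the cipher block size. */
#define DTLS_RECORD_HEADER_LEN 13

/* Bytes on the wire for a record carrying data_len bytes of payload. */
size_t cbc_record_size(size_t data_len, size_t block, size_t mac_len)
{
    size_t plain  = data_len + mac_len + 1;               /* +1: padding_length byte */
    size_t padded = (plain + block - 1) / block * block;  /* pad to a block boundary */
    return DTLS_RECORD_HEADER_LEN + block + padded;       /* header + IV + ciphertext */
}

/* Largest payload whose record still fits in link_mtu.  The fixed overhead is
 * the MAC plus one padding_length byte; the rest of the padding is whatever
 * is left over in the last block, so it is counted as usable data. */
size_t cbc_data_mtu(size_t link_mtu, size_t block, size_t mac_len)
{
    if (link_mtu < DTLS_RECORD_HEADER_LEN + block)
        return 0;                                  /* not even header + IV fits */
    size_t avail = link_mtu - DTLS_RECORD_HEADER_LEN - block;
    avail -= avail % block;                        /* only whole ciphertext blocks fit */
    if (avail < mac_len + 1)
        return 0;                                  /* no room for MAC + length byte */
    return avail - mac_len - 1;
}

int main(void)
{
    const size_t link_mtu = 1400;   /* constructed link MTU for the table below */
    struct { const char *name; size_t block, mac; } suites[] = {
        { "AES-128-CBC / HMAC-SHA1",   16, 20 },
        { "AES-256-CBC / HMAC-SHA256", 16, 32 },
        { "3DES-CBC / HMAC-SHA1",       8, 20 },
    };
    for (size_t i = 0; i < sizeof suites / sizeof suites[0]; i++) {
        size_t mtu = cbc_data_mtu(link_mtu, suites[i].block, suites[i].mac);
        /* The record at the data MTU fits; one more payload byte spills into
         * a new block and overshoots the link MTU. */
        printf("%-28s data MTU %4zu (record %4zu bytes; +1 byte -> %4zu bytes)\n",
               suites[i].name, mtu,
               cbc_record_size(mtu, suites[i].block, suites[i].mac),
               cbc_record_size(mtu + 1, suites[i].block, suites[i].mac));
    }
    return 0;
}
```

For a 1400-byte link MTU with AES-128-CBC and HMAC-SHA1 this yields 1339 bytes of payload: 1339 + 20 + 1 = 1360 is exactly 85 blocks, so the record is 13 + 16 + 1360 = 1389 bytes, while 1340 bytes of payload would need an 86th block and a 1405-byte record.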

   2018-06-04 18:12:52 by Thomas Klausner | Files touched by this commit (1) | Package updated
Log message:
gnutls: Bump PKGREVISION for dependency removal

   2018-06-04 14:45:48 by Leonardo Taccari | Files touched by this commit (1)
Log message:
gnutls: Fix build if devel/autogen package is installed

Without including the autogen bl3, if the devel/autogen package was
installed, autogen (the tool) was used, but then the build failed
because it tried to include <autoopts/options.h> unconditionally.

Add `--enable-local-libopts' to CONFIGURE_ARGS to avoid that.

   2018-06-04 13:16:12 by Youri Mouton | Files touched by this commit (1)
Log message:
Remove autogen dependency and make pkglint happy.

   2018-04-29 08:03:44 by David A. Holland | Files touched by this commit (1) | Package updated
Log message:
Bump PKGREVISION for previous.

   2018-04-29 06:09:08 by David A. Holland | Files touched by this commit (1)
Log message:
Set BUILDLINK_API_DEPENDS.gmp to require gmp>=5.0, per PR 52250.
Otherwise on Solaris it finds a really old builtin gmp and fails.

   2018-04-20 00:12:25 by Thomas Klausner | Files touched by this commit (1)
Log message:
Commit missing part of gnutls recursive bump.

Noted by Patrick Welche.

   2018-04-17 15:28:53 by Thomas Klausner | Files touched by this commit (2)
Log message:
gnutls: enable p11-kit.

PKCS#11 support is needed by glib-networking.