./security/gnutls, Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 3.6.12, Package name: gnutls-3.6.12, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.


Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/mozilla-rootcerts] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: fa498b4d026e3ddfa74aa79adac27bfcd14e8b76
RMD160: f76e05c4a5f6c15277259b874bca475089c02630
Filesize: 5802.797 KB

Version history: (Expand)


CVS history: (Expand)


   2020-02-09 14:56:28 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
gnutls: update to 3.6.12.

* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note, that server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting
   To continue accepting the invalid form compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can
   be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling
   (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-12-06 15:00:09 by Nia Alarie | Files touched by this commit (8) | Package updated
Log message:
gnutls: Update to 3.6.11.1

Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file
   descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.
   2019-10-04 19:25:54 by Nia Alarie | Files touched by this commit (10) | Package updated
Log message:
gnutls: Update to 3.6.10

* Version 3.6.10 (released 2019-09-29)

** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
   Deterministic signing can be enabled by setting
   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
   functions (#94).

** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
   functions that will perform in-place encryption/decryption on data buffers (#718).

** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
   TLS1.3, if a timeout callback was not set using \ 
gnutls_transport_set_pull_timeout_function()
   (#823).

** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
   issue with large record handling due to random padding (#811).

** libgnutls: the server now selects the highest TLS protocol version,
   if TLS 1.3 is enabled and the client advertises an older protocol version \ 
first (#837).

** libgnutls: fix non-PIC assembly on i386 (#818).

** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
   and MAC generation based on GOST 28147-89 (IMIT). For description of the
   modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
   RFC 7836.

** certtool: when outputting an encrypted private key do not insert the textual \ 
description
   of it. This fixes a regression since 3.6.5 (#840).

** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added
GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added
   2019-10-01 16:34:08 by Nia Alarie | Files touched by this commit (1)
Log message:
gnutls: No longer a GNU project
   2019-09-30 11:51:16 by Maya Rashish | Files touched by this commit (4) | Package updated
Log message:
gnutls: backport upstream commit to avoid text relocations on i386.

Regenerate asm files with -fPIC

PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386

Bump PKGREVISION.
   2019-09-18 21:00:13 by Tobias Nygren | Files touched by this commit (1)
Log message:
gnutls: fix PLIST
   2019-09-18 17:27:05 by ng0 | Files touched by this commit (3)
Log message:
security/gnutls: Add ability to link against libunbound for DANE support.