./security/gnutls, Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 3.6.12nb1, Package name: gnutls-3.6.12nb1, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.

Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/mozilla-rootcerts] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:

Master sites:

SHA1: fa498b4d026e3ddfa74aa79adac27bfcd14e8b76
RMD160: f76e05c4a5f6c15277259b874bca475089c02630
Filesize: 5802.797 KB

Version history: (Expand)

CVS history: (Expand)

   2020-03-22 13:21:59 by Roland Illig | Files touched by this commit (1)
Log message:
security/gnutls: remove unnecessary comment from Makefile
   2020-03-22 13:21:13 by Roland Illig | Files touched by this commit (1)
Log message:
security/gnutls: remove nonexistent files from REPLACE_BASH
   2020-03-08 17:51:54 by Thomas Klausner | Files touched by this commit (2833)
Log message:
*: recursive bump for libffi
   2020-02-09 14:56:28 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
gnutls: update to 3.6.12.

* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note, that server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like

** libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting
   To continue accepting the invalid form compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can
   be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
gnutls_ocsp_req_const_t: Added
   2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836)
Log message:
*: Recursive revision bump for openssl 1.1.1.
   2019-12-06 15:00:09 by Nia Alarie | Files touched by this commit (8) | Package updated
Log message:
gnutls: Update to

Not sure of's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.
   2019-10-04 19:25:54 by Nia Alarie | Files touched by this commit (10) | Package updated
Log message:
gnutls: Update to 3.6.10

* Version 3.6.10 (released 2019-09-29)

** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
   Deterministic signing can be enabled by setting
   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
   functions (#94).

** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
   functions that will perform in-place encryption/decryption on data buffers (#718).

** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
   TLS1.3, if a timeout callback was not set using \ 

** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
   issue with large record handling due to random padding (#811).

** libgnutls: the server now selects the highest TLS protocol version,
   if TLS 1.3 is enabled and the client advertises an older protocol version \ 
first (#837).

** libgnutls: fix non-PIC assembly on i386 (#818).

** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
   and MAC generation based on GOST 28147-89 (IMIT). For description of the
   modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
   RFC 7836.

** certtool: when outputting an encrypted private key do not insert the textual \ 
   of it. This fixes a regression since 3.6.5 (#840).

** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
   2019-10-01 16:34:08 by Nia Alarie | Files touched by this commit (1)
Log message:
gnutls: No longer a GNU project