Log message:
Update to 2.6.4:

* Version 2.6.4 (released 2009-02-06)

** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate.  GnuTLS will now stop looking when it has
found an intermediary trusted certificate.  The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly.  Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.

** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied.  Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.

** libgnutls: Fix compile error with Sun CC.
Reported by Jeff Cai <jeff.cai@sun.com> in
<https://savannah.gnu.org/support/?106549>.

Log message:
Changes 2.6.3
* gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
* gnutls: Fix memory leak in PSK authentication.
* certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
  It needs to be invoked before libgcrypt is initialized.
* gnutls-cli: Return non-zero exit code on error conditions.
* gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

Log message:
Update to 2.6.2:

* Version 2.6.2 (released 2008-11-12)

** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate.  Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.

** API and ABI modifications:
No changes since last version.

Log message:
Update to 2.6.1:

* Version 2.6.1 (released 2008-11-10)

** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name.  Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>.  [CVE-2008-4989]

Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>

** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.

** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically.  Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.

** libgnutls-openssl: Fix patch against X509_get_issuer_name.
It incorrectly returned the subject DN instead of issuer DN in v2.6.0.
Thanks to Thomas Viehmann <tv@beamnet.de> for report.

** certtool: Print a PKCS #8 key even if it is not encrypted.

** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).

** API and ABI modifications:
No changes since last version.

Log message:
Add patch-ag, patch-ah, patch-ai (hi, shannonjr!).

Log message:
Three patches to permit compilation under Solaris with SunPro compiler:

patch-ag and patch-ah fix void functions that attempt to return the result
of calling a void function.

patch-ai conditionally includes <sys/inttypes.h> to pick up uint32_t

Log message:
Changes 2.6.0:
* libgnutls: Correct printing and parsing of IPv6 addresses.
* libgnutls-openssl: fix out of bounds access.
* certtool: Use inet_pton for parsing IPv6 addresses.
* Added API to replace and update the crypto backend.
* certtool: can add several subject alternative names via template file.
* opencdk: Parse (but not decrypt) encrypted secret keys.
* more...

Log message:
If strverscmp() is not present, gnutls shouldn't export a symbol of the
same name, breaking the builds of libraries trying to both link against
libcurl and use strverscmp(). Bump PKGREVISION.

Fixes PR 39640.

Log message:
update to gnutls-2.4.1

Changes:

** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
** libgnutls: Fix memory leaks when doing a re-handshake.
** Fix compiler warnings.
** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
** srptool: Fix a problem where --verify check does not succeed.

Log message:
Require libgcrypt>=1.2.2.  Noticed by Steve Bellovin in pkgsrc-users@.
And also require opencdk>=0.6.5.