summaryrefslogtreecommitdiff
path: root/distfiles
diff options
context:
space:
mode:
authorwiz <wiz@pkgsrc.org>2018-08-16 11:05:47 +0000
committerwiz <wiz@pkgsrc.org>2018-08-16 11:05:47 +0000
commit6e4108a7f3c198ce9f3dfb806e19479111b1293f (patch)
tree72bb45b710c50751d3c7d7d960a3c8b2bbaae9d7 /distfiles
parent7ab22f91c6a6039d892a04103e016890a6954435 (diff)
downloadpkgsrc-6e4108a7f3c198ce9f3dfb806e19479111b1293f.tar.gz
gnutls: update to 3.6.3.
* Version 3.6.3 (released 2018-07-16) ** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version negotiation, post handshake authentication, length hiding, multiple OCSP support, consistent ciphersuite support across protocols, hello retry requests, ability to adjust key shares via gnutls_init() flags, certificate authorities extension, and key usage limits. TLS1.3 draft-28 support can be enabled by default if the option --enable-tls13-support is given to configure script. ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority strings, then TLS 1.3 negotiation will be disabled if the session is associated only with an anonymous credentials structure. ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12, and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA 256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357), and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836). ** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default priority strings, as they are undefined under TLS1.3 and they provide not advantage over other options in earlier protocols. ** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled by specifying --enable-ssl3-support on configure script. ** libgnutls: Introduced function to switch the current FIPS140-2 operational mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2 operations. ** libgnutls: Introduced low-level function to assist applications attempting client hello extension parsing, prior to GnuTLS' parsing of the message. ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no modifications to the certificate. That prevents DER re-encoding issues with incorrectly encoded certificates, or other DER incompatibilities to affect a TLS session. Relates with #403 ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups which are preferred by the server. That unfortunately has complicated semantics as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering, which could make group order unpredictable if TLS1.3 is negotiated. ** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium] ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API change for these functions which make them err towards safety. ** libgnutls: improved aarch64 cpu features detection by using getauxval(). ** certtool: It is now possible to specify certificate and serial CRL numbers greater than 2**63-2 as a hex-encoded string both when prompted and in a template file. Default certificate serial numbers are now fully random. Default CRL numbers include more random bits and are larger than in previous GnuTLS versions. Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually if you intend to later downgrade to previous versions as it was not possible to specify large CRL numbers in previous versions of certtool.
Diffstat (limited to 'distfiles')
0 files changed, 0 insertions, 0 deletions