** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
-a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". This
-string will be needed when using the OpenPGP ciphersuites.
+a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
+DSA ciphersuites were dropped because they had no deployment at all
+on the internet, to justify their inclusion.
** libgnutls: Added API to utilize system specific private keys in
"gnutls/system-keys.h". It is currently provided as technology preview
RFC6125 comparison of hostnames. That introduces a dependency on libidn.
** libgnutls: Added support for encrypt-then-authenticate in CBC
-** ciphersuites (RFC7366 -taking into account its errata text). This
-is enabled by default and can be disabled using the %NO_ETM priority
+ciphersuites (RFC7366 -taking into account its errata text). This is
+enabled by default and can be disabled using the %NO_ETM priority
string.
** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
-PKCS #11 URL draft (draft-pechanec-pkcs11uri-21).
+PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
** libgnutls: Use getrandom() or getentropy() when available. That
-avoids the complexity of file descriptor handling and the issues with
-applications closing all open file descriptors.
+avoids the complexity of file descriptor handling and issues with
+applications closing all open file descriptors on startup.
-** libgnutls: Use pthread_atfork() to detect fork.
+** libgnutls: Use pthread_atfork() to detect fork when available.
** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.
draft-mavrogiannopoulos-chacha-tls-04 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
-is no guarrantee of compatibility between draft versions.
+is no guarrantee of compatibility between draft versions. The ciphersuite
+priority string to enable it is "+CHACHA20-POLY1305".
** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
was already defunc as support for the EXPORT ciphersuites was removed in
GnuTLS 3.2.0.
-** libgnutls: When printing a certificate request print the signature
-algorithm as well.
-
** libgnutls: If a key purpose (extended key usage) is specified for verification,
it is applied into intermediate certificates. The verification result
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.