]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
projects / thirdparty / gnutls.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: 68d111e bd38362)
Merge branch 'tmp-ocsp-check' into 'master' 903-add-crl-and-crq-fuzzers 1163/head
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Thu, 9 Jan 2020 13:38:09 +0000 (13:38 +0000)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Thu, 9 Jan 2020 13:38:09 +0000 (13:38 +0000)
Provide flag to identify sessions that an OCSP response was requested

Closes #829

See merge request gnutls/gnutls!1131

1  2 
NEWS patch | diff1 | diff2 | blob | history
lib/ext/status_request.c patch | diff1 | diff2 | blob | history
lib/includes/gnutls/gnutls.h.in patch | diff1 | diff2 | blob | history

diff --cc NEWS
index 565b15455e5ae79a617cb8414f02d5bec88f236c,002e53c7d69231abd60941fbf04e594cd45fbb7c..2b4fd942108e0b99171e4edc5c237a5c36dcfb54
--- 1/NEWS
--- 2/NEWS
+++ b/NEWS
@@@ -10,41 -13,8 +13,42 @@@ See the end for copying conditions
  ** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
     with gnutls_ocsp_req_t but const.
  
 +** libgnutls: Reject certificates with invalid time fields. That is we reject
 +   certificates with invalid characters in Time fields, or invalid time formatting
 +   To continue accepting the invalid form compile with --disable-strict-der-time
 +   (#207, #870).
 +
 +** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
 +   draft-smyshlyaev-tls12-gost-suites-06).
 +   By default this ciphersuite is disabled. One has to add following items to priority strings:
 +   +VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001.
 +   Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is
 +   enabled both on a server and a client. It is recommended for now to disable
 +   TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers.
 +
 +** libgnutls: The min-verification-profile from system configuration applies
 +   for all certificate verifications, not only under TLS. The configuration can
 +   be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
 +
 +** libgnutls: Reject certificates which contain duplicate extensions. We were
 +   previously printing warnings when printing such a certificate, but that is
 +   insufficient to flag such certificates as invalid. Instead we now refuse to
 +   import them (#887).
 +
 +** libgnutls: If a CA is found in the trusted list, check in addition to
 +   time validity, whether the algorithms comply to the expected level prior
 +   to accepting it. This addresses the problem of accepting CAs which would
 +   have been marked as insecure otherwise (#877).
 +
 +** certtool: Added the --verify-profile option to set a certificate
 +   verification profile. Use '--verify-profile low' for certificate verification
 +   to apply the 'NORMAL' verification profile.
 +
 +** certtool: The add_extension template option is considered even when generating
 +   a certificate from a certificate request.
 +
  ** API and ABI modifications:
+ GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
  gnutls_ocsp_req_const_t: Added
  
  
diff --cc lib/ext/status_request.c
Simple merge
diff --cc lib/includes/gnutls/gnutls.h.in
Simple merge
Mirror of https://gitlab.com/gnutls/gnutls.git