Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.8.1 (unreleased)
+
+** libgnutls: ClientHello extensions are randomized by default
+ To make fingerprinting harder, TLS extensions in ClientHello
+ messages are shuffled. As this behavior may cause compatibility
+ issue with legacy applications that do not accept the last
+ extension without payload, the behavior can be reverted with the
+ %NO_SHUFFLE_EXTENSIONS priority keyword.
+
* Version 3.8.0 (released 2023-02-09)
** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
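Review bot: In the added 3.8.1 entry, "may cause compatibility issue with legacy applications" needs the plural "issues", and "legacy applications" leaves it unclear which side is affected. Since the ClientHello is consumed by the peer, wording such as "legacy peers that do not accept a last extension without payload" would tell the reader the problem is on the remote end, not in the application linking libgnutls. It would also help to say where the keyword is set (the priority string), so a user hitting a handshake failure after upgrading can find the revert path from this entry alone.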
renegotiation thus this option must be used with care. When this option
is set no versions later than TLS1.2 can be negotiated.
+@item %NO_SHUFFLE_EXTENSIONS @tab
+will prevent randomizing the order of ClientHello extensions. By
+default, those extensions are randomized to make fingerprinting harder.
+
@item %NO_STATUS_REQUEST @tab
will prevent sending of the TLS status_request extension in client side.
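Review bot: The new "@item %NO_SHUFFLE_EXTENSIONS" text explains why shuffling is the default but not when someone should turn it off. The NEWS entry in the same change gives the reason (peers that do not accept the last extension without payload), and that sentence belongs here too, because the manual is where an operator will look when choosing priority keywords. Suggest also stating the trade-off explicitly: with the keyword set, the ClientHello extension order is fixed again and the fingerprinting resistance described in the second sentence is lost.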