Milestone started on Aug 20, 2017
GnuTLS 3.6.x bug fixes
This milestone contains the planned or non-planned updates for the 3.6.x branch.
All updates will be included in bi-monthly releases (depending on the number and severity of fixes, releases may also be monthly).
Unstarted Issues (open and unassigned)
- Cert : V1 with v3 extensions; GnuTLS accepts it.
- Cert : V2 with v3 extensions; GnuTLS accepts it.
- When there are multiple defects in the same certificate, only one error warning is given.
- mingw: builds failing
- certtool should be able to just emit PEM data without textual annotations above it.
- fix macosx CI
- consider automating the .map file generation
- Add option to force EtM on servers and clients
- tlsfuzzer: add robot attack detection in the CI
- switch statements: use a consistent way to fall through
- `gnutls-cli -rehandshake` should offer client certificate only on subsequent handshake
- add DTLS fuzzer
- include session resumption in fuzzing
- Verify Ed25519 support in PKCS#7
- address IP name constraints issues found by bettertls
Completed Issues (closed)
- Service Desk (from email@example.com): Some little defects and suggestions for GnuTLS 3.6.0 certificate verification module.
- Provide an option to require encrypt-then-mac on server side
- [Docs] Update documentation on TLS hello extensions
- certtool: --ask-pass option does not work with PKCS#8 encoded private key
- "constate: simplified allocation of epochs" breaks glib-networking tests
- Infinite loop when PIN is incorrect in pkcs11_login function
- "initialization from incompatible pointer type" when building with --enable-cryptodev flag set during configure.
- when I try to compile GnuTLS 3.5.18 with cryptodev support, it fails horribly
- GnuTLS modifies multi-value RDN certificate subject before sending
- Failed to build master (missing gnutls_hkdf_expand)
- Allow applications to use different sets of credentials per vhost
- switch to nettle 3.4 API
- Integer wrap around in gnutls in the mktime_utc function
- Use of --enable-hardware-acceleration on Solaris/x86 leads to undefined symbols
- pcert API: missing function to load from file or URI
- [clang-cl] missing _xgetbv() during link
- Service Desk (from firstname.lastname@example.org): Certtool Segfaults when called with --certificate-pubkey
- gnutls_get_data_mtu() can return smaller values than passed to gnutls_set_data_mtu()
- "insecure algorithm" warning on self-signed certificates (independent of used algorithm)
- gnutls-cli should offer a way to set hostname independently of IP Address (bypassing DNS)
- document FIPS140-2 mode
- resumption: curve is not stored in the resumed data
- [Documentation issue] References in the Preface aren't links or expanded as a footnote
- remove destructive tests
- pkcs11: GNUTLS_PKCS11_FLAG_MANUAL prevents pkcs11 verification
- Fedora 26 server - wget - gnutls/p11-kit/OpenSC - pcsc-lite/pcscd - polkit
- cache ocsp status server-side for stapling
- Doc: document provable rsa keys
- p11tool: auto-login where required
- hardcoded references to libdl in build system
- gnutls-3.6.0: many self test failures on NetBSD
- gnutls_pkcs11_privkey_generate3: do not generate random CKA_ID
- Segfault when setting priorities
- GnuTLS 3.6.0 fails to build on current unstable Debian
- Session resumption fails (gnutls_handshake, error -15)
- lib/str-idna.c: Are _gnutls_idna_email_map() and _gnutls_idna_email_reverse_map() needed ?
- krb5-test fails under valgrind
- p11tool shouldn't require the --login parameter