* Version 3.2.18 (released 2014-09-18) ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle strings with embedded spaces and escaped commas. ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. Reported by Armin Burgmeier. ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior to signature verification. That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser and restructured as the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from Codenomicon. ** API and ABI modifications: No changes since last version. * Version 3.3.8 (released 2014-09-18) ** libgnutls: Updates in the name constraints checks. No name constraints will be checked for intermediate certificates. As our support for name constraints is limited to e-mail addresses in DNS names, it is pointless to check them on intermediate certificates. ** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple object listing would fail completely if a single object could not be exported. ** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, by retrieving them in large batches. Report and suggestion by David Woodhouse. ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior to signature verification. That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser and restructured as the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from Codenomicon. ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle strings with embedded spaces and escaped commas. ** libgnutls: when comparing a CA certificate with the trusted list compare the name and key only instead of the whole certificate. That is to handle cases where a CA certificate was superceded by a different one with the same name and the same key. ** libgnutls: when verifying a certificate against a p11-kit trusted module, use the attached extensions in the module to override the CA's extensions (that requires p11-kit 0.20.7). ** libgnutls: In DTLS prevent sending zero-size fragments in certain cases of MTU split. Reported by Manuel Pégourié-Gonnard. ** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows verifying using a hostname and a purpose (extended key usage). That enhances PKCS #11 trust module verification, as it can now check the purpose when this function is used. ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. Reported by Armin Burgmeier. ** libgnutls: added option --disable-padlock to allow disabling the padlock CPU acceleration. ** p11tool: when listing tokens, list their type as well. ** p11tool: when listing objects from a trust module print any attached extensions on certificates. ** API and ABI modifications: gnutls_x509_crq_get_extension_by_oid2: Added gnutls_x509_crt_get_extension_by_oid2: Added gnutls_x509_trust_list_verify_crt2: Added gnutls_x509_ext_print: Added gnutls_x509_ext_deinit: Added gnutls_x509_othername_to_virtual: Added gnutls_pkcs11_obj_get_exts: Added
thanks! added.