summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-03 09:31:37 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-03 09:33:32 +0100
commit8cd72dedb4650d4bca551450551f327b03780b10 (patch)
treecff6ac64f21ac4128e2780b6c4d399c6d61e6bcc /NEWS
parent4b3ca668727a7c4cbd8ad807e693d682446e37f8 (diff)
downloadgnutls-8cd72dedb4650d4bca551450551f327b03780b10.tar.gz
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS12
1 files changed, 9 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index b4a9aa4089..cfb9108ace 100644
--- a/NEWS
+++ b/NEWS
@@ -7,9 +7,10 @@ See the end for copying conditions.
* Version 3.6.0 (unreleased)
-** libgnutls: Refuse to import certificates which have fractional seconds
- in Time fields, and X.509v1 certificates which have the unique identifiers
- set. Both sets are prohibited by RFC5280.
+** libgnutls: Introduced various sanity checks on certificate import. Refuse
+ to import certificates which have fractional seconds in Time fields, X.509v1
+ certificates which have the unique identifiers set, and certificates with illegal
+ version numbers. All of these are prohibited by RFC5280.
** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags
in the crt structure. The only flag supported at the moment is
@@ -28,6 +29,11 @@ See the end for copying conditions.
behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
to verification functions. Resolves gitlab issue #177.
+** libgnutls: Refuse to generate a certificate with an illegal version, or an
+ illegal serial number. That is, gnutls_x509_crt_set_version() and
+ gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
+ in RFC5280.
+
** certtool: the option '--load-ca-certificate' can now accept PKCS#11
URLs in addition to files.