Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 12
1 files changed, 9 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index b4a9aa4089..cfb9108ace 100644
--- a/NEWS
+++ b/NEWS
@@ -7,9 +7,10 @@ See the end for copying conditions.
* Version 3.6.0 (unreleased)
-** libgnutls: Refuse to import certificates which have fractional seconds
- in Time fields, and X.509v1 certificates which have the unique identifiers
- set. Both sets are prohibited by RFC5280.
+** libgnutls: Introduced various sanity checks on certificate import. Refuse
+ to import certificates which have fractional seconds in Time fields, X.509v1
+ certificates which have the unique identifiers set, and certificates with illegal
+ version numbers. All of these are prohibited by RFC5280.
** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags
in the crt structure. The only flag supported at the moment is
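Review bot: "certificates with illegal version numbers" in the rewritten import entry does not say which version values are now rejected, so a reader cannot tell from NEWS whether a given certificate will stop loading after upgrade. Suggest naming the accepted versions explicitly, and noting whether the import checks listed here can be relaxed by the caller or are unconditional. The third added line is also noticeably longer than its neighbours and could be rewrapped.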
@@ -28,6 +29,11 @@ See the end for copying conditions.
behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
to verification functions. Resolves gitlab issue #177.
+** libgnutls: Refuse to generate a certificate with an illegal version, or an
+ illegal serial number. That is, gnutls_x509_crt_set_version() and
+ gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
+ in RFC5280.
+
** certtool: the option '--load-ca-certificate' can now accept PKCS#11
URLs in addition to files.
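Review bot: The new entry for gnutls_x509_crt_set_version() and gnutls_x509_crt_set_serial() says they "will fail on input considered to be invalid in RFC5280" but does not state which inputs those are or which error is returned. Callers that previously ignored the return value of these setters need to know that, so suggest listing the rejected cases for the version and the serial number and the error code. There is also a stray comma before "will fail".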