openssl: explicitly NULL initialize PKCS8_PRIV_KEY_INFO

[platform/upstream/glib-networking.git] / NEWS

2.72.alpha - January 6, 2022
============================

 - OpenSSL: fix unsafe error handling (!187, Patrick Griffis)
 - Correctly load libsoup DLL on Windows (!190, Chun-wei Fan)
 - OpenSSL: use system trust on Windows (!192, Francesco Conti)
 - GnuTLS: fix TLS 1.3 ciphersuite names, should use underscores (!194)
 - OpenSSL: fail when appropriate if Must-Staple extension is set (!197)
 - Improve failure of tls-unique channel binding requests (!198, Ruslan Marchenko)
 - Do not fill SNI extension with IP address (!200, Matteo Biggio)

2.70.1 - December 6, 2021
=========================

 - Fix crashes when handshake is cancelled (#97, #176)
 - OpenSSL: fix spurious certificate expired verification errors (#179)
 - GnuTLS: Fix tests on 32-bit systems (!188, Simon McVittie)
 - GnuTLS: Fix crash when invalid priority string is forced (!189)

2.70.0 - September 16, 2021
===========================

 - Updated translations

2.70.rc - September 3, 2021
===========================

 - gnutls: revert AuthorityInformationAccess implementation for now (#160)
 - gnutls: fix use of non-default GTlsDatabases, Geary crash on startup (#169)
 - openssl: remove openssl-util (!181)
 - gnutls: fix leak in g_tls_certificate_gnutls_copy (!182, Patrick Griffis)
 - gnutls: Unbreak GTLS_GNUTLS_CHECK_VERSION (!185)

2.70.beta - August 12, 2021
===========================

 - gnutls: Ensure that PKCS #11 pins are NUL terminated (!178, Patrick Griffis)
 - openssl: Restore OCSP support (!179, !180, Patrick Griffis)

2.70.alpha - July 2, 2021
=========================

- Fix TLS channel bindings tests (#164)
- Require OpenSSL 1.0.2 (#166)
- Fix threadsafety issue in certificate verification (!148)
- dlopen libsoup for performing HTTP requests (!149, Patrick Griffis)
- Implement new get_negotiated_protocol vfunc (!150)
- Implement new protocol version and ciphersuite name accessors (!151)
- OpenSSL: use system keychain on macOS (!154)
- OpenSSL: add DTLS support, plus many related improvements (!155, Ole André Vadla Ravnås)
- Implement new GTlsCertificate details APIs (!156, !165, Ross Wollman)
- GnuTLS: improve error handling for PIN failures (!158, Patrick Griffis)
- GnuTLS: expose PIN type on PIN requests (!159, Patrick Griffis)
- GnuTLS: check cancellable in pull timeout callback (!160)
- Add support for Android (!162, Ole André Vadla Ravnås)
- Improve automation of test certificate creation (!167, !168, !169, Patrick Griffis)
- GnuTLS: use GnuTLS to implement all channel bindings (!172)
- GnuTLS: rework certificate verification to use TLS session (!173)
- GnuTLS: improve peer identity verification (!176)
- Bring back automatic downloading of missing intermediate certificates (not fixed, may go away again)

2.68.1 - April 22, 2021
=======================

 - Fix threadsafety issue in certificate verification (!148)
 - Temporarily remove support for downloading missing intermediate certificates with GnuTLS 3.7 (#160)

2.68.0 - March 19, 2021
=======================

 - Fix double free in GnuTLS client certificate request code (!147)

2.68.rc - March 12, 2021
========================

 - Improve heuristic for returning G_TLS_ERROR_CERTIFICATE_REQUIRED
 - Fix check for certain handshake failure conditions

2.68.alpha - January 7, 2021
============================

 - Download and validate missing intermediate certificates (requires GnuTLS 3.7) (#96)
 - OpenSSL backend now uses system crypto policy (#106)
 - Remove use of g_assert in testsuite (#137)
 - Restore support for old versions of OpenSSL (#156)
 - Implement TLS channel bindings API (!139, Ruslan Marchenko)
 - Implement PKCS#11 API (!140, Patrick Griffis)
 - Update testsuite for Fedora 33 crypto policy (!141)
 - Fix NULL dereference in g_tls_connection_base_read_message (!144, Vladimir D. Seleznev)
 - Fix a couple code issues found by Coverity

2.66.0 - September 11, 2020
===========================

- Updated translations

2.65.90 - August 6, 2020
========================

 - Many fixes to OpenSSL backend (!128, Ruslan Marchenko)

2.65.1 - July 2, 2020
=====================

 - Fix peer-certificate[-errors] props set too soon (#127)
 - Implement ALPN for OpenSSL backend (!126, Ruslan Marchenko)
 - Fix Windows build (!127, Cun-wei Fan)

2.64.3 - May 28, 2020
=====================

- Revert warning when server-identity property is unset (#130)
- Fix CVE-2020-13645, fail connections when server identity is unset (#135)

2.64.2 - April 14, 2020
=======================

- Reenable TLS 1.0/1.1 protocols due to COVID-19.
- Fix build warning on Windows.

2.64.1 - March 27, 2020
=======================

- Warn when server-identity property is missing (#130)
- Fix crashes in debug logs (#131)
- Fix write loop in OpenSSL backend (!117)

2.64.0 - March 6, 2020
======================

- Fix OpenSSL backend on RHEL 6 (!116)

2.63.92 - February 27, 2020
===========================

- Revert fix for #127, which broke libsoup (#129)

2.63.91 - February 14, 2020
===========================

- Fix peer-certificate properties changing too soon (#127)
- GnuTLS backend: reduce session resumption cache lifetime (!113)
- GnuTLS backend: restore TLS 1.2 support for copy session state (!114)

2.63.90 - February 1, 2020
==========================

- Remove PKCS#11 support, deferred until next cycle (#104)
- Remove OpenSSL backend's OCSP support (#124)

2.63.3 - January 3, 2019
========================

- Fix OpenSSL backend regressions and reenable OpenSSL testsuite (#54)
- Temporarily disable cancellation of sync handshakes (#97)
- Disable flaky test (#104) and resolve testsuite flakiness (#105)
- Fix leak of base iostream (or base datagram socket), 2.62 regression
- Fix duplicate notifies of peer-certificate and peer-certificate-errors
- Fix regression where GnuTLS connection init could theoretically fail without error
- Fix obscure corner case where SNI might not work
- Fix various build warnings on Windows
- Fix multiple build failures on Windows (Chun-wei Fan)
- Fix installed tests (Iain Lane)

2.63.2 - November 22, 2019
==========================

- Fix crash when handshake context is reset too late (#97)
- Require GnuTLS 3.6.5 (#100)
- Build mock PKCS #11 module only for GnuTLS backend (#101)
- Rework session resumption support for TLS 1.3 (!69)
- Run GnuTLS tests under TLS 1.2 in addition to TLS 1.3 (!69)
- Support OpenSSL 1.0.1 (!81)
- Drop rehandshake mode and protocol version fallback support (!83)
- Add logging functions (!89, MARTINSONS Frederic)
- Fix PKCS #11 tests with TLS 1.2 (!91, Patrick Griffis)
- Add more debug logging for PKCS #11 (!92, Patrick Griffis)
- Fix leak in GTlsCertificateGnutls finalizer (!93, Patrick Griffis)

2.63.1 - October 11, 2019
=========================

- Add support for new PKCS#11 APIs to facilitate use with smartcards (Patrick Griffis)
- Disable TLS 1.0 and TLS 1.1 when using GnuTLS
- Fix threadsafety issue (#95)

2.62.1 - October 4, 2019
========================

- Fix two memory leaks (!71, !72, Claudio Saavedra)

2.62.0 - September 7, 2019
==========================

- Revert broken queued data fix for #15

2.61.92 - September 2, 2019
===========================

- Discard queued data after interrupted writes (#15)
- Verify socket timeouts are respected (#18)
- Fix a couple broken error messages

2.61.90 - August 5, 2019
========================

- Fix translations of certain error messages

2.61.2 - July 22, 2019
======================

- Improve certain handshake error messages (#13)
- Fix regressions introduced in 2.61.1 (#91, #92)

2.61.1 - June 9, 2019
=====================

This release contains a major refactoring of the TLS codebase. The GnuTLS
backend now shares the same base classes as the OpenSSL backend, to avoid
duplicating as much code as possible. The base classes, previously used only by
the OpenSSL backend and originally forked from glib-networking several years
ago, have been enhanced to achieve feature-parity with the current state of the
GnuTLS backend.

Please note that the OpenSSL backend remains experimental. Further planned work
is required before this backend will be production-ready.

2.60.3 - June 9, 2019
=====================

- Fix clobbering of the thread-default main context after certificate
  verification failure during async handshakes since 2.60.1 (#85)
- Fix GTlsDatabase initialization failures in OpenSSL backend due to
  uninitialized memory use
- Fix minor leak of ALPN protocols

2.60.2 - May 2, 2019
====================

- OpenSSL backend now defaults to system trust store (#62)
- Fix client auth failure error with GnuTLS 3.6.7 (#70)

2.60.1 - April 1, 2019
======================

- Improve reliability of client auth failure tests (#66)
- Fix excessive CPU usage after sync handshake (#69)

2.60.0.1 - March 12, 2019
=========================

- Fix build with OpenSSL pkg-config unavailable (Nirbheek Chauhan)

2.60.0 - March 11, 2019
=======================

This is the first stable release featuring the new OpenSSL backend. Please be
advised that this new backend is still experimental and known to not work on
some systems, including Debian. Linux distributions are encouraged to stick to
the default build options, where OpenSSL is not yet enabled.

- Fix build with GnuTLS disabled (Nirbheek Chauhan)
- Fix build on Windows (Chun-Wei Fan)

2.59.92 - March 4, 2019
=======================

- Many OpenSSL backend fixes for Windows (Nirbheek Chauhan)
- GnuTLS: reject sync operations during handshake to avoid deadlocks (#46)
- Temporarily disable DTLS and OpenSSL tests due to #49 and #54

2.59.91 - February 18, 2019
===========================

- Update OpenSSL SSL struct when certificate is changed (#55, Fredrik Ternerot)
- Fix tests build when GnuTLS is disabled (#59)
- Remove Fedora-specific PROFILE=SYSTEM default cipher list (#61)
- Fix some problems with the connection tests (Fredrik Ternerot)

2.59.90 - February 4, 2019
==========================

This release adds an OpenSSL backend, obsoleting the glib-openssl project.
Credit to all the contributors to the glib-openssl project, especially
Ignacio Casal Quinteiro. Also thanks to Xavier Claessens for helping with the
transition.

The OpenSSL backend seems to be mature, though it is less well-tested for
desktop usage than the GnuTLS backend. It will remain disabled by default at
build time due to the GPL-incompatible nature of the OpenSSL license -- and the
GPLv2-incompatible nature of the Apache license that will be used by future
versions of OpenSSL -- and because the GnuTLS backend is sufficient for Linux
distros.

Use the OpenSSL backend if you are building an embedded system where
(GPLv2+ or LGPLv3+) dependencies are unacceptable (e.g. nettle or GMP, both
dependencies of GnuTLS) and you are OK with the GPL-incompatible OpenSSL
license. If the OpenSSL backend is enabled at build time, you should probably
disable build of the GnuTLS backend, or it will take precedence over the OpenSSL
backend at runtime. For example, you could configure with:

$ mkdir build && cd build
$ meson -Dgnutls=disabled -Dopenssl=enabled ..

2.59.2 - January 7, 2019
========================

 - Add support for application layer protocol negotiation (#47, Scott Hutton)

2.59.1 - November 11, 2018
==========================

This release removes the gnutls-pkcs11 backend, which was disabled in 2.57.2,
due to lack of any feedback whatsoever regarding its disablement. If you think
it is still useful to you, given that the normal gnutls backend now supports
PKCS#11, speak up now.

This release also includes several changes to properly support TLS 1.3.

Other changes:

 - Perform certificate verification during, not after, TLS handshake
 - Dramatically improve the reliability of the non-DTLS tests. (DTLS is still having problems.)
 - Regenerate test certificates to prepare for OpenSSL support
 - Several meson build system improvements to prepare for OpenSSL support

2.58.0 - September 2, 2018
==========================

 - Updated translations

2.57.92 - August 27, 2018
=========================

 - Revert fixes for #4 and #6 due to regression (#43)
 - Fix installed tests (Sébastien Bacher, !7)

2.57.90 - August 12, 2018
=========================

 - Properly check for server errors in connection tests (#4)
 - Perform certificate verification during, not after, TLS handshake (#6)
 - Avoid trailing dots in SNI hostnames (#11)
 - Send fallback SCSV with fallback connection attempts
 - Fail unsafe rehandshake attempts initiated by API request

2.57.3 - July 16, 2018
======================

- Fix memory leaks when calling g_tls_connection_gnutls_get_certificate()
- Use .so for modules on macOS instead of dylib (Nirbheek Chauhan)
- Fix build with MSVCC (Nirbheek Chauhan)

2.57.2 - May 21, 2018
=====================

This release disables build of the gnutls-pkcs11 backend by default. Please
direct any complaints to https://gitlab.gnome.org/GNOME/glib-networking/issues/7

- Several meson build system improvements
  (#794978, #795043, and #795982, Xavier Claessens and Nirbheek Chauhan)

2.57.1 - April 16, 2018
=======================

- Use GnuTLS system trust and remove build option to specify cert bundle (#753260)
- Fix criticals when child streams outlast the parent GTlsConnection (#792219)
- Fix crash when setting client cert without private key (#793712)
- Update tests for compatibility with GnuTLS 3.6.2 (#794286)
- Never install GIO modules outside build prefix (#794358)
- Don't install test files if installed tests are disabled (#794372)
- Fix build with -Dpkcs11=false (#794292, Tom Schoonjans)
- Allow building as meson subproject (#794709, Mathieu Duponchelle)

- g_tls_certificate_verify() no longer manually verifies certificate
  activation/expiration time, matching the current behavior of
  g_tls_database_verify_chain().

2.56.0 - March 20, 2018
=======================

- Updated translations

2.55.90 - February 12, 2018
===========================

- Fix unit tests when SSLv3 is unavailable (#782853)
- Allow static linking (#791100, Xavier Claessens)
- Fix issues found by coverity (#792402, Philip Withnall)
- Remove TLS build option; it is now mandatory
- Try to ensure that GnuTLS is only initialized if TLS is actually used
- Update use of GObject to follow current best practices
- Use XDG_CURRENT_DESKTOP to determine which proxy module to load

2.55.2 - December 13, 2017
==========================

 * Fix glib-pacrunner.service installation directory
   [#790367, Michael Catanzaro]

 * Updated translations: Hebrew, Indonesian, Spanish

2.55.1 - November 13, 2017
==========================

 * Implement DTLS support [#697908, Philip Withnall and Olivier Crête]

 * Fix using different client certs for different connections
   [#781578, Martin Pitt]

 * Port to Meson build system [#786639, Iñigo Martínez]

 * Updated translations: Catalan (Valencian), Croatian, Czech, German,
   Greek, Norwegian bokmål, Persian, Slovenian

2.54.0
======
  * New/updated translations: Basque, Belarusian, Brazilian
    Portuguese, Bulgarian, Catalan, Chinese (Taiwan), Danish, Danish,
    Dutch, French, Galician, Hungarian, Italian, Korean, Latvian,
    Lithuanian, Malayalam, Nepali, Polish, Serbian, Slovak, Swedish,
    Turkish

2.53.90
=======
  * gnutls: Stop using %LATEST_RECORD_VERSION in priority string,
    since that gives better compatibility with current gnutls /
    current real world. [#782218, Michael Catanzaro]

  * gnutls: Provide a better error message when a TLS alert is
    received. [#782218, Michael Catanzaro]

  * New/updated translations: Croatian, Czech, Esperanto, Friulian,
    German, Indonesian, Italian, Kazakh, Slovenian, Spanish

2.50.0
======
  * New stable release.

  * Updated translations: British English, Polish

2.49.90
=======
  * Ported to use upstream gettext rather than intltool/glib-gettext
    [#768708, Javier Jardón]

  * Updated po files for future gettext versions [Piotr Drąg]

  * Fixed translation lookup on Windows [#765466, Chun-wei Fan]

  * Updated translations: Occitan

2.48.2
======
  * gnutls: Fixed an infinite loop if a server sent two identical
    copies of its CA certificate [#765317, Carlos Garcia Campos]

  * New/updated translations: Occitan, Scottish Gaelic

2.48.1
======
  * Fixed translations in non-UTF-8 domains [#765466, Ting-Wei Lan]

  * Fixed bash-ism in configure [#765396, Patrick Welche]

  * Updated translations: Friulian

2.48.0
======
  * New stable release. (No changes since 2.47.90)

2.47.90
=======
  * gnutls: The non-PKCS#11 TLS plugin now uses gnutls's certificate
    validation code directly, rather than attempting to build a
    certificate chain itself first. [#753260 and others, Dan Winship]

  * gnutls: Fixed a leak when closing a connection during an implicit
    handshake [#736809, Philip Withnall]

  * gnutls: Fixed "make check" without PKCS#11 support [#728977,
    Gilles Dartiguelongue]

  * gnutls: Various changes in preparation for DTLS support (but not
    the actual DTLS support itself) [#697908, #735754, Philip
    Withnall, Olivier Crête]

  * Updated translations: Occitan

2.47.1
======
  * Fixed a certificate chain validation problem that affected
    Facebook in Epiphany. [#750457, Carlos Garcia Campos]

  * Added a systemd service file for glib-pacrunner [#755740, Simon
    McVittie]

2.46.0
======
  * Various minor cleanups and small memory leak fixes

  * Added a new test case for client certificate chain handling
    [#754129, Michael Catanzaro]

  * New/updated translations:
    Japanese, Occitan, Portuguese

2.45.1
======
  * tls/gnutls: Implement g_tls_client_connection_copy_session_state(),
    to allow implementing FTP-over-TLS in gvfs. (#745255, Ross
    Lagerwall)

2.44.0
======
  * New stable release. (No changes since 2.43.92)

2.43.92
=======
  * Fix TLS session caching when using session tickets (#745099, Ross
    Lagerwall)

  * Updated translations:
        Bosnian

2.43.91
=======
  * tls/gnutls: Removed a workaround for connecting to servers with
    weak DH parameters, which was apparently only needed because
    gnutls was prioritizing DHE over RSA. (Michael Catanzaro)
    (https://bugzilla.redhat.com/show_bug.cgi?id=1177964#c8)

  * tls/gnutls: We now require gnutls 3.x again. (In fact, 2.42.1
    and 2.43.1 accidentally used a 3.x-only function, so we already
    required it, we were just failing to declare that fact.)

  * tls/tests: Skip certain tests when running against old gnutls or
    GLib releases. (glib-networking 2.43.91 itself does not require
    GLib 2.43, but one of the test cases does.)

  * Updated translations:
        Friulian

2.43.1
======

  * The GTlsClientConnection "use-ssl3" property now falls back to TLS
    1.0 if SSL 3.0 has been disabled, rather than just failing. Also,
    we now use the gnutls %LATEST_RECORD_VERSION option by default (to
    allow connecting to certain servers that were incorrectly patched
    for the POODLE attack), but also make sure to remove that option
    in the fallback ("use-ssl3") mode (to allow connecting to other
    servers that are differently broken). (#738633, #740087, Dan
    Winship)

  * tls/gnutls: Miscellaneous warning, debugging, and leak fixes
    (#736757, #736809, #737106, Philip Withnall)

  * New/updated translations:
        Kazakh

2.42.0
======
  * New stable release. (No changes since 2.41.92)

2.41.92
=======
  * tls/gnutls: Incorrectly-ordered certificate chains are now
    accepted (#683266, Michael Catanzaro)

  * tls/gnutls: Closing an already-closed GTlsConnection now correctly
    returns TRUE rather than G_IO_ERROR_CLOSED (#735754, Olivier
    Crête)

2.41.4
======
  * tls/gnutls: certificates with IP address subject altnames are now
    supported (#726596, Aleix Conchillo Flaqué)

  * tls/tests: added a script to re-generate the certificates, and
    regenerated them (since the key for the existing CA certificate
    had been lost, so it wasn't possible to add new test certificates,
    eg, for IP SAN). (#733365, Aleix Conchillo Flaqué)

  * Updated translations:
        Greek

2.41.3
======
  * tls/gnutls: g_tls_backend_get_default_database() should never
    return %NULL; if glib-networking was built without a
    ca-certificates file, then the default GTlsDatabase should just be
    empty. (#727282, Olivier Crête)

  * tls/gnutls: If a server's certificate includes an issuer chain, we
    now send the entire chain to the client. (#724708, Aleix Conchillo
    Flaqué)

  * Updated translations:
        Swedish

2.40.0
======
  * New stable release. (No changes since 2.39.90)

2.39.90
=======
  * tls/gnutls: Avoid trying to update a destroyed GSource (#723774,
    Philip Withnall)

  * tls/tests: Fix another flaky test (#722336)

  * tests: use the TAP driver

  * Updated translations:
        Chinese, Czech

2.39.3
======
  * tls/tests: Fix one sporadic bug in the connection test (#720081)
    and make it properly fail rather than hanging forever when another
    sporadic bug happens (which I don't actually know the cause of)
    (#719727)

  * tls/gnutls: Fix for -Werror=format-nonliteral (#720081, Ryan
    Lortie)

2.39.1
======
  * tls/gnutls: Use g_tls_interaction_invoke_request_certificate()
    when processing a certificate request. (#637257, Stef Walter)

  * tls/gnutls: Handle G_IO_ERROR_TIMED_OUT on a GTlsConnection
    correctly rather than reporting "The specified session has
    been invalidated for some reason". (#710700, Aleix Concillo
    Flaque)

  * tls/tests: Fix to previous installed-tests fix, which resulted
    in some files getting installed even when installed tests weren't
    enabled. (#710197)

  * tls/tests: add a test for a fix made in glib (#710691, Aleix
    Conchillo Flaque).

2.38.1
======
  * glibpacrunner: Don't crash if there is an internal libproxy error.
    (rhbz #866927)

  * tls/tests: Fix installed tests to not accidentally depend on
    having the source tree still exist. (#709628)

  * Updated translations:
        Tajik

2.38.0
======
  * New stable release. (No changes since 2.37.5)

2.37.5
======
  * gnutls: minimum version is now 2.12.8 (with 3.x preferred...)

  * glib-networking now supports the --enable-installed-tests flag, to
    install its test programs to run at other times (ie, after
    updating glib)

2.37.4
======
  * proxy/gnome: further improve GNOME session detection (#701377)

  * gnutls: don't crash if $G_TLS_GNUTS_PRIORITY is invalid (#701693)

2.37.2
======
  * proxy/gnome: Improve session-type detection to include
    gnome-classic and anything else starting with "gnome" (#700607,
    Giovanni Campagna)

  * proxy/libproxy: make SOCKS work when using the async API (#699359,
    Dan)

  * proxy/tests: make the libproxy test program use the just-built
    plugin rather than the installed one. Oops (#700286, Iain Lane)

  * proxy/tests: fix to not error out if neither proxy module is built
    (#700628, Dan)

  * tls/tests: fix a sporadic crash (Dan)

2.37.1
======
  * gnutls: Fixed a bug that could cause hangs and/or bursts of CPU
    usage in some cases. (#696881, Olivier Crête)

  * gnutls: Fixed CFLAGS when building with gnutls in a different
    prefix. (#696519, Emmanuel Pacaud)

  * gnutls: Fixed a hang while rehandshaking with gnutls 3.x (#695062,
    Dan)

  * gnutls: Fixed a handshaking crash in multithreaded use (#697754,
    Olivier Crête)

  * proxy/gnome: Fix "automatic" mode, which was mistakenly being
    treated as "none" (Dan)

  * proxy/gnome: Use this in Unity sessions as well as GNOME ones.
    (#698936, Iain Lane)

  * New/Updated translations:
        Friulian, Indonesian, Turkish

2.36.0
=======
  * New/Updated translations:
        Assamese, Basque, Belarusian, Catalan (Valencian), Catalan,
        Danish, Finnish, Hindi, Korean, Latvian, Persian, Portuguese,
        Russian, Slovak, Tadjik, Thai

2.35.9
======
  * Fixed one kind of handshake failure to return the correct error
    code under gnutls 3.x (allowing libsoup to recognize the error and
    do fallback to SSL 3.0). (#694812)

  * Updated translations:
        Chinese (traditional), French, German, Punjabi, Uyghur,
        Vietnamese

2.35.8
======
  * proxy/gnome: ported to new GSimpleProxyResolver, and added more
    tests

  * gnutls: Fixed a small per-connection leak (#693718)

  * tls/tests: Fixed several race conditions that caused spurious
    failures. (#693720)

  * Updated translations:
        Malayalam

2.35.6
======
  * proxy/gnome: Fixed several bugs:

        * Multithreaded usage could result in crashes

        * In "automatic" mode, synchronous lookups would obey
          ignore-hosts, but asynchronous lookups would not. (Now they
          both do.)

        * lookup_async() would never notice if the proxy settings
          switched from "automatic" to "manual" or "none" (and would
          make a synchronous D-Bus call when switching in the other
          direction).

        * If given an invalid URI, lookup_async() would return a
          successful result (and leak the GError that it was supposed
          to have returned), and lookup() would return both the error
          and the proxy (leaking one or the other, depending on how
          the caller behaved).

  * Updated translations:
        Italian, Malayalam, Norwegian bokmål, Serbian, Uyghur

2.35.4
======
  * proxy/gnome: The tests should now work correctly even if
    run from a non-GNOME environment. (Robert Ancell)

  * Updated translations:
        Brazilian Portuguese, Bulgarian, Estonian, Galician, Greek,
        Hungarian, Slovenian

2.35.3
======
  * build: The TLS tests are now not built if you are building without
    gnutls support. (Saleem Abdulrasool)

  * gnutls: Several handshaking fixes:

        * Fix a hang when doing a synchronous close() immediately
          after cancelling an asynchronous handshake() (which would
          happen in libsoup if you cancelled a message at the right
          time). (#688751, Dan)

        * Avoid an assertion when an implicit handshake fails
          (#689274, Stef)

        * Fixed GTlsServerConnection:authentication-mode to work
          again, and added a regression test for this. (#689259, Stef)

        * Return the appropriate error
          (G_TLS_ERROR_CERTIFICATE_REQUIRED) when a handshake fails
          because the server required a certificate but none was
          provided, and added a test for this. (#689260, Stef)

        * Make g_io_stream_close() finish successfully after a failed
          handshake (#689260, Stef)

        * Make g_io_stream_close() finish successfully before a
          handshake (#689271, Stef)

  * gnutls: Updated to be aware of G_IO_ERROR_BROKEN_PIPE in glib
    2.35.3, which needs to be converted to G_TLS_ERROR_NOT_TLS in some
    cases. (Previously this error showed up as just G_IO_ERROR_FAILED.)
    (Dan)

  * proxy/gnome: This is now only used in GNOME login sessions (as,
    essentially, a more efficient version of the libproxy GNOME
    backend); in non-GNOME sessions, gio will now fall back to the
    libproxy plugin, allowing environment variables or other libproxy
    settings backends to be used.

  * New/Updated translations:
        Czech, Hebrew, Lithuanian, Polish, Slovak, Spanish

2.35.1
======
  * Update for glib 2.35.1; remove g_type_init() calls and port to
    GTask.

  * Updated translations:
        Estonian

2.34.0
======
  * Updated translations:
        Arabic, Bulgarian, Catalan (Valencian), Catalan, Chinese
        (Simplified), Hindi, Japanese, Thai

2.33.14
=======
  * Updated translations:
        Brazilian Portuguese, British English, Czech, Danish, Finnish,
        French, German, Korean, Punjabi

2.33.12
=======
  * gnutls: Revert the addition of the certificate-bytes and
    private-key-bytes properties to GTlsCertificateGnutls, since they
    were reverted in glib. (#682081, Stef)

  * Updated translations:
        Belarusian, Hungarian, Indonesian, Italian, Latvian, Polish,
        Polish, Vietnamese

2.33.10
=======
  * gnutls: Improved the certificate verifying code to deal with the
    case of a CA being reissued with the same key but a different
    signature algorithm. (#681299, Stef)

  * gnutls: Fixed an uninitialized variable in
    g_tls_connection_gnutls_close(). (#681636)

  * Updated translations:
        Assamese, Portuguese, Telugu

2.33.8
======
  * gnutls: If a GTlsConnection gets an error when handshaking, it
    will now continue to return that error message on future I/O
    attempts, rather than behaving in an undefined manner.

  * gnutls: You can now read from a GTlsConnection's input stream and
    write to its output stream at the same time (either in different
    threads, or asynchronously in a single thread). (#660252)

  * Updated translations:
        Chinese (traditional), Galician, Greek, Hebrew, Lithuanian,
        Norwegian bokmål, Russian, Serbian, Slovenian, Spanish

2.33.3
======
  * Updated autogen.sh (in particular to support automake 1.12)
    (#675261)

  * gnutls: fix the use-system-certdb property on GTlsConnectionGnutls
    (previously, setting it to FALSE was a no-op).

  * Updated translations:
        Dutch, Greek, Indonesian

2.33.2
======
  * gnutls: simplify using new glib pollable stream methods

  * proxy/gnome: fix a bug that made it impossible to use SOCKS
    without also having a separate http proxy.

2.32.1
======
  * gnutls: added /etc/ssl/ca-bundle.pem to the list of files to check
    for to use as the default CA list. (This is what openSUSE uses.)
    (#673944, Federico Mena Quintero)

  * Updated translations:
        Catalan (Valencian), Marathi, Odia, Persian

2.32.0
======
  * New/updated translations:
        Hindi, Japanese, Khmer, Latvian, Malayalam

2.31.22
=======
  * Updated translations:
        British English, Catalan, Finnish, Lithuanian, Portuguese,
        Telugu

2.31.20
=======
  * gnutls: Fixed a linking problem on some platforms when PKCS#11 is
    enabled. (#670956, Kalev Lember)

  * Updated translations:
        Assamese, Basque, Belarusian, Brazilian Portuguese, Danish,
        Estonian, French, German, Hungarian, Italian, Korean, Polish,
        Russian, Serbian

2.31.16
=======
  * gnutls: Fixed a TLS handshaking bug that in particular caused lots
    of crashes in epiphany. (#658771)

  * tls/tests: Fixed a bug in the pkcs11-pin test that could cause it
    to spuriously fail

  * Updated translations:
        Bulgarian, Chinese (traditional), Czech, Japanese,
        Norwegian bokmål, Turkish, Vietnamese

2.31.6
======
  * gnutls
        * Support gnutls built against nettle instead of gcrypt
          (#657306)

        * Implement TLS session caching for GTlsServerConnection
          (#636574)

  * tls/tests: Explicitly request the memory GSettings backend, to
    avoid warnings in partial jhbuild environments

  * proxy/gnome: Update to use GInetAddressMask

  * Updated translations:
        Chinese (simplified), Hebrew, Norwegian bokmål, Slovenian,
        Swedish, Ukranian

2.31.2
======
  * gnutls
        * Added gnutls-pkcs11 backend, which uses gnutls 2.12.8 and
          p11-kit (a new optional dependency) to provide access to
          PKCS#11 tokens. At the moment, this is only enabled if you
          set GIO_USE_TLS=gnutls-pkcs11 in the environment. (Stef,
          #656361)

        * GTlsCertificateGnutls can now read unencrypted PKCS#8 keys
          (which show "BEGIN PRIVATE KEY" in PEM form) in addition to
          the previously-supported PKCS#1 keys ("BEGIN RSA PRIVATE
          KEY").

  * Updated translations:
        Galician, German, Lithuanian, Norwegian bokmål, Spanish,
        Turkish

2.31.0
======
  * gnutls
        * Bumped required GNUTLS version to 2.11.0 and updated
          code for that (Stef, #656903)

        * Fixed a crash when passing a NULL GCancellable to
          g_tls_connection_close_async() (Dan, #659786) or a NULL
          GError to g_tls_file_database_new().

        * Fixed handling of self-signed CA certificates in
          GTlsDatabaseGnutls (Dan, #660508)

        * Added another G_TLS_ERROR_NOT_TLS (aka "dumb server, try
          falling back from TLS to SSLv3") case, when the handshake
          completes but then packets after that don't decrypt
          correctly. (Dan, #662104)

        * Made sure that GTlsConnection:peer-certificate and
          :peer-certificate-errors get set even when the peer
          certificate is rejected. (Dan)

  * proxy/gnome
        * Fixed ignore_hosts handling (Dan, #655581)

        * Fixed configure check so that "--without-gnome-proxy" works.
          (Alexandre Rostovtsev, #662203)

        * Fixed tests to only build the gnome proxy test if we're
          building the gnome proxy. (Kalev Lember, #662085)

  * New translations:
        Telugu

2.30.0
======
  * Updated translation:
        Thai

2.29.92
=======
  * New/updated translations:
        Belarusian, Tamil, Japanese

  * gnutls: Fixed a problem when linking against GNUTLS 3.0, where
    connections would sometimes return the error "The TLS connection
    was non-properly terminated". (Dan Winship, #659233)

  * gnutls: Plugged a few memory leaks (Dan Winship)

2.29.18
=======
  * gnutls: fixed two rehandshaking bugs; one in which a client
    would erroneously report an error after successfully rehandshaking
    (Igor Makarov, #653645), and one where initiating an asynchronous
    rehandshake on the server side would send illegal packets and
    cause the client to disconnect (Dan Winship).

  * gnutls: made GTlsDatabaseGnutls and GTlsFileDatabaseGnutls
    properly cancellable (Stef Walter)

  * gnutls: fixed the client-side session cache to not share session
    IDs between different virtual hosts on the same IP address, which
    caused problems with some servers. (Dan Winship, #581342)

  * tls: Fixed up the tls test program so it can be run from "make
    check" (Stef Walter)

  * New translations:
        Persian

2.29.15
=======
  * gnutls: implement GTlsDatabase (Stef Walter, #636572)

  * gnutls: override minimum key length, to allow connecting to HTTP
    servers with very small keys (eg, on some embedded devices). (Dan
    Winship, #652284).

  * gnutls: use %COMPAT mode, which makes GNUTLS behave more like
    OpenSSL/NSS/Windows in a few ways, making it work with certain
    broken HTTP servers. (Dan Winship, part of #581342)

  * gnutls: fixed a crash when passed a NULL GError (Dan Winship)

2.29.9
======
  * Optimized GDBus usage in PACRunner (davidz)

  * Fixed a race condition in GProxyResolverGnome (davidz)

  * Changed configure to --enable-maintainer-mode by default,
    to match glib

  * New translations:
        Belarusian, Catalan (Valencian), Esperanto, Finnish,
        Lithuanian

2.28.6
======
  * Fixed some leaks in the gnutls backend

  * New translations:
        Turkish

2.28.5
======
  * New/updated translations:
        Basque, Brazilian Portuguese, Chinese (Traditional), Danish,
        Hindi, Kannada, Marathi, Uyghur

2.28.4
======
  * Added a new proxy backend, GProxyResolverGnome, that uses
    GSettings and the network proxy schemas from
    gsettings-desktop-schemas to provide proxy information (and using
    a new D-Bus service provided by the libproxy backend to provide
    PAC/WPAD support).

    If you are building glib-networking in a GNOME 3.0 environment,
    you should make sure that gsettings-desktop-schemas.pc is
    available when building, so that this backend gets built.

  * New translations:
        Assamese, Latvian, Oriya, Serbian

2.28.0
======
  * Fixed broken libtool check in autogen.sh that failed for libtool
    2.4 (Dan Williams)

  * New/updated translations:
        Bengali (India), Catalan, Chinese (Simplified), Chinese
        (Traditional), Czech, Dutch, Estonian, Galician, German,
        Greek, Gujarati, Hebrew, Indonesian, Italian, Korean,
        Norwegian (Bokmål), Polish, Punjabi, Slovenian, Spanish,
        Swedish, Uyghur, Ukranian

2.27.90
=======
  * Fixed configure script to actually error out if installed glib
    version is too old (Emilio Pozuelo Monfort)

  * gnutls: updated GTlsClientConnectionGnutls for :accepted-cas type
    change (Stef Walter)
  * gnutls: fixed an uninitialized variable (Dan Winship)

2.27.5
======
  * gnutls: finish implementing GTlsRehandshakeMode, which was present
    but non-functional in 2.27.4
  * gnutls: updates for glib TLS API changes
  * gnutls: fix some async bugs that caused the main loop to spin
  * gnutls: implement a client-side session cache, to speed up
    handshakes

  * Compile with gcc warnings by default

2.27.4
======
  * GNUTLS-based implementation of GTlsBackend

2.26.0
======

  * No changes, just a version bump

2.25.0
======

  * Initial release, with libproxy-based GProxyResolver