RHEL-125971

rebase gnutls in 9.8 to 3.8.10


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-9.8
    • rhel-9.8
    • gnutls
    • None
    • gnutls-3.8.10-1.el9
    • No
    • Moderate
    • 1
    • rhel-security-crypto-spades
    • 14
    • 0
    • False
    • False
    • Yes
    • Crypto25November

      1. gnutls bundles:

      • gmp-6.2.1
      • (newly bundled) leancrypto-1.5.0

      2. liboqs is not used

      3. cert compression:

      • is using dlopen [compilation options inspection]
      • is disabled by default
      • is tested against tlsfuzzer
        [Sanity/compressed-certificate-coverage]
      • is interop-tested against nss and openssl (at least zlib)
        [Interoperability/cert-compression-with-NSS, Interoperability/cert-compression-with-OpenSSL]

      4. RSA-OAEP: [Interoperability/OAEP, Interoperability/OAEP-with-various-pkcs8-keys]

      • keys marked in PKCS#8 and X.509 as either rsaEncryption or rsa-OAEP can be used for OAEP encryption and decryption
      • ciphertext encrypted with openssl can be decrypted with gnutls and vice versa;
        this should hold for all current combinations of supported hashes
      • defaults are not using SHA-1 even for small key sizes
      • FIPS indicator is set to unapproved when in FIPS mode and salt is larger than the hash
      • both in and out of FIPS mode, exporting defaults to parameter values that are approved in FIPS mode

      5. extend FIPS/PKCS8-algs ("Test an even weaker one (single DES)", #1598) to RHEL-9

      6. RSAES-PKCS1-v1_5 is allowed both with and without config [Sanity/allow-rsa-pkcs1-encrypt]

      7. PBMAC1:

      • gnutls does NOT default to exporting PKCS#12 files with PBMAC1 in FIPS mode,
        and preserves the current default in both FIPS and non-FIPS mode
      • interop-test against openssl [openssl/Sanity/RHEL-36659-test-PKCS12-PBMAC1-option]
      • interop-test against nss [nss/Sanity/RHEL-39732-pkcs12-and-pbmac1]

      8. SHAKE: extend [Sanity/SHAKE] to run on RHEL-9

      9. DSA signing and verification stays working

      10. 1024-, 1280-, 1536- and 1792-bit RSA verification is still approved

      11. gnutls-cli -l lists neither xyber nor kyber

      12. ML-KEM:

      • is tested against tlsfuzzer
        [Interoperability/Hybrid-ML-KEM-in-TLS]
      • is interop-tested against nss and openssl
        [Interoperability/Hybrid-ML-KEM-with-OpenSSL, nss/Interoperability/ML-KEM-interoperability-with-GnuTLS]

      13. ML-DSA:

      • extend to run on RHEL-9:
      • [Interoperability/ML-DSA-in-TLS-with-OpenSSL]
      • [Interoperability/ML-DSA-key-and-cert-interoperability-with-OpenSSL]
      • [Sanity/ML-DSA-keys-in-TLS]
      • [nss/Interoperability/ML-DSA-in-TLS-with-GnuTLS]
      • [nss/Interoperability/ML-DSA-key-and-cert-interoperability-with-GnuTLS]

      14. PKCS#11 provider: declare tech preview, like in 10

    • Pass
    • None
    • Rebase
      Version: 3.8.10
      List of highlights:
      * All records included in an OCSP response are now checked in TLS
        Previously, when multiple records were provided in a single OCSP
        response, only the first record was considered; now all of those
        records are examined until one matches the server certificate.
      * ML-KEM hybrid key exchange algorithms can now be used in TLS. (These are best enabled with the PQ subpolicy.)
      * ML-DSA-44, ML-DSA-65, and ML-DSA-87 signature algorithms can now be used in TLS. (These are best enabled with the PQ subpolicy.)
      * All variants of ML-DSA private key formats defined in the `draft-ietf-lamps-dilithium-certificates-12` document are supported.
      * Certificate compression in TLS is supported (RFC 8879), but disabled by default.
      * Optimal Asymmetric Encryption Padding scheme (RSA-OAEP) is supported (RFC 8017).
      * The SHAKE hashing algorithm and an API for incremental calculation of SHAKE hashes of arbitrary length across multiple calls have been added.
      * RSA encryption and decryption with PKCS #1 v1.5 padding is deprecated and disallowed by default.
      * Use of SHA-1 is no longer approved for signature verification.
      * `gnutls` can now export PKCS #12 files with Password-Based Message Authentication Code 1 (PBMAC1) as defined in RFC 9579. If you need interoperability with systems running in FIPS mode, use PBMAC1 explicitly.
      * The default cryptographic backend can now be overridden to a PKCS#11 module as a Technology Preview. This unsupported feature is controlled by specifying the `[provider]` section in the system-wide configuration, which sets the path and PIN of the module.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      We've been asked to bring PQ to RHEL-9, and we plan to accomplish that with a 9.8 rebase to 3.8.10 (from 3.8.3) with some reverts.

              Alexander Sosedkin (asosedki@redhat.com)
              Alexander Sosedkin (asosedki@redhat.com)
              Alexander Sosedkin
              Conor Tull
              Votes: 0
              Watchers: 5
