.. _mozilla_projects_nss_nss_3_12_3_release_notes:
NSS_3.12.3_release_notes.html
=============================
.. _nss_3.12.3_release_notes:
`NSS 3.12.3 Release Notes <#nss_3.12.3_release_notes>`__
--------------------------------------------------------
.. _2009-04-01:
`2009-04-01 <#2009-04-01>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
`Contents <#contents>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- `Introduction <#introduction>`__
- `Distribution Information <#distribution_information>`__
- `New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
- `Bugs Fixed <#bugs_fixed>`__
- `Documentation <#documentation>`__
- `Compatibility <#compatibility>`__
- `Feedback <#feedback>`__
--------------
`Introduction <#introduction>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Network Security Services (NSS) 3.12.3 is a patch release for NSS 3.12. The bug fixes in NSS
3.12.3 are described in the "`Bugs Fixed <#bugs_fixed>`__" section below.
NSS 3.12.3 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
--------------
`Distribution Information <#distribution_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
| The CVS tag for the NSS 3.12.3 release is NSS_3_12_3_RTM. NSS 3.12.3 requires `NSPR
| See the `Documentation <#documentation>`__ section for the build instructions.
NSS 3.12.3 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
download:
- Source tarballs:
- Binary distributions:
optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
(optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12.3
directory containing three subdirectories:
- include - NSS header files
- lib - NSS shared libraries
programs
You also need to download the NSPR 4.7.4 binary distributions to get the NSPR 4.7.4 header files
and shared libraries, which NSS 3.12.3 requires. NSPR 4.7.4 binary distributions are in
--------------
.. _new_in_nss_3.12.3:
`New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- Changes in behavior:
- In the development of NSS 3.12.3, it became necessary to change some old library behaviors due
to the discovery of certain vulnerabilities in the old behaviors, and to correct some errors
that had limited NSS's ability to interoperate with cryptographic hardware and software from
other sources.
Most of these changes should cause NO problems for NSS users, but in some cases, some
customers' software, hardware and/or certificates may be dependent on the old behaviors, and
may have difficulty with the new behaviors. In anticipation of that, the NSS team has provided
ways to easily cause NSS to revert to its previous behavior through the use of environment
variables.
Here is a table of the new environment variables introduced in NSS 3.12.3 and information
about how they affect these new behaviors. The information in this table is excerpted from
:ref:`mozilla_projects_nss_reference_nss_environment_variables`

+--------------------------------+--------------------------------+--------------------------------+
| **Environment Variable**       | **Value Type**                 | **Description**                |
+--------------------------------+--------------------------------+--------------------------------+
| NSRANDCOUNT                    | Integer                        | Sets the maximum number of     |
|                                | (byte count)                   | bytes to read from the file    |
|                                |                                | named in the environment       |
|                                |                                | variable NSRANDFILE (see       |
|                                |                                | below). Makes NSRANDFILE       |
|                                |                                | usable with /dev/urandom.      |
+--------------------------------+--------------------------------+--------------------------------+
| NSS_ALLOW_WEAK_SIGNATURE_ALG   | Boolean                        | Enables the use of MD2 and MD4 |
|                                | (any non-empty value to        | hash algorithms inside         |
|                                | enable)                        | signatures. This was allowed   |
|                                |                                | by default before NSS 3.12.3.  |
+--------------------------------+--------------------------------+--------------------------------+
| NSS_HASH_ALG_SUPPORT           | String                         | Specifies algorithms allowed   |
|                                |                                | to be used in certain          |
|                                |                                | applications, such as in       |
|                                |                                | signatures on certificates and |
|                                |                                | CRLs. See documentation at     |
|                                |                                | `this                          |
|                                |                                | link                           |
|                                |                                | show_bug.cgi?id=483113#c0>`__. |
+--------------------------------+--------------------------------+--------------------------------+
| NSS_STRICT_NOFORK              | String                         | It is an error to try to use a |
|                                | ("1",                          | PKCS#11 crypto module in a     |
|                                | "DISABLED",                    | process before it has been     |
|                                | or any other non-empty value)  | initialized in that process,   |
|                                |                                | even if the module was         |
|                                |                                | initialized in the parent      |
|                                |                                | process. Beginning in NSS      |
|                                |                                | 3.12.3, Softoken will detect   |
|                                |                                | this error. This environment   |
|                                |                                | variable controls Softoken's   |
|                                |                                | response to that error.        |
|                                |                                |                                |
|                                |                                | - If set to "1" or unset,      |
|                                |                                |   Softoken will trigger an     |
|                                |                                |   assertion failure in debug   |
|                                |                                |   builds, and will report an   |
|                                |                                |   error in non-DEBUG builds.   |
|                                |                                | - If set to "DISABLED",        |
|                                |                                |   Softoken will ignore forks,  |
|                                |                                |   and behave as it did in      |
|                                |                                |   older versions.              |
|                                |                                | - If set to any other          |
|                                |                                |   non-empty value, Softoken    |
|                                |                                |   will report an error in      |
|                                |                                |   both DEBUG and non-DEBUG     |
|                                |                                |   builds.                      |
+--------------------------------+--------------------------------+--------------------------------+
| NSS_USE_DECODED_CKA_EC_POINT   | Boolean                        | Tells NSS to send EC key       |
|                                | (any non-empty value to        | points across the PKCS#11      |
|                                | enable)                        | interface in the non-standard  |
|                                |                                | unencoded format that was used |
|                                |                                | by default before NSS 3.12.3.  |
|                                |                                | The new key point format is a  |
|                                |                                | DER encoded ASN.1 OCTET        |
|                                |                                | STRING.                        |
+--------------------------------+--------------------------------+--------------------------------+
| NSS_USE_SHEXP_IN_CERT_NAME     | Boolean                        | Tells NSS to allow shell-style |
|                                | (any non-empty value to        | wildcard patterns in           |
|                                | enable)                        | certificates to match SSL      |
|                                |                                | server host names. This        |
|                                |                                | behavior was the default       |
|                                |                                | before NSS 3.12.3. The new     |
|                                |                                | behavior conforms to RFC 2818. |
+--------------------------------+--------------------------------+--------------------------------+
- New Korean SEED cipher:

  - New macros for SEED support:

    - | *in blapit.h:*
      | NSS_SEED
      | NSS_SEED_CBC
      | SEED_BLOCK_SIZE
      | SEED_KEY_LENGTH
      | *in pkcs11t.h:*
      | CKK_SEED
      | CKM_SEED_KEY_GEN
      | CKM_SEED_ECB
      | CKM_SEED_CBC
      | CKM_SEED_MAC
      | CKM_SEED_MAC_GENERAL
      | CKM_SEED_CBC_PAD
      | CKM_SEED_ECB_ENCRYPT_DATA
      | CKM_SEED_CBC_ENCRYPT_DATA
      | *in secmod.h:*
      | PUBLIC_MECH_SEED_FLAG
      | *in secmodt.h:*
      | SECMOD_SEED_FLAG
      | *in secoidt.h:*
      | SEC_OID_SEED_CBC
      | *in sslproto.h:*
      | TLS_RSA_WITH_SEED_CBC_SHA
      | *in sslt.h:*
      | ssl_calg_seed

  - New structure for SEED support:

    - | (see blapit.h)
      | SEEDContextStr
      | SEEDContext

- New functions in the nss shared library:

  - | CERT_RFC1485_EscapeAndQuote (see cert.h)
    | CERT_CompareCerts (see cert.h)
    | CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
    | PK11_GetSymKeyHandle (see pk11pqg.h)
    | UTIL_SetForkState (see secoid.h)
    | NSS_GetAlgorithmPolicy (see secoid.h)
    | NSS_SetAlgorithmPolicy (see secoid.h)

    - | For the 2 functions above see also (in secoidt.h):
      | NSS_USE_ALG_IN_CERT_SIGNATURE
      | NSS_USE_ALG_IN_CMS_SIGNATURE
      | NSS_USE_ALG_RESERVED

- Support for the Watcom C compiler is removed

  - The file watcomfx.h is removed.
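
The ``NSS_USE_SHEXP_IN_CERT_NAME`` row in the environment variable table above contrasts shell-style wildcard matching with RFC 2818 matching; the following added example (not NSS code) flags certificate name and host pairs that validate only under the shell-style rules. It assumes POSIX ``fnmatch()`` as a stand-in for the old shell-expression matcher and a simplified reading of RFC 2818; the function names and sample data are constructed for illustration.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>

/* Simplified RFC 2818 reading (an assumption, not NSS's own matcher):
 * '*' matches zero or more characters inside ONE DNS label, never a '.',
 * and every other character is compared literally, ignoring case. */
static int rfc2818_match(const char *pat, const char *host)
{
    for (; *pat; pat++, host++) {
        if (*pat == '*') {
            for (;; host++) {           /* try each split inside the label */
                if (rfc2818_match(pat + 1, host))
                    return 1;
                if (*host == '\0' || *host == '.')
                    return 0;
            }
        }
        if (tolower((unsigned char)*pat) != tolower((unsigned char)*host))
            return 0;
    }
    return *host == '\0';
}

/* Stand-in for the pre-3.12.3 shell-style matching: POSIX fnmatch(), where
 * '*' crosses dots and '[...]' is a character class. */
static int shell_match(const char *pat, const char *host)
{
    return fnmatch(pat, host, 0) == 0;
}

/* 1 if the pair validates only under shell-style rules, i.e. the host stops
 * matching after the upgrade unless NSS_USE_SHEXP_IN_CERT_NAME is set. */
static int depends_on_shexp(const char *pat, const char *host)
{
    return shell_match(pat, host) && !rfc2818_match(pat, host);
}

int main(void)
{
    /* Constructed sample data: certificate name pattern, requested host. */
    static const char *const samples[][2] = {
        {"*.example.com", "www.example.com"},
        {"f*.example.com", "foo.example.com"},
        {"*.example.com", "a.b.example.com"},
        {"www[0-9].example.com", "www1.example.com"},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %-18s depends_on_shexp=%d\n", samples[i][0],
               samples[i][1], depends_on_shexp(samples[i][0], samples[i][1]));
    return 0;
}
```

Pairs reported with ``depends_on_shexp=1`` are the ones to reissue or review before relying on the new default.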
--------------
.. _bugs_fixed:
`Bugs Fixed <#bugs_fixed>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
The following bugs have been fixed in NSS 3.12.3.
2818 vs. backwards compatibility (wildcards)
redefines the macro BSIZE on HP-UX
probabilistic primality test) may choose 0 or 1 as the random integer
the softoken only
stops after first update
mode failed.
revocation status of a cert
API to return an error if cert was rejected.
distinct types
of dependencies on NSPR and libUtil
conflicts in merged DB
bignum are not implemented on Windows 32-bit
encoding of DSA signatures in SSL 3.0 handshakes
issuer for nearly all certificate errors
reports ec private key as an orphan
Suites to TLS RFC4010
error reporting (was: PK11_CreateContextBySymKey returns NULL
symkeyutil
CERT_CompareCerts
Softoken is dlClose'd on some Unix platforms in NSS 3.12
freebl/softoken
set files protections to 0600
64-bit libraries on HP-UX
without dbm (handy for WinCE)
certificate request to sign.
devutil.c::create_object()
devutil.c::nssSlotArray_Clone()
#12 files
SSL_ConfigMPServerSIDCache with default parameters fails on {Net
should take a const char \* input trusts string.
NSS_USE_64 in lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
fails on windows ce
cache on local file system
email cert into newly upgraded DB
not being honored in CERT_VerifyCert
variable used in sec_pkcs5CreateAlgorithmID
Microsoft compilers
Windows because it calls undeclared isatty
signatures in certificates and CRLs based on weak hashes
sizes for (AES) symmetric keys
override rogue md5-collision CA cert
leak tests due to null pointer dereferencing in pkix_build.c:3218.
even if revoked certificate.
keys of ANY LENGTH to be created
AIX when using shareable DBs.
parses handshake messages that span record boundaries
pkix_validate.c.
and C_Finalize should succeed after a fork in a child process
trusted when requireFreshInfo flag is set.
certs with empty subjects and non-empty nicknames
modifying CRL.
when AVAs in an RDN are separated by '+'
CERT_GetCertChainFromCert
client/server tests.
coreconf/XXX.mk files for Windows
version) to coreconf.
Windows since 20090213.1 nightly build.
pkix_List_MergeLists function
check to be disabled
cert found invalid if issuer is trusted only for SSL
for email addresses in subject by CERT_AsciiToName
correct type of ckc_x509 in lib/ckfw
> 1K Byte
attribute is encoded in the wrong way: missing encapsulating octet string
watcomfx.h from nss
errors in NSS
CA cert validated as good.
to disable/enable hash algorithms in cert/CRL signatures
looking up a default OCSP Responder URL
OCSP tests.
to retrieve SymKey handle
with NSS_ENABLE_PKIX_VERIFY=1
attempting rc5_cbc or rc5_ecb
used to build intel-aes.s with Solaris gas for x86_64
recently have missing texts in license headers.
lib/freebl/mapfile.Solaris
output in source directory instead of OBJDIR
uses argument uninitialized by caller pbe_PK11AlgidToParam
--------------
`Documentation <#documentation>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
For a list of the primary NSS documentation pages on mozilla.org, see `NSS
Documentation <../index.html#Documentation>`__. New and revised documents available since the
release of NSS 3.11 include the following:
- `Build Instructions for NSS 3.11.4 and above <../nss-3.11.4/nss-3.11.4-build.html>`__
--------------
`Compatibility <#compatibility>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
NSS 3.12.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.3 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
--------------
`Feedback <#feedback>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Bugs discovered should be reported by filing a bug report with `mozilla.org Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS).