.. _mozilla_projects_nss_nss_3_12_4_release_notes:

NSS 3.12.4 release notes
========================

.. container::

   .. code::

      2009-08-20

*Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__

.. rubric:: Introduction
   :name: Introduction

Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS
3.12.4 are described in the "`Bugs Fixed <#bugsfixed>`__" section below.

NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.

.. rubric:: Distribution Information
   :name: Distribution_Information

This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot,
with the CVS tag ``NSS_3_12_4_RTM``.

NSS 3.12.4 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__. This is
not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR
4.7.1 or later.

You can check out the source from CVS with:

.. code::

   cvs co -r NSPR_4_8_RTM NSPR
   cvs co -r NSS_3_12_4_RTM NSS

See the `Documentation <#docs>`__ section for the build instructions.

NSS 3.12.4 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:

- Source tarball:

.. rubric:: Major changes in NSS 3.12.4
   :name: Major_changes_in_NSS_3.12.4

- NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation.
  Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 pre-validation
- Added CRL Distribution Point support (see cert.h).
  **CERT_DecodeCRLIssuingDistributionPoint**
  **CERT_FindCRLIssuingDistPointExten**
- The old documentation of the expression matching syntax rules was
  incorrect, and the new corrected documentation is as follows for
  public nssutil functions (see portreq.h):

  - **PORT_RegExpValid**
  - **PORT_RegExpSearch**
  - **PORT_RegExpCaseSearch**
  - These functions will match a string with a shell expression. The expressions
    accepted are based loosely on the expressions accepted by zsh.

  Expected return values:

  - NON_SXP if exp is a standard string
  - INVALID_SXP if exp is a shell expression, but invalid
  - VALID_SXP if exp is a valid shell expression

  Expression matching rules:

  - \* matches anything
  - ? matches one character
  - \\ will escape a special character
  - $ matches the end of the string
  - Bracketed expressions:
    [abc] matches one occurrence of a, b, or c.
    [^abc] matches any character except a, b, or c.
    To be matched between [ and ], these characters must be escaped: \\ ]
    No other characters need be escaped between brackets.
    Unnecessary escaping is permitted.
  - [a-z] matches any character between a and z, inclusive.
    The two range-definition characters must be alphanumeric ASCII.
    If one is upper case and the other is lower case, then the ASCII
    non-alphanumeric characters between Z and a will also be in range.
  - [^a-z] matches any character except those between a and z, inclusive.
    These forms cannot be combined, e.g. [a-gp-z] does not work.
  - Exclusions:
    As a top-level, outermost expression only, the expression
    foo~bar will match the expression foo, provided it does not also
    match the expression bar. Either expression or both may be a union.
    Except between brackets, any unescaped ~ is an exclusion.
    At most one exclusion is permitted.
    Exclusions cannot be nested (contain other exclusions).
    Example: \*~abc will match any string except abc
  - Unions:
    (foo|bar) will match either the expression foo, or the expression bar.
    At least one '|' separator is required. More are permitted.
    Expressions inside unions may not include unions or exclusions.
    Inside a union, to be matched and not treated as a special character,
    these characters must be escaped: \\ ( \| ) [ ~ except when they occur
    inside a bracketed expression, where only \\ and ] require escaping.

- New functions in the nss shared library:

  - PK11_IsInternalKeySlot (see pk11pub.h)
  - SECMOD_OpenNewSlot (see pk11pub.h)

- New error codes (see secerr.h):

  - SEC_ERROR_BAD_INFO_ACCESS_METHOD
  - SEC_ERROR_CRL_IMPORT_FAILED

- New OIDs (see secoidt.h)

  - SEC_OID_X509_ANY_POLICY

- The nssckbi PKCS #11 module's version changed to 1.75.
- Obsolete code for Win16 has been removed.
- Support for OpenVMS has been removed.
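
The wildcard, escape and bracket rules documented above for ``PORT_RegExpSearch``, worked through in C as an added example: this is not NSS source code or the library's matcher, and the names ``sxp_match`` and ``match_bracket`` are hypothetical. It assumes that a bracket body which is not exactly the range form is a set of literal characters, and it leaves out ``$``, exclusions and unions.

```c
#include <ctype.h>
#include <stdio.h>
/* Match c against the bracket expression at *pe (pointing at '[') and advance
 * *pe past the closing ']'. Returns 1 match, 0 no match, -1 malformed. */
static int match_bracket(const char **pe, unsigned char c) {
    const unsigned char *e = (const unsigned char *)*pe + 1;
    int neg = 0, hit = 0;
    if (*e == '^') { neg = 1; e++; }
    if (isalnum(e[0]) && e[1] == '-' && isalnum(e[2]) && e[3] == ']') {
        /* Range form: plain ASCII order, so [A-z] also covers [ \ ] ^ _ ` */
        hit = (c >= e[0] && c <= e[2]);
        e += 3;
    } else {
        /* Assumption: any other bracket body is a set of literal members */
        for (; *e && *e != ']'; e++) {
            if (*e == '\\' && !*++e) return -1;   /* dangling escape */
            if (*e == c) hit = 1;
        }
        if (!*e) return -1;                       /* missing ']' */
    }
    *pe = (const char *)e + 1;
    return hit != neg;
}

/* Returns 1 if str matches exp, 0 if not, -1 if a malformed part of exp is reached. */
int sxp_match(const char *exp, const char *str) {
    for (; *exp; exp++, str++) {
        int r;
        switch (*exp) {
        case '*':                                 /* try every suffix of str */
            for (;; str++)
                if ((r = sxp_match(exp + 1, str)) != 0 || !*str) return r;
        case '?':
            if (!*str) return 0;
            break;
        case '[':
            r = *str ? match_bracket(&exp, (unsigned char)*str) : 0;
            if (r != 1) return r;
            exp--;                                /* loop increment re-advances */
            break;
        default:
            if (*exp == '\\' && !*++exp) return -1; /* dangling escape */
            if (*exp != *str) return 0;
        }
    }
    return *str == '\0';
}

int main(void) { printf("%d\n", sxp_match("[A-z]", "_")); return 0; }
```

Under these rules ``[A-z]`` accepts ``_`` and ``^``, and ``[A-Za-z]`` is read as a set of literal characters rather than two ranges, so it does not match ``q``.
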

.. rubric:: Bugs Fixed
   :name: Bugs_Fixed

The following bugs have been fixed in NSS 3.12.4.

crlDistributionPoint extension in libPKIX
encoding/decoding of PKIX_PL_OID to and from ascii string
nss/lib/ckfw/capi/ with MingW GCC
NSS error code
architecture support
for x86_64 platform
deleted from NSS
does not validate its inputs
(SQLite3) DB, set or change master password fails
for an int\* argument in pkix_validate.c
for softoken
pkix_HttpCertStore_FindSocketConnection reuses closed socket
reported by tinderbox
fetching makes libpkix abort validation.
Report [[@ nssutil3.dll@0x34c0 ]
independently of the rest of nss
certutil.exe for fennec/wince
signtool on Windows
causes sec_error_unknown_issuer errors
in lib/freebl
revoked cert
support CAVS 7.1 DRBG testing
corruption when importing a large certificate (>64K)
pk12util.c
freebl x86_64 builds on Linux
of major components independently and in a chain manner by downstream distributions
SSL_SetSockPeerID a second time leaks the previous value
NSS coding style
on windows
compile on WinCE
file IO Functions on WinCE
Functions on WinCE
!Invalid AVA! whenever value exceeds 384 bytes
argument to DER_DecodeTimeChoice and crashes
options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD
library upon error
SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
interface need to do post tests only in fips mode.
certifiable.
when printing cert with empty subject name
lib/freebl/win_rand.c warnings
and dbopen (again)
issues with NSS's new revocation flags
MSVC++
requires module to implement GenerateKey when they support KeyPairGeneration
(a.k.a., OpenVMS) from NSS
reports wrong error code when EE cert is expired
valid functions prototypes
cert from a P12 file leaves error code set to zero
entry on shutdown
can't open the input file
--disable-dbm option when not cross-compiling
bignum are not implemented on OS/2
invoked in sdb_FindObjectsInit when error occurs
powerupself tests to be compliant for 2011
value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
softoken tries but fails to load libsqlite3.so crash [@ @0x0 ]
signed int
NSS_InitReadWrite(sql:<dbdir>) causes NSS to look for sql:<dbdir>/libnssckbi.so
'nickname' parameter of SEC_CertNicknameConflict
NSS_InitReadWrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in
<configdir>.
nss/cmd/certutil/keystuff.c on WinCE
support for testing tool fipstest
freebl changes.
ever generated by the RNG should be discarded
contains cyrillic chars. [[@isspace - secmod_argIsBlank - secmod_argHasBlanks -
secmod_formatPair - secmod_mkNewModuleSpec]
optimized builds for Mozilla on MacOSX
optimized NSS builds for Mozilla on Linux
needs to be tested on POST
from Solaris packages
pk11mode
sdrtest
mismatch in sdrtest
pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails
will fail on alloc success because of a missing !
will always fail if dp->distPointType != generalName
overflow in NSS shell expression (filename globbing) parsing
identify the one and only default internal private key slot.
a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
return without unlocking nssShutdownList.lock
for VC6
need to contain the NSS version number
- lg_mkSecretKeyRep] when PORT_NewArena fails
doesn't build on AIX 5.1
problems
Linux2.4
should use date argument to obtain the time for cert validity verification
in the nickname string for AC Raíz Certicamara S.A.

.. rubric:: Documentation
   :name: Documentation

For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and
revised documents available since the release of NSS 3.12 include the following:

- :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`

.. rubric:: Compatibility
   :name: Compatibility

NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions </ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.

.. rubric:: Feedback
   :name: Feedback

Bugs discovered should be reported by filing a bug report with `mozilla.org
Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS).