Source code
Revision control
Copy as Markdown
Other Tools
.. _mozilla_projects_nss_nss_3_12_6_release_notes:
NSS 3.12.6 release notes
========================
.. _nss_3.12.6_release_notes:
`NSS 3.12.6 release notes <#nss_3.12.6_release_notes>`__
--------------------------------------------------------
.. container::
.. container::
2010-03-03
.. container::
:name: section_1
.. rubric:: Introduction
:name: Introduction
Network Security Services (NSS) 3.12.6 is a patch release for NSS 3.12. The bug fixes in
NSS 3.12.6 are described in the "`Bugs
NSS 3.12.6 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
.. container::
:name: section_2
.. rubric:: Distribution Information
:name: Distribution_Information
| The CVS tag for the NSS 3.12.6 release is ``NSS_3_12_6_RTM``. NSS 3.12.6 requires `NSPR
section for the build instructions.
NSS 3.12.6 source and binary distributions are also available on ``ftp.mozilla.org`` for
secure HTTPS download:
- Source tarballs:
| You also need to download the NSPR 4.8.4 binary distributions to get the NSPR 4.8.4
header files and shared libraries, which NSS 3.12.6 requires. NSPR 4.8.4 binary
|
.. container::
:name: section_3
.. rubric:: New in NSS 3.12.6
:name: New_in_NSS_3.12.6
.. container::
:name: section_4
.. rubric:: SSL3 & TLS Renegotiation Indication Extension (RFC 5746)
:name: SSL3_TLS_Renegotiation_Indication_Extension_(RFC_5746)
- By default, NSS 3.12.6 uses the new TLS Renegotiation Indication Extension for TLS
renegotiation but allows simple SSL/TLS connections (without renegotiation) with
peers that don't support the TLS Renegotiation Indication Extension.
The behavior of NSS for renegotiation can be changed through API function calls, or
with the following environment variables:
- NSS_SSL_ENABLE_RENEGOTIATION
- values:
- [0|n|N]: SSL_RENEGOTIATE_NEVER
- Never allow renegotiation - That was the default for 3.12.5 release.
- [1|u|U]: SSL_RENEGOTIATE_UNRESTRICTED
- Server and client are allowed to renegotiate without any restrictions.
This setting was the default prior 3.12.5 and makes products vulnerable.
- [2|r|R]: SSL_RENEGOTIATE_REQUIRES_XTN (default)
- Only allows renegotiation if the peer's hello bears the TLS
renegotiation_info extension. This is the safe renegotiation.
- [3|t|T]: SSL_RENEGOTIATE_TRANSITIONAL
- Disallows unsafe renegotiation in server sockets only, but allows clients
to continue to renegotiate with vulnerable servers. This value should
only be used during the transition period when few servers have been
upgraded.
- NSS_SSL_REQUIRE_SAFE_NEGOTIATION
- values:
- 1: requireSafeNegotiation = TRUE
- unset: requireSafeNegotiation = FALSE
Controls whether safe renegotiation indication is required for initial
handshake. If TRUE, a connection will be dropped at initial handshake if the
peer server or client does not support safe renegotiation. The default setting
for this option is FALSE.
These options can also be set with the following SSL options:
- sslOptions.enableRenegotiation
- sslOptions.requireSafeNegotiation
- New pseudo cipher suite value: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (cannot be
negotiated)
.. container::
:name: section_5
.. rubric:: TLS Server Name Indication for servers
:name: TLS_Server_Name_Indication_for_servers
- | TLS Server Name Indication (SNI) for servers is almost fully implemented in NSS
3.12.6.
details.
Note: The TLS Server Name Indication for clients is already fully implemented in NSS.
- New functions for SNI *(see ssl.h for more information)*:
- SSLSNISocketConfig
- Return values:
- SSL_SNI_CURRENT_CONFIG_IS_USED: libSSL must use the default cert and key.
- SSL_SNI_SEND_ALERT: libSSL must send the "unrecognized_name" alert.
- SSL_SNISocketConfigHook
- SSL_ReconfigFD
- SSL_ConfigServerSessionIDCacheWithOpt
- SSL_SetTrustAnchors
- SSL_GetNegotiatedHostInfo
- New enum for SNI:
- SSLSniNameType *(see sslt.h)*
.. container::
:name: section_6
.. rubric:: New functions
:name: New_functions
- *in cert.h*
- CERTDistNames: Duplicate distinguished name array.
- CERT_DistNamesFromCertList: Generate an array of Distinguished names from a list
of certs.
*in ocsp.h*
- CERT_CacheOCSPResponseFromSideChannel:
- This function is intended for use when OCSP responses are provided via a
side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension).
*in ssl.h*
- SSL_GetImplementedCiphers
- SSL_GetNumImplementedCiphers
- SSL_HandshakeNegotiatedExtension
.. container::
:name: section_7
.. rubric:: New error codes
:name: New_error_codes
- *in sslerr.h*
- SSL_ERROR_UNSAFE_NEGOTIATION
- SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD
.. container::
:name: section_8
.. rubric:: New types
:name: New_types
- *in sslt.h*
- SSLExtensionType
.. container::
:name: section_9
.. rubric:: New environment variables
:name: New_environment_variables
- SQLITE_FORCE_PROXY_LOCKING
- 1 means force always use proxy, 0 means never use proxy, NULL means use proxy for
non-local files only.
- SSLKEYLOGFILE
- Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows
packet sniffers to decrypt TLS connections.
Note: The code must be built with TRACE defined to use this functionality.
.. container::
:name: section_10
.. rubric:: Bugs Fixed
:name: Bugs_Fixed
The following bugs have been fixed in NSS 3.12.6.
compression RFC 3749
of sqlite3 to 3.6.22 to get numerous bug fixes
functions for SSL_ImplementedCiphers
CERT_PKIXVerifyCert considers a certificate revoked if cert_ProcessOCSPResponse fails
for any reason
warnings in NSS 3.12.4
for SGN_Update should be declared const
specification of an alternate library for SQLite
find_objects_by_template - nssToken_FindCertificateByIssuerAndSerialNumber]
(initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some
CRLs.
to NSS (single patch)
null-argument exception on empty strings
argument to SSL_SetSockPeerID should be declared const
spaces in path names
makefiles in lib/ckfw/builtins
need to include headers from lib/ckfw
makefile code in if and else to the outside
and DER_GeneralizedTimeToTime ignore all bytes after an embedded null
logging pre-master secrets
SSL3 & TLS renegotiation
does not work with NSS_RegisterShutdown
for Android
SSL_HandshakeNegotiatedExtension
NSPR version check in lib/util/secport.c
need to include ssl.h and sslproto.h.
for recording OCSP stapled replies
Mac OS X
when enumerating the nss database
nss-sys-init patches from Fedora
function SEC_Init
built inside source tree
.. container::
:name: section_11
.. rubric:: Documentation
:name: Documentation
For a list of the primary NSS documentation pages on mozilla.org, see `NSS
and revised documents available since the release of NSS 3.11 include the following:
- `Build
Instructions <http://mdn.beonex.com/en/NSS_reference/Building_and_installing_NSS/Build_instructions.html>`__
.. container::
:name: section_12
.. rubric:: Compatibility
:name: Compatibility
NSS 3.12.6 shared libraries are backward compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.6
shared libraries without recompiling or relinking. Furthermore, applications that restrict
their use of NSS APIs to the functions listed in `NSS Public
remain compatible with future versions of the NSS shared libraries.
.. container::
:name: section_13
.. rubric:: Feedback
:name: Feedback
Bugs discovered should be reported by filing a bug report with `mozilla.org