Source code
Revision control
Copy as Markdown
Other Tools
.. _mozilla_projects_nss_nss_3_45_release_notes:
NSS 3.45 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
The NSS team has released Network Security Services (NSS) 3.45 on **5 July 2019**, which is a
minor release.
The NSS team would like to recognize first-time contributors:
- Bastien Abadie
- Christopher Patton
- Jeremie Courreges-Anglas
- Marcus Burghardt
- Michael Shigorin
- Tomas Mraz
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.
NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
.. _new_in_nss_3.45:
`New in NSS 3.45 <#new_in_nss_3.45>`__
--------------------------------------
.. _new_functionality:
`New Functionality <#new_functionality>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
.. rubric:: New Functions
:name: new_functions
- in *pk11pub.h*:
- **PK11_FindRawCertsWithSubject** - Finds all certificates on the given slot with the given
subject distinguished name and returns them as DER bytes. If no such certificates can be
found, returns SECSuccess and sets ``*results`` to NULL. If a failure is encountered while
fetching any of the matching certificates, SECFailure is returned and ``*results`` will be
NULL.
.. _notable_changes_in_nss_3.45:
`Notable Changes in NSS 3.45 <#notable_changes_in_nss_3.45>`__
--------------------------------------------------------------
.. container::
Credentials
- This adds a new experimental function: **SSL_DelegateCredential**
- **Note**: In 3.45, ``selfserv`` does not yet support delegated credentials. See `Bug
- **Note**: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46
will set ``SSLChannelInfo.authKeyBits`` to that of the delegated credential for better
policy enforcement. See `Bug
Curve25519 implementation with one from
linking on Windows
**PK11_FindRawCertsWithSubject** for finding certificates with a given subject on a given slot
to softoken
Elbrus lcc compiler (<=1.23)
clock for SSL
- This adds new experimental functions: **SSL_SetTimeFunc**, **SSL_CreateAntiReplayContext**,
**SSL_SetAntiReplayContext**, and **SSL_ReleaseAntiReplayContext**.
- The experimental function **SSL_InitAntiReplay** is removed.
response to the ongoing FIPS review
- Note: The source package size has increased substantially due to the new FIPS test vectors.
This will likely prompt follow-on work, but please accept our apologies in the meantime.
.. _certificate_authority_changes:
`Certificate Authority Changes <#certificate_authority_changes>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- The following CA certificates were **Removed**:
Root CA
- SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
.. _bugs_fixed_in_nss_3.45:
`Bugs fixed in NSS 3.45 <#bugs_fixed_in_nss_3.45>`__
----------------------------------------------------
.. container::
strip leading 0's from key material during PKCS11 import
-
.. container::
RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
between mp_set_long and mp_set_ulong
ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might
have copied the unit test code verbatim
built on Android
should no longer modify output length on failure
modules if C_GetSlotInfo() returns error
< 4.3 on big-endian architectures
-
.. container::
OpenBSD builds to fix link time errors using NSS
only after handshake is marked as finished
Solaris SPARC so that libfreebl_64fpu_3.so builds
unneeded loop in mpi.c
CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
HelloRetryRequestCallback return code for rejecting 0-RTT
uses of PK11_SetWrapKey
for anti-replay of TLS 1.3 early data
removing -arch XXX args from CC didn't work
new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
This Bugzilla query returns all the bugs fixed in NSS 3.45:
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.45 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.45 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in NSS Public Functions will remain compatible with future versions of
the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report with