.. _mozilla_projects_nss_nss_3_46_release_notes:
NSS 3.46 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
The NSS team has released Network Security Services (NSS) 3.46 on **30 August 2019**, which is a
minor release.
The NSS team would like to recognize first-time contributors:
- Giulio Benetti
- Louis Dassy
- Mike Kaganski
- xhimanshuz
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer.
NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
.. _new_in_nss_3.46:
`New in NSS 3.46 <#new_in_nss_3.46>`__
--------------------------------------
.. container::
This release contains no significant new functionality, but concentrates on providing improved
performance, stability, and security. Of particular note are significant improvements to AES-GCM
performance on ARM.
.. _notable_changes_in_nss_3.46:
`Notable Changes in NSS 3.46 <#notable_changes_in_nss_3.46>`__
--------------------------------------------------------------
.. container::
.. _certificate_authority_changes:
`Certificate Authority Changes <#certificate_authority_changes>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- The following CA certificates were **Removed**:

  - Class 2 Primary root certificate

    - SHA-256 Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB

  - UTN-USERFirst-Client root certificate

    - SHA-256 Fingerprint: 43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE

  - Deutsche Telekom Root CA 2 root certificate

    - SHA-256 Fingerprint: B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3

  - Root CA 2 root certificate

    - SHA-256 Fingerprint: F09B122C7114F4A09BD4EA4F4A99D558B46E4C25CD81140D29C05613914C3841
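
An added example, not part of the NSS release notes or NSS code: one way to check whether a PEM trust bundle you ship or pin still contains any of the four roots removed above, by comparing SHA-256 fingerprints of the DER bytes. The function names and the sample bundle are assumptions made for illustration; the sample uses constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# SHA-256 fingerprints of the roots removed in NSS 3.46, copied from the list above.
REMOVED_IN_NSS_3_46 = {
    "0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB": "Class 2 Primary root certificate",
    "43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE": "UTN-USERFirst-Client root certificate",
    "B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3": "Deutsche Telekom Root CA 2 root certificate",
    "F09B122C7114F4A09BD4EA4F4A99D558B46E4C25CD81140D29C05613914C3841": "Root CA 2 root certificate",
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def bundle_fingerprints(pem_text):
    """Yield (index, fingerprint) per PEM block; fingerprint = SHA-256 of the DER bytes."""
    for index, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        yield index, hashlib.sha256(der).hexdigest().upper()


def find_removed(pem_text, removed=REMOVED_IN_NSS_3_46):
    """Return [(index, fingerprint, name)] for bundle entries listed in `removed`."""
    wanted = {normalize(fp): name for fp, name in removed.items()}
    return [(i, fp, wanted[fp]) for i, fp in bundle_fingerprints(pem_text)
            if fp in wanted]


def make_pem(der):
    """Wrap raw bytes in a PEM CERTIFICATE block (used for the sample only)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes, not real certificates.
SAMPLE_BUNDLE = make_pem(b"constructed-root-A" * 8) + make_pem(b"constructed-root-B" * 8)

if __name__ == "__main__":
    hits = find_removed(SAMPLE_BUNDLE)
    print(hits or "no removed roots in bundle")
```

To audit a real bundle, pass the file's text to ``find_removed``; any hit is a root that NSS 3.46 no longer ships.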
.. _upcoming_changes_to_default_tls_configuration:
`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
--------------------------------------------------------------------------------------------------
.. container::
The NSS team plans to make two changes to the default TLS configuration in NSS 3.47, which
will be released in October:
- `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
details.
- `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
by default, where possible. See `Bug
.. _bugs_fixed_in_nss_3.46:
`Bugs fixed in NSS 3.46 <#bugs_fixed_in_nss_3.46>`__
----------------------------------------------------
.. container::
free session in NSC_WrapKey
after errors in tstcln, selfserv and vfyserv cmds
to a 2019 version
extensions in ssl_ConstructExtensions
./build.sh --enable-libpkix fails
cryptographic primitives
mp_set_int should return errors on bad values
DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential
does not set error exit code for tests that "Failed with core"
vectors for AES-KW
undefined reference to \`PR_Assert' when building NSS 3.45 on armhf-linux
new random during renegotiation
non-existent "resp" directories
-Wmaybe-uninitialized warning in pqg.c
password max size to 500 characters
to repository in NSS coverity
fails in FIPS mode if password is an empty string
possible for delegated credentials
assembler for clang
-Wmaybe-uninitialized warning in p7env.c
-Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c
description after unencrypted Finished msg
when AT_HWCAP2 returns 0
-DDEBUG_$USER from make builds
cl.exe -? hangs on Windows x64 when building nss since changeset
9162c654d06915f0f15948fbf67d4103a229226f
with build.sh
without email address in nss taskgraph
on Mac taskcluster Tools, SSL tests
-Wmaybe-uninitialized warning in tstclnt.c
-Wmaybe-uninitialized warning in lgattr.c
-Wmaybe-uninitialized warning in httpserv.c
-Wmaybe-uninitialized warning in tls13esni.c
comparison of integers of different signs: 'int' and 'unsigned long'
commands during setup
times out while fetching gpg key
docker image to pull specific commit
performance using PMULL2
validation checks
certificate authentication
mobility across Windows and Linux
with different breaking line formats
to enforce the use of either IPv4 or IPv6
on taskcluster
This Bugzilla query returns all the bugs fixed in NSS 3.46:
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.46 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.46 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in NSS Public Functions will remain compatible with future versions of
the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report with
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).