info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[ANNOUNCE] NSS 3.21 Release
57 views
Skip to first unread message
Kai Engert
Nov 13, 2015, 12:51:50 PM11/13/15
to mozilla-dev-tech-crypto
The NSS team has released Network Security Services (NSS) 3.21,
which is a minor release.
New functionality:
* certutil now supports a --rename option to change a nickname (bug 1142209)
* TLS extended master secret extension (RFC 7627) is supported (bug 1117022)
* New info functions added for use during mid-handshake callbacks (bug 1084669)
New Functions:
* NSS_OptionSet - sets NSS global options
* NSS_OptionGet - gets the current value of NSS global options
* SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
string, module parameters string, NSS specific parameters string, and NSS
configuration parameter string. The module represented by the module
structure is not loaded. The difference with SECMOD_CreateModule is the new
function handles NSS configuration parameter strings.
* SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
to the handshake being completed, for use with the callbacks that are invoked
during the handshake
* SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
for TLS
* SSL_SignaturePrefGet - retrieves the currently configured signature and hash
algorithms
* SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
can be configured with SSL_SignaturePrefSet
* NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
library string, module name string, module parameters string, NSS specific
parameters string, and NSS configuration parameter strings. The returned
strings must be freed by the caller. The difference with
NSS_ArgParseModuleSpec is the new function handles NSS configuration
parameter strings.
* NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
module parameters string, NSS specific parameters string, and NSS
configuration parameter string and returns a module string which the caller
must free when it is done. The difference with NSS_MkModuleSpec is the new
function handles NSS configuration parameter strings.
New Types:
* CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_MASTER_KEY_DERIVE
* CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_KEY_AND_MAC_DERIVE
* CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
* CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
* SSLHashType - identifies a hash function
* SSLSignatureAndHashAlg - identifies a signature and hash function
* SSLPreliminaryChannelInfo - provides information about the session state
prior to handshake completion
New Macros:
* NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum RSA key size
* NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DH key size
* NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DSA key size
* CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
* CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
* CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
ECDH) cipher suites
* CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
* CKM_TLS_MAC - computes TLS Finished MAC
* NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
exchange
* SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
DTLS record in a UDP packet
* SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
signature and hash algorithm is available
* SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
unsupported signature and hash algorithm is configured
* SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
master secret is missing after having been negotiated
* SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
extended master secret when previously not negotiated
* SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
master secret extension (RFC 7627)
* ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
TLS version has been selected
* ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
that a TLS cipher suite has been selected
* ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
preliminary information has been set
Notable Changes:
* NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)
* NSS now builds with warnings as errors (bug 1182667)
* The following CA certificates were Removed
- CN = VeriSign Class 4 Public Primary Certification Authority - G3
- CN = UTN-USERFirst-Network Applications
- CN = TC TrustCenter Universal CA III
- CN = A-Trust-nQual-03
- CN = USERTrust Legacy Secure Server CA
- Friendly Name: Digital Signature Trust Co. Global CA 1
- Friendly Name: Digital Signature Trust Co. Global CA 3
- CN = UTN - DATACorp SGC
- O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
* The following CA certificate had the Websites trust bit turned off
- OU = Equifax Secure Certificate Authority
* The following CA certificates were Added
- CN = Certification Authority of WoSign G2
- CN = CA WoSign ECC Root
- CN = OISTE WISeKey Global Root GB CA
The full release notes, including the SHA1 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer.
NSS 3.21 source distributions are also available on ftp.mozilla.org
for secure HTTPS download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/
A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.21&product=NSS
which is a minor release.
New functionality:
* certutil now supports a --rename option to change a nickname (bug 1142209)
* TLS extended master secret extension (RFC 7627) is supported (bug 1117022)
* New info functions added for use during mid-handshake callbacks (bug 1084669)
New Functions:
* NSS_OptionSet - sets NSS global options
* NSS_OptionGet - gets the current value of NSS global options
* SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
string, module parameters string, NSS specific parameters string, and NSS
configuration parameter string. The module represented by the module
structure is not loaded. The difference with SECMOD_CreateModule is the new
function handles NSS configuration parameter strings.
* SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
to the handshake being completed, for use with the callbacks that are invoked
during the handshake
* SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
for TLS
* SSL_SignaturePrefGet - retrieves the currently configured signature and hash
algorithms
* SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
can be configured with SSL_SignaturePrefSet
* NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
library string, module name string, module parameters string, NSS specific
parameters string, and NSS configuration parameter strings. The returned
strings must be freed by the caller. The difference with
NSS_ArgParseModuleSpec is the new function handles NSS configuration
parameter strings.
* NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
module parameters string, NSS specific parameters string, and NSS
configuration parameter string and returns a module string which the caller
must free when it is done. The difference with NSS_MkModuleSpec is the new
function handles NSS configuration parameter strings.
New Types:
* CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_MASTER_KEY_DERIVE
* CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_KEY_AND_MAC_DERIVE
* CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
* CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
* SSLHashType - identifies a hash function
* SSLSignatureAndHashAlg - identifies a signature and hash function
* SSLPreliminaryChannelInfo - provides information about the session state
prior to handshake completion
New Macros:
* NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum RSA key size
* NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DH key size
* NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DSA key size
* CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
* CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
* CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
ECDH) cipher suites
* CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
* CKM_TLS_MAC - computes TLS Finished MAC
* NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
exchange
* SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
DTLS record in a UDP packet
* SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
signature and hash algorithm is available
* SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
unsupported signature and hash algorithm is configured
* SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
master secret is missing after having been negotiated
* SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
extended master secret when previously not negotiated
* SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
master secret extension (RFC 7627)
* ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
TLS version has been selected
* ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
that a TLS cipher suite has been selected
* ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
preliminary information has been set
Notable Changes:
* NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)
* NSS now builds with warnings as errors (bug 1182667)
* The following CA certificates were Removed
- CN = VeriSign Class 4 Public Primary Certification Authority - G3
- CN = UTN-USERFirst-Network Applications
- CN = TC TrustCenter Universal CA III
- CN = A-Trust-nQual-03
- CN = USERTrust Legacy Secure Server CA
- Friendly Name: Digital Signature Trust Co. Global CA 1
- Friendly Name: Digital Signature Trust Co. Global CA 3
- CN = UTN - DATACorp SGC
- O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
* The following CA certificate had the Websites trust bit turned off
- OU = Equifax Secure Certificate Authority
* The following CA certificates were Added
- CN = Certification Authority of WoSign G2
- CN = CA WoSign ECC Root
- CN = OISTE WISeKey Global Root GB CA
The full release notes, including the SHA1 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer.
NSS 3.21 source distributions are also available on ftp.mozilla.org
for secure HTTPS download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/
A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.21&product=NSS
Wolfgang Rosenauer
Dec 20, 2015, 5:27:51 AM12/20/15
to mozilla-dev...@lists.mozilla.org
Hi,
hmm, is this some issue just locally for me when compiling this version?
[ 98s] gcc -o Linux3.16_x86_64_cc_glibc_PTH_64_OPT.OBJ/install.o -c
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2
-fstack-protector -funwind-tables -fasynchronous-unwind-tables -g
-fno-strict-aliasing -fPIC -DLINUX2_1 -m64 -Wall -Werror -pipe
-ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
-DXP_UNIX -DNSPR20 -DYY_NO_UNPUT -DYY_NO_INPUT -UDEBUG -DNDEBUG
-D_REENTRANT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT
-DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr4
-I../../../dist/Linux3.16_x86_64_cc_glibc_PTH_64_OPT.OBJ/include
-I../../../dist/public/sectools -I../../../dist/private/sectools
-I../../../dist/public/seccmd -I../../../dist/public/nss
-I../../../dist/public/dbm -I../../../dist/private/seccmd
-I../../../dist/private/nss -I../../../dist/private/dbm install.c
[ 98s] install.c: In function 'Pk11Install_DoInstall':
[ 98s] install.c:341:2: error: call to function
'Pk11Install_Info_init' without a real prototype
[-Werror=unprototyped-calls]
[ 98s] Pk11Install_Info_init(&installInfo);
[ 98s] ^
[ 98s] In file included from install.c:6:0:
[ 98s] install-ds.h:246:1: note: 'Pk11Install_Info_init' was declared here
[ 98s] Pk11Install_Info_init();
[ 98s] ^
[ 98s] cc1: all warnings being treated as errors
hmm, is this some issue just locally for me when compiling this version?
[ 98s] gcc -o Linux3.16_x86_64_cc_glibc_PTH_64_OPT.OBJ/install.o -c
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2
-fstack-protector -funwind-tables -fasynchronous-unwind-tables -g
-fno-strict-aliasing -fPIC -DLINUX2_1 -m64 -Wall -Werror -pipe
-ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
-DXP_UNIX -DNSPR20 -DYY_NO_UNPUT -DYY_NO_INPUT -UDEBUG -DNDEBUG
-D_REENTRANT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT
-DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr4
-I../../../dist/Linux3.16_x86_64_cc_glibc_PTH_64_OPT.OBJ/include
-I../../../dist/public/sectools -I../../../dist/private/sectools
-I../../../dist/public/seccmd -I../../../dist/public/nss
-I../../../dist/public/dbm -I../../../dist/private/seccmd
-I../../../dist/private/nss -I../../../dist/private/dbm install.c
[ 98s] install.c: In function 'Pk11Install_DoInstall':
[ 98s] install.c:341:2: error: call to function
'Pk11Install_Info_init' without a real prototype
[-Werror=unprototyped-calls]
[ 98s] Pk11Install_Info_init(&installInfo);
[ 98s] ^
[ 98s] In file included from install.c:6:0:
[ 98s] install-ds.h:246:1: note: 'Pk11Install_Info_init' was declared here
[ 98s] Pk11Install_Info_init();
[ 98s] ^
[ 98s] cc1: all warnings being treated as errors
0 new messages