Source code

Revision control

Copy as Markdown

Other Tools

.. _mozilla_projects_nss_nss_3_12_release_notes_html:
NSS_3.12_release_notes.html
===========================
.. _nss_3.12_release_notes:
`NSS 3.12 Release Notes <#nss_3.12_release_notes>`__
----------------------------------------------------
.. container::
.. _17_june_2008:
`17 June 2008 <#17_june_2008>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
`Contents <#contents>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- `Introduction <#introduction>`__
- `Distribution Information <#distribution_information>`__
- `New in NSS 3.12 <#new_in_nss_3.12>`__
- `Bugs Fixed <#bugs_fixed>`__
- `Documentation <#documentation>`__
- `Compatibility <#compatibility>`__
- `Feedback <#feedback>`__
--------------
`Introduction <#introduction>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Network Security Services (NSS) 3.12 is a minor release with the following new features:
- SQLite-Based Shareable Certificate and Key Databases
- libpkix: an RFC 3280 Compliant Certificate Path Validation Library
- Camellia cipher support
- TLS session ticket extension (RFC 5077)
NSS 3.12 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
Note: Firefox 3 uses NSS 3.12, but not the new SQLite-based shareable certificate and key
databases. We missed the deadline to enable that feature in Firefox 3.
--------------
`Distribution Information <#distribution_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
The CVS tag for the NSS 3.12 release is NSS_3_12_RTM. NSS 3.12 requires `NSPR
See the `Documentation <#docs>`__ section for the build instructions.
NSS 3.12 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
download:
- Source tarballs:
- Binary distributions:
optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
(optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12
directory containing three subdirectories:
- include - NSS header files
- lib - NSS shared libraries
programs
You also need to download the NSPR 4.7.1 binary distributions to get the NSPR 4.7.1 header files
and shared libraries, which NSS 3.12 requires. NSPR 4.7.1 binary distributions are in
NSS 3.12 libraries have the following versions:
- sqlite3: 3.3.17
- nssckbi: 1.70
- softokn3 and freebl3: 3.12.0.3
- other NSS libraries: 3.12.0.3
--------------
.. _new_in_nss_3.12:
`New in NSS 3.12 <#new_in_nss_3.12>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- 3 new shared library are shipped with NSS 3.12:
- nssutil
- sqlite
- nssdbm
- 1 new include file is shipped with NSS3.12:
- utilrename.h
- New functions in the nss shared library:
- CERT_CheckNameSpace (see cert.h)
- CERT_EncodeCertPoliciesExtension (see cert.h)
- CERT_EncodeInfoAccessExtension (see cert.h)
- CERT_EncodeInhibitAnyExtension (see cert.h)
- CERT_EncodeNoticeReference (see cert.h)
- CERT_EncodePolicyConstraintsExtension (see cert.h)
- CERT_EncodePolicyMappingExtension (see cert.h)
- CERT_EncodeSubjectKeyID (see certdb/cert.h)
- CERT_EncodeUserNotice (see cert.h)
- CERT_FindCRLEntryReasonExten (see cert.h)
- CERT_FindCRLNumberExten (see cert.h)
- CERT_FindNameConstraintsExten (see cert.h)
- CERT_GetClassicOCSPDisabledPolicy (see cert.h)
- CERT_GetClassicOCSPEnabledHardFailurePolicy (see cert.h)
- CERT_GetClassicOCSPEnabledSoftFailurePolicy (see cert.h)
- CERT_GetPKIXVerifyNistRevocationPolicy (see cert.h)
- CERT_GetUsePKIXForValidation (see cert.h)
- CERT_GetValidDNSPatternsFromCert (see cert.h)
- CERT_NewTempCertificate (see cert.h)
- CERT_SetOCSPTimeout (see certhigh/ocsp.h)
- CERT_SetUsePKIXForValidation (see cert.h)
- CERT_PKIXVerifyCert (see cert.h)
- HASH_GetType (see sechash.h)
- NSS_InitWithMerge (see nss.h)
- PK11_CreateMergeLog (see pk11pub.h)
- PK11_CreateGenericObject (see pk11pub.h)
- PK11_CreatePBEV2AlgorithmID (see pk11pub.h)
- PK11_DestroyMergeLog (see pk11pub.h)
- PK11_GenerateKeyPairWithOpFlags (see pk11pub.h)
- PK11_GetPBECryptoMechanism (see pk11pub.h)
- PK11_IsRemovable (see pk11pub.h)
- PK11_MergeTokens (see pk11pub.h)
- PK11_WriteRawAttribute (see pk11pub.h)
- SECKEY_ECParamsToBasePointOrderLen (see keyhi.h)
- SECKEY_ECParamsToKeySize (see keyhi.h)
- SECMOD_DeleteModuleEx (see secmod.h)
- SEC_GetRegisteredHttpClient (see ocsp.h)
- SEC_PKCS5IsAlgorithmPBEAlgTag (see secpkcs5.h)
- VFY_CreateContextDirect (see cryptohi.h)
- VFY_CreateContextWithAlgorithmID (see cryptohi.h)
- VFY_VerifyDataDirect (see cryptohi.h)
- VFY_VerifyDataWithAlgorithmID (see cryptohi.h)
- VFY_VerifyDigestDirect (see cryptohi.h)
- VFY_VerifyDigestWithAlgorithmID (see cryptohi.h)
- New macros for Camellia support (see blapit.h):
- NSS_CAMELLIA
- NSS_CAMELLIA_CBC
- CAMELLIA_BLOCK_SIZE
- New macros for RSA (see blapit.h):
- RSA_MAX_MODULUS_BITS
- RSA_MAX_EXPONENT_BITS
- New macros in certt.h:
- X.509 v3
- KU_ENCIPHER_ONLY
- CERT_MAX_SERIAL_NUMBER_BYTES
- CERT_MAX_DN_BYTES
- PKIX
- CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD
- CERT_REV_M_TEST_USING_THIS_METHOD
- CERT_REV_M_ALLOW_NETWORK_FETCHING
- CERT_REV_M_FORBID_NETWORK_FETCHING
- CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
- CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
- CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
- CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
- CERT_REV_M_IGNORE_MISSING_FRESH_INFO
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
- CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
- CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
- CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT
- CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
- CERT_POLICY_FLAG_NO_MAPPING
- CERT_POLICY_FLAG_EXPLICIT
- CERT_POLICY_FLAG_NO_ANY
- CERT_ENABLE_LDAP_FETCH
- CERT_ENABLE_HTTP_FETCH
- New macro in utilrename.h:
- SMIME_AES_CBC_128
- The nssckbi PKCS #11 module's version changed to 1.70.
- In pkcs11n.h, all the \_NETSCAPE\_ macros are renamed with \_NSS\_
- For example, CKO_NETSCAPE_CRL becomes CKO_NSS_CRL.
- New for PKCS #11 (see pkcs11t.h for details):
- CKK: Keys
- CKK_CAMELLIA
- CKM: Mechanisms
- CKM_SHA224_RSA_PKCS
- CKM_SHA224_RSA_PKCS_PSS
- CKM_SHA224
- CKM_SHA224_HMAC
- CKM_SHA224_HMAC_GENERAL
- CKM_SHA224_KEY_DERIVATION
- CKM_CAMELLIA_KEY_GEN
- CKM_CAMELLIA_ECB
- CKM_CAMELLIA_CBC
- CKM_CAMELLIA_MAC
- CKM_CAMELLIA_MAC_GENERAL
- CKM_CAMELLIA_CBC_PAD
- CKM_CAMELLIA_ECB_ENCRYPT_DATA
- CKM_CAMELLIA_CBC_ENCRYPT_DATA
- CKG: MFGs
- CKG_MGF1_SHA224
- New error codes (see secerr.h):
- SEC_ERROR_NOT_INITIALIZED
- SEC_ERROR_TOKEN_NOT_LOGGED_IN
- SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
- SEC_ERROR_OCSP_BAD_SIGNATURE
- SEC_ERROR_OUT_OF_SEARCH_LIMITS
- SEC_ERROR_INVALID_POLICY_MAPPING
- SEC_ERROR_POLICY_VALIDATION_FAILED
- SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE
- SEC_ERROR_BAD_HTTP_RESPONSE
- SEC_ERROR_BAD_LDAP_RESPONSE
- SEC_ERROR_FAILED_TO_ENCODE_DATA
- SEC_ERROR_BAD_INFO_ACCESS_LOCATION
- SEC_ERROR_LIBPKIX_INTERNAL
- New mechanism flags (see secmod.h)
- PUBLIC_MECH_AES_FLAG
- PUBLIC_MECH_SHA256_FLAG
- PUBLIC_MECH_SHA512_FLAG
- PUBLIC_MECH_CAMELLIA_FLAG
- New OIDs (see secoidt.h)
- new EC Signature oids
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST
- SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE
- More id-ce and id-pe OIDs from RFC 3280
- SEC_OID_X509_HOLD_INSTRUCTION_CODE
- SEC_OID_X509_DELTA_CRL_INDICATOR
- SEC_OID_X509_ISSUING_DISTRIBUTION_POINT
- SEC_OID_X509_CERT_ISSUER
- SEC_OID_X509_FRESHEST_CRL
- SEC_OID_X509_INHIBIT_ANY_POLICY
- SEC_OID_X509_SUBJECT_INFO_ACCESS
- Camellia OIDs (RFC3657)
- SEC_OID_CAMELLIA_128_CBC
- SEC_OID_CAMELLIA_192_CBC
- SEC_OID_CAMELLIA_256_CBC
- PKCS 5 V2 OIDS
- SEC_OID_PKCS5_PBKDF2
- SEC_OID_PKCS5_PBES2
- SEC_OID_PKCS5_PBMAC1
- SEC_OID_HMAC_SHA1
- SEC_OID_HMAC_SHA224
- SEC_OID_HMAC_SHA256
- SEC_OID_HMAC_SHA384
- SEC_OID_HMAC_SHA512
- SEC_OID_PKIX_TIMESTAMPING
- SEC_OID_PKIX_CA_REPOSITORY
- SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE
- Changed OIDs (see secoidt.h)
- SEC_OID_PKCS12_KEY_USAGE changed to SEC_OID_BOGUS_KEY_USAGE
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST changed to
SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
- Note: SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST is also kept for compatibility
reasons.
- TLS Session ticket extension (off by default)
- See SSL_ENABLE_SESSION_TICKETS in ssl.h
- New SSL error codes (see sslerr.h)
- SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
- SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT
- SSL_ERROR_UNRECOGNIZED_NAME_ALERT
- SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT
- SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT
- SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
- SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET
- New TLS cipher suites (see sslproto.h):
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- Note: the following TLS cipher suites are declared but are not yet implemented:
- TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
- TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
- TLS_ECDH_anon_WITH_NULL_SHA
- TLS_ECDH_anon_WITH_RC4_128_SHA
- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_anon_WITH_AES_128_CBC_SHA
- TLS_ECDH_anon_WITH_AES_256_CBC_SHA
--------------
.. _bugs_fixed:
`Bugs Fixed <#bugs_fixed>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
The following bugs have been fixed in NSS 3.12.
returns pointer to a freed memory if the function fails to allocate a lock
debug output into stderr
freed after use.
pkix_pl_OcspRequest_Destroy
tests.
memory
uninitialized variable in ckfw/object.c(174)
uninitialized variable in ckfw/mechanism.c(719)
failure in legacydb
mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file
dependency from NSS to Softoken
certificate(s) to NSS
by more than two days, OSCP check fails, can result in crash if user tries to view certificate
[[@ SECITEM_CompareItem_Util] [[@ memcmp]
print all the GeneralNames in a CRLDP extension
erroneous comments in DER_AsciiToTime
crashes in NSS_shutdown
statements in ec_GF2m_pt_mul_mont
these crmf\_ symbols
pkix_pl_OcspRequest_Create can leave some members uninitialized
CERT_FindUserCertByUsage() returns wrong certificate if multiple certs with same subject
available
sftkdb_ReadSecmodDB() (sftkmod.c)
specify OCSP timeout
Cipher Suites to TLS RFC4132
needs to get the key usage from the caller.
Integrity checks not yet implemented.
implementation slow
implementation really slow on network file systems
update fails if user opens database R/W but never supplies a password
updated when passwords are changed.
tests
SEC_BEGIN_PROTOS / SEC_END_PROTOS are undefined
NSPR rotate macros
obsolete
empty explicitly for WIN95 and WINCE builds
returns a non-NULL pointer if the allocation of its 'data' buffer fails
unnamed null pointer argument to CERT_CreateRDN
cause Empty declaration compiler warnings
flag -Werror-implicit-function-declaration
to detect SHA tests that are incorrectly configured for BIT oriented implementations
RNG_SystemInfoForRNG calls GetCurrentProcess, which returns the constant (HANDLE)-1.
ReadSystemFiles reads 21 files as opposed to 10 files in C:\WINDOWS\system32.
USE_PTHREADS related code in coreconf/SunOS5.mk.
USE_PTHREADS related code in coreconf/HP-UX*.mk.
function prototypes of SSL handshake callbacks
compiler warnings in nss/cmd
stand-alone.
to security/nss/lib/freebl/mpi/mp_comba.c
returns SECSuccess on invalid arguments
sha512.c, and use SEC_BEGIN_PROTOS/SEC_END_PROTOS in secport.h
makefile target in lib/softoken and lib/softoken/legacydb
Cert_NewTempCertificate.
big integer, not ulong
function tests into a single statically linked program
and AIA extensions to certutil
calls CERT_VerifyCert
back to trunk
in VFY_VerifyDigestDirect
returns error when try to get an ocsp response.
undefined reference to \`_imp__PKIX_ERRORNAMES'
decoding/encoding while creating and using PKIX_PL_X500Name
to get certs using AIA url with OCSP access method
cert validation failures discovered from running vfyserv
cached cert chain for revocation
validation when no valid CRL (NIST validation policy is always enforced)
time override
functions must validate leaf cert themselves
errors are reported as PKIX ALLOC ERROR
should be able to use libPKIX
for object ref leak at shutdown
called by nssinit.c
ocspclnt/PKIX.
pkix_pl_HttpCertStore_ProcessCertResponse is unable to process certs in DER format
critical NetscapeCertType extensions in libPKIX
not call NSS_Init
creates links to nonexistant shared libraries and breaks windows build
init.
validate cert for certUsageStatusResponder
in PKIX_PL_HashTable_Add cause selfserv to crash.
public header files in NSS 3.12
crashes when PKIX enabled.
after having called CERT_PKIXVerifyCert
verify
seem to work.
code into nss error code
validates chain to root not in the caller-provided anchor list
pointed by CERTValOutParam array in case of error
leaks hashtable key object
pkix_CheckCert function
boilerplate in all new PKIX code
supported in libpkix must be marked supported
forks on all unix-ish platforms
CERTNameConstraintsTemplate is incorrect
policy extension
pkix_OcspChecker_Check
NSS's override trust flags
never succeeds
extensions to certutil
SECU_ParseCommandLine
dotted OID format to/from octet representation
routinely sets VALID_PEER or VALID_CA OVERRIDE trust flags
chain when root CA cert has no basic constraints
string number type to pkix error number types
key3.db with no global salt as having no password
1.3.14.3.2.29 causes sec_error_bad_signature, 3.11 ignores it
return a false match
revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
invalid pointer
extensions not supported
interfaces to deal with multiple token sources of certs.
cannot be shared between multiple processes
for certificate path building and verification for libPKIX
problems (intel)
for Shared Databases
pkcs7 code from pkix_pl_httpcertstore.c
modify and create new PKCS #11 objects.
fails if CRLs are missing, implement cert_pi_revocationFlags
passwordmgr tests
undetected by tinderbox
memory inefficient
cert_CompareNameWithConstraints a non-static function
p7sign
CRL names
NSC_DigestKey] Dereferencing possibly NULL att
for invalid requests
Pointer Dereference in CERT_CertChainFromCert
ptr derefs in CERT_FormatName
ptr deref in nssCertificateList_DoCallback
uninitialized pointer in CERT_FindCertURLExtension
deref in nssCryptokiPrivateKey_SetCertificate
nss/lib/pk11wrap/dev3hack.c
dereferences in instance.c
memory leak in mpp_make_prime
dereference in ocsp_DecodeResponseBytes
dereferences in pki3hack.c
dereference in p7decode.c
dereferences in pk11cert.c
dereferences in pk11nobj.c
dereferences in pk11obj.c
dereferences in pkcs11.c
in softoken/pk11db.c
ssl3con.c
in pki/pkibase.c
stanpcertdb.c
softoken/keydb.c
tdcache.c
before NULL check in devutil.c
lib/ckfw
shutdown failure
signature in libpkix without decoding and reencoding
validate a chain that consists only of one self issued, trusted cert
pkix_pl_OcspRequest_Create throws an error if it was not able to get AIA location
uses user object types
a macro calls a function that returns an error
for creating an object leak if subsequent function code produces an error
pkix_pl_Pk11CertStore_CrlQuery will crash if fails to acquire DP cache.
user defined revocation checkers
pkix_pl_LdapCertStore_BuildCrlList should not fail if a crl fails to be decoded
leaks a test certificate
is unhelpful
size-optimized in browser builds on Linux, Windows, and Mac
in public NSS headers
PK11_FindCertFromNickname should be const.
description is empty
might have a leak
in NSS Libraries
shared library
Entry reason code has incorrect prototype and implementation
the CRL cache for libpkix
nssCKFWCryptoOperation_UpdateCombo is not declared
read-only for some options
give 1% improvement in RSA performance on amd64
modutil
generate SubjectKeyID extension
pk11_config_strings leaked on shutdown
on win64
message the gmt_unix_time is incorrect
with studio 12 compiler
leaked on shutdown
certvfypkix.c, turn off EV_TEST_HACK
not defined in any public header file
extract certs from p12 file
distinguished name attributes with wrong string type
passes uninitialized variables to functions
truncate existing temporary files when writing them
file with colon in friendlyName not selectable for signing/encryption
to import bags without nicknames
files in nss/cmd/sslsample
name from key, not cert
SECMOD_HANDLE_STRING_ARG called in loop
in secasn1d.c
function names in fipstest
tracker code in DEBUG builds only
incorrect algorithm
AES
Windows
incorrect output for dates 1950-1970
badly, display as !INVALID AVA!
option when -p option is present
session ticket extension (STE)
that outputs all host names for DNS name matching
test_buildchain_resourcelimits won't build
dereference in PKCS12 decoder
GFP_POPULATE should check the ecCurve_map array index bounds before use
plain text for NULL cipher suites
exponent as negative number
take cert from specified file
DBM code
(security/nss/lib/jar/jarver.c)
security/nss/lib/jar/jarfile.c
JAR_JAR_sign_archive (security/nss/lib/jar/jarjart.c)
mozilla/security/nss/lib/jar
code from mozilla/security/lib/jar
should be C++ safe
document certutil -C -a
for lib/certdb and lib/certhigh
should be an unsigned long constant.
compiler support from NSS
give enough information about trust arguments
create_objects_from_handles
PK11_FindCertFromDERSubjectAndNickname is dead code
solaris due to extra semicolon in SEC_ASN1_MKSUB
joined on exit
bltest
expired in August 2004 from tree
crmf_encode_popoprivkey
sysDir filenames causes problems on OS/2
request a certificate with an existing key
to cmd/symkeyutil
usage(s) for certutil's -V -u option
mozilla/dbm
accept all valid values
should be improved and documented
work with Softoken
verify for specific date
generator isn't very efficient
wrongly uses the term database
Windows Vista
NSS tools that print public keys
bugs
check of out it in JAR_find_next
operations.
PK11_ParamToAlgid() in mozilla/security/nss/lib/pk11wrap/pk11mech.c
allocates and leaks sha1cx
SFTK_DestroySlotData uses slot->slotLock then checks it for NULL
crash in ecgroup_fromNameAndHex
files from other NSS directories
NSS_ENABLE_ECC defines from manifest.mn
from lib/freebl
memory read in nssPKIObjectCollection_AddInstances
certutil's default DSA prime is only 512 bits
DEADCODE in SECITEM_AllocItem loser
certutil
comment
SECMOD_DeleteModuleEx
NSS_ENABLE_ECC is not defined
lost when changing Master Password
CERT_PKIXVerifyCert
find sqlite3.dll
bogus trust flags
--------------
`Documentation <#documentation>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
For a list of the primary NSS documentation pages on mozilla.org, see `NSS
Documentation <../index.html#Documentation>`__. New and revised documents available since the
release of NSS 3.11 include the following:
- :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
- :ref:`mozilla_projects_nss_reference_nss_environment_variables`
--------------
`Compatibility <#compatibility>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
NSS 3.12 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
--------------
`Feedback <#feedback>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Bugs discovered should be reported by filing a bug report with `mozilla.org
Bugzilla <https://bugzilla.mozilla.org/>`__\ (product NSS).