Source code
Revision control
Copy as Markdown
Other Tools
.. _mozilla_projects_nss_nss_3_12_5_release_notes:
NSS 3.12.5 release_notes
========================
.. _nss_3.12.5_release_notes:
`NSS 3.12.5 release notes <#nss_3.12.5_release_notes>`__
--------------------------------------------------------
.. container::
.. container::
2009-12-02
--------------
.. container::
:name: section_1
.. rubric:: Introduction
:name: Introduction
Network Security Services (NSS) 3.12.5 is a patch release for NSS 3.12. The bug fixes in
NSS 3.12.5 are described in the "`Bugs
NSS 3.12.5 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
.. container::
:name: section_2
.. rubric:: Distribution Information
:name: Distribution_Information
The CVS tag for the NSS 3.12.5 release is ``NSS_3_12_5_RTM``.
You can check out the source from CVS by
.. note::
cvs co -r NSPR_4_8_RTM NSPR
cvs co -r NSS_3_12_5_RTM NSS
for the build instructions.
NSS 3.12.5 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:
- Source tarball:
.. container::
:name: section_3
.. rubric:: New in NSS 3.12.5
:name: New_in_NSS_3.12.5
.. container::
:name: section_4
.. rubric:: SSL3 & TLS Renegotiation Vulnerability
:name: SSL3_TLS_Renegotiation_Vulnerability
this security vulnerability.
All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs
that attempt to perform renegotiation to experience failures where they formerly
experienced successes, and is necessary for them to not be vulnerable, until such time
as a new safe renegotiation scheme is standardized by the IETF.
If an application depends on renegotiation feature, it can be enabled by setting the
environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental
variable, the fix provided by these patches will have no effect and the application may
become vulnerable to the issue.
This default setting can also be changed within the application by using the following
existing API functions:
-
- SECStatus SSL_OptionSet(PRFileDesc \*fd, PRInt32 option, PRBool on)
- SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on)
- There is now a new value for "option", which is:
- SSL_ENABLE_RENEGOTIATION
The corresponding new values for SSL_ENABLE_RENEGOTIATION are:
- SSL_RENEGOTIATE_NEVER: Never renegotiate at all (default).
- SSL_RENEGOTIATE_UNRESTRICTED: Renegotiate without restriction, whether or not the
peer's client hello bears the renegotiation info extension (as we always did in
the past). **UNSAFE**.
.. container::
:name: section_5
.. rubric:: TLS compression
:name: TLS_compression
- Enable TLS compression with:
- SSL_ENABLE_DEFLATE: Enable TLS compression with DEFLATE. Off by default. (See
ssl.h)
Error codes:
- SSL_ERROR_DECOMPRESSION_FAILURE (see sslerr.h)
- SSL_ERROR_RENEGOTIATION_NOT_ALLOWED (see sslerr.h)
.. container::
:name: section_6
.. rubric:: New context initialization and shutdown functions
:name: New_context_initialization_and_shutdown_functions
- See nss.h for details. The 2 new functions are:
- NSS_InitContext
- NSS_ShutdownContext
Parameters for these functions are used to initialize softoken. These are mostly
strings used to internationalize softoken. Memory for the strings are owned by the
caller, who is free to free them once NSS_ContextInit returns. If the string
parameter is NULL (as opposed to empty, zero length), then the softoken default is
used. These are equivalent to the parameters for PK11_ConfigurePKCS11().
See the following struct in nss.h for details:
- NSSInitParametersStr
.. container::
:name: section_7
.. rubric:: Other new functions
:name: Other_new_functions
- *In secmod.h:*
- SECMOD_GetSkipFirstFlag
- SECMOD_GetDefaultModDBFlag
*In prlink.h*
- NSS_SecureMemcmp
- PORT_LoadLibraryFromOrigin
.. container::
:name: section_8
.. rubric:: Modified functions
:name: Modified_functions
- SGN_Update (see cryptohi.h)
- The parameter "input" of this function is changed from *unsigned char \** to
*const unsigned char \**.
- PK11_ConfigurePKCS11 (see nss.h)
- The name of some parameters have been slightly changed ("des" became "desc").
.. container::
:name: section_9
.. rubric:: Deprecated headers
:name: Deprecated_headers
- The header file key.h is deprecated. Please use keyhi.h instead.
.. container::
:name: section_10
.. rubric:: Additional documentation
:name: Additional_documentation
- *In pk11pub.h:*
- The caller of PK11_DEREncodePublicKey should free the returned SECItem with a
SECITEM_FreeItem(..., PR_TRUE) call.
- PK11_ReadRawAttribute allocates the buffer for returning the attribute value. The
caller of PK11_ReadRawAttribute should free the data buffer pointed to by item
using a SECITEM_FreeItem(item, PR_FALSE) or PORT_Free(item->data) call.
*In secasn1.h:*
- If both pool and dest are NULL, the caller should free the returned SECItem with a
SECITEM_FreeItem(..., PR_TRUE) call. If pool is NULL but dest is not NULL, the
caller should free the data buffer pointed to by dest with a
SECITEM_FreeItem(dest, PR_FALSE) or PORT_Free(dest->data) call.
.. container::
:name: section_11
.. rubric:: Environment variables
:name: Environment_variables
- NSS_FIPS
- Will start NSS in FIPS mode.
- NSS_SSL_ENABLE_RENEGOTIATION
- NSS_SSL_REQUIRE_SAFE_NEGOTIATION
- See SSL3 & TLS Renegotiation Vulnerability.
.. container::
:name: section_12
.. rubric:: Bugs Fixed
:name: Bugs_Fixed
The following bugs have been fixed in NSS 3.12.5.
variable DSO_LDFLAGS
build numbers (4th component of version number) to nssutil.h
fails to compile on FreeBSD/powerpc
softoken, looking for sqlite3.dll
cipher suites implemented in Windows 7 to ssltap
fails, it leaves the certificate undiscoverable by CERT_PKIXVerifyCert
PK11_ImportAndReturnPrivateKey leaks an arena
PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo
SECKEY_EncodeDERSubjectPublicKeyInfo and PK11_DEREncodePublicKey are duplicate
comments to key.h and pk11func.h
PORT_Memcmp for comparing secret data.
against ssl3ext.c:ssl3_ServerHandleSessionTicketXtn()
Renegotiation Vulnerability
.. container::
:name: section_13
.. rubric:: Documentation
:name: Documentation
For a list of the primary NSS documentation pages on mozilla.org, see `NSS
and revised documents available since the release of NSS 3.11 include the following:
.. container::
:name: section_14
.. rubric:: Compatibility
:name: Compatibility
NSS 3.12.5 shared libraries are backward compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.5
shared libraries without recompiling or relinking. Furthermore, applications that restrict
their use of NSS APIs to the functions listed in `NSS Public
remain compatible with future versions of the NSS shared libraries.
.. container::
:name: section_15
.. rubric:: Feedback
:name: Feedback
Bugs discovered should be reported by filing a bug report with `mozilla.org
This document was generated by *genma teruaki* on *November 28, 2010* using `texi2html