Opened 9 years ago

Closed 9 years ago

#6839 closed enhancement (fixed)

nss-3.20

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: normal
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/nss-3.20.tar.gz

https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/SHA256SUMS

5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes

NSS 3.20 release notes
by 2 contributors:

    kaie m_t 

== Introduction ==

The NSS team has released Network Security Services (NSS) 3.20, which is
a minor release.

== Distribution Information ==

The HG tag is NSS_3_20_RTM. NSS 3.20 requires NSPR 4.10.8 or newer.

== New in NSS 3.20 ==

New Functionality

   • The TLS library has been extended to support DHE ciphersuites in
     server applications.

New Functions

   • in ssl.h
       ◦ SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE
         group parameters that can be used by NSS for a server socket.
       ◦ SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
         parameters that are smaller than the library default's minimum
         size.

New Types

   • in sslt.h
       ◦ SSLDHEGroupType - Enumerates the set of DHE parameters embedded
         in NSS that can be used with function SSL_DHEGroupPrefSet

New Macros

   • in ssl.h
       ◦ SSL_ENABLE_SERVER_DHE - A socket option used to enable or
         disable DHE ciphersuites for a server socket

== Notable Changes in NSS 3.20 ==

   • The TLS library has been extended to support DHE ciphersuites in
     server applications.
   • For backwards compatibility reasons, the server side implementation
     of the TLS library keeps all DHE ciphersuites disabled by default.
     They can be enabled with the new socket option
     SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the
     SSL_OptionSetDefault API.
   • The server side implementation of the TLS implementation does not
     support session tickets when using a DHE ciphersuite (see bug
     1174677).
   • Support for the following ciphersuites has been added:
       ◦ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
       ◦ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
       ◦ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
   • By default, the server side TLS implementation will use DHE
     parameters with a size of 2048 bits when using DHE ciphersuites.
   • NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
     8192 bits, which were copied from version 08 of the Internet-Draft
     "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
     TLS", Appendix A.
   • A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
     server application to select one or multiple of the embedded DHE
     parameters as the preferred parameters. The current implementation
     of NSS will always use the first entry in the array that is passed
     as a parameter to the SSL_DHEGroupPrefSet API. In future versions
     of the TLS implementation, a TLS client might signal a preference
     for certain DHE parameters, and the NSS TLS server side
     implementation might select a matching entry from the set of
     parameters that have been configured as preferred on the server
     side.
   • NSS optionally supports the use of weak DHE parameters with DHE
     ciphersuites to support legacy clients. In order to enable this
     support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
     time this API is called for the first time in a process, a fresh
     set of weak DHE parameters will be randomly created, which may take
     a long amount of time. Please refer to the comments in the header
     file that declares the SSL_EnableWeakDHEPrimeGroup API for
     additional details.
   • The size of the default PQG parameters used by certutil when
     creating DSA keys has been increased to use 2048 bit parameters.
   • The selfserv utility has been enhanced to support the new DHE
     features.
   • NSS no longer supports C compilers that predate the ANSI C standard
     (C89).

== Bugs fixed in NSS 3.20 ==

This Bugzilla query returns all the bugs fixed in NSS 3.20:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.20

== Compatibility ==

NSS 3.20 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries
will work with NSS 3.20 shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
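
The description above pairs the tarball URL with a SHA256SUMS URL and a digest. As an added example (not part of the ticket or of NSS), the shell functions below check a downloaded tarball against both the manifest entry and a digest pinned out-of-band. The function names are hypothetical, and it is an assumption that the digest quoted in the description is the manifest entry for nss-3.20.tar.gz.

```shell
#!/bin/sh
# Added example: verify a release tarball against a SHA256SUMS manifest
# and against a digest pinned elsewhere (for instance, in a ticket).
# Function names are hypothetical; file names must not contain spaces.

# Print the lowercase SHA-256 hex digest of a file.
file_sha256() {
    sha256sum -- "$1" | awk '{ print tolower($1) }'
}

# manifest_digest MANIFEST NAME
# Manifest lines look like "<hex>  <name>" or "<hex> *<name>".
# Prints the digest for NAME; exits 2 if NAME is missing or is listed
# with more than one distinct digest.
manifest_digest() {
    awk -v want="$2" '
        { name = $2; sub(/^\*/, "", name) }
        name == want && length($1) == 64 { seen[tolower($1)] = 1 }
        END {
            n = 0
            for (d in seen) { n++; last = d }
            if (n != 1) exit 2
            print last
        }' "$1"
}

# verify_release FILE MANIFEST PINNED
#   0 = FILE matches both the manifest entry and the pinned digest
#   1 = digest mismatch
#   2 = manifest has no unambiguous entry for FILE
verify_release() {
    file=$1
    manifest=$2
    pinned=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    listed=$(manifest_digest "$manifest" "$(basename -- "$file")") || return 2
    actual=$(file_sha256 "$file")
    [ "$actual" = "$listed" ] && [ "$actual" = "$pinned" ] || return 1
    return 0
}

# Command-line use: script.sh nss-3.20.tar.gz SHA256SUMS <pinned-digest>
if [ "$#" -eq 3 ]; then
    verify_release "$@"
    echo "verify_release exit status: $?"
fi
```

Requiring agreement with both sources means a tampered manifest alone, or a mistyped pinned digest alone, is reported as a mismatch rather than silently accepted.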

Change History (4)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

Ticket Summary

comment:2 by Fernando de Oliveira, 9 years ago

Owner: changed from Fernando de Oliveira to blfs-book@…
Status: assigned → new

comment:3 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:4 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

fixed at r16355.
