Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#8407 closed enhancement (fixed)

nss-3.27.1

Reported by: Douglas R. Reno
Owned by: bdubbs@…
Priority: normal
Milestone: 8.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by Douglas R. Reno)

New minor version - released to fix an accidental API break.

Currency script picked it up as the OpenSSL-1.1.0 ticket (query = nss?)

New in NSS 3.27.1
New Functionality

No new functionality is introduced in this release. This is a patch release to address a TLS compatibility issue that some applications experienced with NSS 3.27.

Notable Changes in NSS 3.27.1
Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build.

Previous versions of NSS made TLS 1.3 (draft) available only when compiled with NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing TLS 1.3 (draft) to be disabled using NSS_DISABLE_TLS_1_3, although the maximum version used by default remained TLS 1.2.

However, some applications query the list of protocol versions that are supported by the NSS library, and enable all supported TLS protocol versions. Because NSS 3.27 enabled compilation of TLS 1.3 (draft) by default, it caused those applications to enable TLS 1.3 (draft). This resulted in connectivity failures, as some TLS servers are version 1.3 intolerant, and failed to negotiate an earlier TLS version with NSS 3.27 clients.

NSS 3.27.1 once again requires NSS_ENABLE_TLS_1_3 to be set to enable TLS 1.3 (draft).

Bugs fixed in NSS 3.27.1
The following bug has been fixed in NSS 3.27.1: Re-disable TLS 1.3 by default

Compatibility
NSS 3.27.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.27.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
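
An added example, not part of the ticket or of NSS: a self-contained C model of the failure described in the release notes above, comparing an application that enables every version the library reports against one that clamps the range to its own policy. The `version_range` struct, the function names and the server model are constructed for illustration; no NSS APIs are called.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS protocol versions as encoded on the wire. */
#define TLS_1_0 0x0301
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* Hypothetical stand-in for a library's min/max protocol version range. */
typedef struct { uint16_t min, max; } version_range;

/* Pattern from the release notes: enable whatever the library reports. */
static version_range enable_all_supported(version_range supported) {
    return supported;
}

/* Defensive pattern: intersect the library's range with an explicit
 * application policy. Returns 0 on success, -1 if the ranges do not overlap. */
static int clamp_to_policy(version_range supported, version_range policy,
                           version_range *out) {
    uint16_t lo = supported.min > policy.min ? supported.min : policy.min;
    uint16_t hi = supported.max < policy.max ? supported.max : policy.max;
    if (lo > hi) return -1;
    out->min = lo; out->max = hi;
    return 0;
}

/* Constructed server model: returns the negotiated version, 0 on failure.
 * A tolerant server answers with its own maximum when offered something
 * newer; a version-intolerant server aborts the handshake instead. */
static uint16_t handshake(version_range client, uint16_t server_max, int intolerant) {
    if (client.max > server_max) {
        if (intolerant) return 0;
        return server_max >= client.min ? server_max : 0;
    }
    return client.max;
}

int main(void) {
    /* Constructed inputs: a build reporting TLS 1.3 (draft), and one that does not. */
    version_range builds[2] = { {TLS_1_0, TLS_1_3}, {TLS_1_0, TLS_1_2} };
    version_range policy = { TLS_1_0, TLS_1_2 };
    for (int i = 0; i < 2; i++) {
        version_range all = enable_all_supported(builds[i]), safe;
        if (clamp_to_policy(builds[i], policy, &safe) != 0) return 1;
        printf("supported max 0x%04x: enable-all -> 0x%04x, clamped -> 0x%04x\n",
               (unsigned)builds[i].max, (unsigned)handshake(all, TLS_1_2, 1),
               (unsigned)handshake(safe, TLS_1_2, 1));
    }
    return 0;
}
```

A result of `0x0000` means the handshake failed; the clamped client negotiates TLS 1.2 regardless of whether the library build reports TLS 1.3 (draft) as supported.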

Change History (4)

comment:1 by Douglas R. Reno, 8 years ago

Description: modified (diff)

While googling, I found that this is the cause of some issues in Firefox, specifically with connecting to "TLS 1.1 intolerant" websites.

comment:2 by bdubbs@…, 8 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:3 by bdubbs@…, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 17851.

comment:4 by bdubbs@…, 7 years ago

Milestone: 7.11 → 8.0

Milestone renamed
