#9005 closed enhancement (fixed)
nss-3.30
| Reported by: | Douglas R. Reno | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 8.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version
New in NSS 3.30 New Functionality In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them from other other root CAs may use the exported function PK11_HasAttributeSet. Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or received. New Functions in cert.h CERT_CompareAVA - performs a comparison of two CERTAVA structures, and returns a SECComparison result. in pk11pub.h PK11_HasAttributeSet - allows to check if a PKCS#11 object in a given slot has a specific boolean attribute set. in ssl.h SSL_AlertReceivedCallback - register a callback function that will be called whenever an SSL/TLS alert is received SSL_AlertSentCallback - register a callback function that will be called whenever an SSL/TLS alert is sent SSL_SetSessionTicketKeyPair - configures an asymmetric key pair for use in wrapping session ticket keys, used by the server. This function currently only accepts an RSA public/private key pair. New Macros in ciferfam.h PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256 - cipher family identifiers corresponding to the PKCS#5 v2.1 AES based encryption schemes used in the PKCS#12 support in NSS in pkcs11n.h CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11 attribute, that should be set to true, if a CA is present because of it's acceptance according to the Mozilla CA Policy Notable Changes in NSS 3.30EDIT The TLS server code has been enhanced to support session tickets when no RSA certificate (e.g. only an ECDSA certificate) is configured. RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8 are now supported. The pk12util tool now supports importing and exporting data encrypted in the AES based schemes defined in PKCS#5 v2.1. Bugs fixed in NSS 3.30EDIT This Bugzilla query returns all the bugs fixed in NSS 3.30: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.30 Compatibility NSS 3.30 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.30 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Change History (5)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Note:
See TracTickets
for help on using tickets.
According to the above, we need not change anything WRT our CA setup. When p11-kit is next updated, if functionality for PK11_HasAttributeSet is included, then we'll need to account for it in the shared DB (not sure how yet, I guess have to add another function for CKA_NSS_MOZILLA_CA_POLICY, though it should be consistent with any positive trust), but anyway, for now we are all good to update.