Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#9005 closed enhancement (fixed)


Reported by: Douglas R. Reno Owned by: bdubbs@…
Priority: normal Milestone: 8.1
Component: BOOK Version: SVN
Severity: normal Keywords:


New minor version

New in NSS 3.30
New Functionality

In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them from other other root CAs may use the exported function PK11_HasAttributeSet.
Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or received.
New Functions

in cert.h
CERT_CompareAVA - performs a comparison of two CERTAVA structures, and returns a SECComparison result.
in pk11pub.h
PK11_HasAttributeSet - allows to check if a PKCS#11 object in a given slot has a specific boolean attribute set.
in ssl.h
SSL_AlertReceivedCallback - register a callback function that will be called whenever an SSL/TLS alert is received
SSL_AlertSentCallback - register a callback function that will be called whenever an SSL/TLS alert is sent
SSL_SetSessionTicketKeyPair - configures an asymmetric key pair for use in wrapping session ticket keys, used by the server. This function currently only accepts an RSA public/private key pair.
New Macros

in ciferfam.h
PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256 - cipher family identifiers corresponding to the PKCS#5 v2.1 AES based encryption schemes used in the PKCS#12 support in NSS
in pkcs11n.h
CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11 attribute, that should be set to true, if a CA is present because of it's acceptance according to the Mozilla CA Policy
Notable Changes in NSS 3.30EDIT
The TLS server code has been enhanced to support session tickets when no RSA certificate (e.g. only an ECDSA certificate) is configured.
RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8 are now supported.
The pk12util tool now supports importing and exporting data encrypted in the AES based schemes defined in PKCS#5 v2.1.
Bugs fixed in NSS 3.30EDIT
This Bugzilla query returns all the bugs fixed in NSS 3.30:

NSS 3.30 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.30 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Change History (5)

comment:1 by DJ Lucas, 7 years ago

According to the above, we need not change anything WRT our CA setup. When p11-kit is next updated, if functionality for PK11_HasAttributeSet is included, then we'll need to account for it in the shared DB (not sure how yet, I guess have to add another function for CKA_NSS_MOZILLA_CA_POLICY, though it should be consistent with any positive trust), but anyway, for now we are all good to update.

comment:2 by bdubbs@…, 7 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: newassigned

comment:3 by bdubbs@…, 7 years ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 18500.

comment:4 by bdubbs@…, 7 years ago

Milestone: 8.1m8.1

Milestone renamed

comment:5 by bdubbs@…, 7 years ago

Milestone: m8.18.1

Milestone renamed

Note: See TracTickets for help on using tickets.