[ANNOUNCE] NSS 3.24 Release

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

[ANNOUNCE] NSS 3.24 Release

Kai Engert-4
The NSS team has released Network Security Services (NSS) 3.24, which is 
a minor release.

Below is a short summary of the changes.
Please refer to the full release notes for additional details.

New functionality:
* NSS softoken has been updated with the latest NIST guidance (as of 2015)
* NSS softoken has also been updated to allow NSS to run in FIPS level-1 
  (no password).
* SSL_ConfigServerCert function has been added for configuring SSL/TLS 
  server sockets with a certificate and private key. This method should be 
  used in preference to SSL_ConfigSecureServer,
  SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and
  SSL_SetSignedCertTimestamps.
* Added PORTCheapArena for temporary arenas allocated on the stack.

New Functions:
* SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, 
  private key and other information.
* PORT_InitCheapArena - This initializes an arena that was created on 
  the stack. See PORTCheapArenaPool.
* PORT_DestroyCheapArena - This destroys an arena that was created on 
  the stack. See PORTCheapArenaPool.

New Types
* SSLExtraServerCertData - This struct is optionally passed as an argument 
  to SSL_ConfigServerCert.  It contains supplementary information about a 
  certificate, such as the intended type of the certificate, stapled OCSP 
  responses, or signed certificate timestamps (used for certificate 
  transparency).
* PORTCheapArenaPool - A stack-allocated arena pool, to be used for 
  temporary arena allocations.

New Macros
* CKM_TLS12_MAC
* SEC_OID_TLS_ECDHE_PSK - This OID is used to govern use of the 
  TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is only 
  used for session resumption in TLS 1.3.

Notable Changes:
* The following functions have been deprecated (applications should use the 
  new SSL_ConfigServerCert function instead):
  * SSL_SetStapledOCSPResponses
  * SSL_SetSignedCertTimestamps
  * SSL_ConfigSecureServer
  * SSL_ConfigSecureServerWithCertChain
* Function NSS_FindCertKEAType is now deprecated, as it reports a misleading
  value for certificates that might be used for signing rather than key 
  exchange.
* SSLAuthType has been updated to define a larger number of authentication 
  key types.
* The member attribute authAlgorithm of type SSLCipherSuiteInfo has been 
  deprecated. Instead, applications should use the newly added attribute 
  authType.
* ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt.
* On Linux platforms that define FREEBL_LOWHASH, a shared library has been 
  added: libfreeblpriv3
* Most code related to the SSL v2 has been removed, including the ability to 
  actively send a SSL v2 compatible client hello.
  However, the server side implementation of the SSL/TLS protocol continues to 
  support processing of received v2 compatible client hello messages.
* NSS supports a mechanism to log SSL/TLS key material to a logfile if the 
  environment variable named SSLKEYLOGFILE is set. NSS has been changed to 
  disable this functionality in optimized builds by default. In order to enable 
  the functionality in optimized builds, the symbol NSS_ALLOW_SSLKEYLOGFILE 
  must be defined when building NSS.
* NSS has been updated to be protected against the Cachebleed attack.
* Support for DTLS compression has been disabled.
* Support for TLS 1.3 has been improved.  This includes support for DTLS 1.3.
  Note that TLS 1.3 support is experimental and is not suitable for production
  use.

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes

The HG tag is NSS_3_24_RTM. NSS 3.24 requires NSPR 4.12 or newer.

NSS 3.24 source distributions are available on ftp.mozilla.org for secure HTTPS
download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.24

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Paul Wouters-2
On Sun, 22 May 2016, Kai Engert wrote:

> Subject: [ANNOUNCE] NSS 3.24 Release

> * NSS softoken has been updated with the latest NIST guidance (as of 2015)

What does this relate to? Do you have the specific FIPS publication?
Is this perhaps the GCM IV handling?

Paul
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Trick, Daniel
Hello.

I'm trying to build latest NSS. Following the Wiki instructions I do:

> |hg clone https://hg.mozilla.org/projects/nspr hg clone
> https://hg.mozilla.org/projects/nss cd nss make BUILD_OPT=1 |


Result is:

> make[2]: Entering directory `/c/Scratchpad/NSS/nss/lib/util'
> cl -FoWIN954.0_OPT.OBJ/quickder.obj -c -O2 -MD -w44267 -w44244 -w44018
> -w44312 -FS -arch:IA32 -W3 -nologo -D_CRT_SECURE_NO_WARNINGS
> -D_CRT_NONSTDC_NO_
> WARNINGS -WX -DXP_PC -UDEBUG -DNDEBUG -DWIN32 -D_X86_ -D_WINDOWS
> -DWIN95 -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT
> -DSSL_DISABLE_
> DEPRECATED_CIPHER_SUITE_NAMES -I../../../dist/WIN954.0_OPT.OBJ/include
> -I../../../dist/public/nss -I../../../dist/private/nss
> "/c/Scratchpad/NSS/nss/
> lib/util/quickder.c"
> quickder.c
> c:\scratchpad\nss\nss\lib\util\secasn1.h(15) : fatal error C1083:
> Cannot open include file: 'plarena.h': No such file or directory
> make[2]: *** [WIN954.0_OPT.OBJ/quickder.obj] Error 2
> make[2]: Leaving directory `/c/Scratchpad/NSS/nss/lib/util'
> make[1]: *** [libs] Error 2
> make[1]: Leaving directory `/c/Scratchpad/NSS/nss/lib'
> make: *** [libs] Error 2

Is this a bug or am I missing something?

(I am using Windows 7, Moz-Build Version is 2.2.0)

Thank you!

Regards,
Daniel


--
Daniel Trick, Fraunhofer SIT
Cloud Computing, Identity & Privacy (CIP)
Rheinstr. 75, 64295 Darmstadt, Germany
Tel +49 6151 869-303

mailto:[hidden email]
http://www.sit.fraunhofer.de/

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Martin Thomson
On Mon, May 23, 2016 at 1:55 AM, Trick, Daniel
<[hidden email]> wrote:
> make BUILD_OPT=1


Try: make BUILD_OPT=1 nss_build_all

You have to build NSPR first, and this does that for you.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

RE: [ANNOUNCE] NSS 3.24 Release

Trick, Daniel
Thanks a ton!


________________________________________
From: dev-tech-crypto [dev-tech-crypto-bounces+trick=[hidden email]] on behalf of Martin Thomson [[hidden email]]
Sent: Monday, May 23, 2016 6:28 PM
To: mozilla's crypto code discussion list
Subject: Re: [ANNOUNCE] NSS 3.24 Release

On Mon, May 23, 2016 at 1:55 AM, Trick, Daniel
<[hidden email]> wrote:
> make BUILD_OPT=1


Try: make BUILD_OPT=1 nss_build_all

You have to build NSPR first, and this does that for you.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Robert Relyea
In reply to this post by Paul Wouters-2
On 05/22/2016 04:26 PM, Paul Wouters wrote:
> On Sun, 22 May 2016, Kai Engert wrote:
>
>> Subject: [ANNOUNCE] NSS 3.24 Release
>
>> * NSS softoken has been updated with the latest NIST guidance (as of
>> 2015)
>
> What does this relate to? Do you have the specific FIPS publication?
> Is this perhaps the GCM IV handling?
Checking library integrity at library load time rather than first init
time. I don't have the document.:(,

bob
>
> Paul



--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Julien Pierre-3
In reply to this post by Kai Engert-4
Kai,

On 5/22/2016 13:45, Kai Engert wrote:

> Notable Changes:
> * The following functions have been deprecated (applications should use the
>    new SSL_ConfigServerCert function instead):
>    * SSL_SetStapledOCSPResponses
>    * SSL_SetSignedCertTimestamps
>    * SSL_ConfigSecureServer
>    * SSL_ConfigSecureServerWithCertChain
> * Function NSS_FindCertKEAType is now deprecated, as it reports a misleading
>    value for certificates that might be used for signing rather than key
>    exchange.
> * SSLAuthType has been updated to define a larger number of authentication
>    key types.
> * The member attribute authAlgorithm of type SSLCipherSuiteInfo has been
>    deprecated. Instead, applications should use the newly added attribute
>    authType.
> * ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt.
>
Will the deprecated functions stop working right away ? Or is there a
scheduled time at which they won't be supported anymore in the future ?
The SSL_ConfigSecureServer function is very commonly used, pretty much
in all Oracle applications.
In the past, NSS has maintained binary compatibility, except in cases
where security cannot be fixed, such as SSL2 .

Julien

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: [ANNOUNCE] NSS 3.24 Release

Martin Thomson
On Mon, May 23, 2016 at 7:29 PM, Julien Pierre <[hidden email]> wrote:
> Will the deprecated functions stop working right away ? Or is there a
> scheduled time at which they won't be supported anymore in the future ?


There are no plans to remove these.  Since they are so widely used, I
expect that we may never get rid of them.  However, no new features
can or will be added to these functions.  For example, if you want to
use RSA-PSS, then you will need to use the new functions.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto