[ANNOUNCE] NSS 3.37 Release

Kai Engert-4
The NSS team has released Network Security Services (NSS) 3.37,
which is a minor release.

Notable changes:
* The TLS 1.3 implementation was updated to Draft 28.
* An issue where NSS erroneously accepted HRR requests was resolved.
* Added HACL* Poly1305 32-bit
* The code to support the NPN protocol has been fully removed.
* NSS allows servers now to register ALPN handling callbacks to
  select a protocol.
* NSS supports opening SQL databases in read-only mode.
* On Linux, some build configurations can use glibc's function
  getentropy(), which uses the kernel's getrandom() function.
* The CA list was updated to version 2.24, which removed the
  following CA certificates:
  - CN = S-TRUST Universal Root CA
  - CN = TC TrustCenter Class 3 CA II
  - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5

Please refer to the release notes for the complete list of changes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.37_release_notes

The HG tag is NSS_3_37_RTM. NSS 3.37 requires NSPR 4.19 or newer.

NSS 3.37 source distributions are available for secure download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_37_RTM/src/

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&product=NSS&target_milestone=3.37
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [ANNOUNCE] NSS 3.37 Release

Kurt Roeckx
On 2018-05-08 22:49, Kai Engert wrote:
> Notable changes:
> * The TLS 1.3 implementation was updated to Draft 28.

I find it unfortunate that you update the draft version to 28 and did
not keep it at 26 like some other implementations, since the protocol
did not change since draft 26. This makes it harder to actually test things.


Kurt

Re: [ANNOUNCE] NSS 3.37 Release

Kai Engert-4
On 14.05.2018 11:11, Kurt Roeckx wrote:
> On 2018-05-08 22:49, Kai Engert wrote:
>> Notable changes:
>> * The TLS 1.3 implementation was updated to Draft 28.
>
> I find it unfortunate that you update the draft version to 28 and did
> not keep it at 26 like some other implementations, since the protocol
> did not change since draft 26. This makes it harder to actually test
> things.

Are there relevant technical changes between 26 and 28 ?

See https://bugzilla.mozilla.org/show_bug.cgi?id=1446643#c4 in which EKR
suggests (IIUC) that there are no changes between 26 and 28.

Kai


Re: [ANNOUNCE] NSS 3.37 Release

Kai Engert-4
On 14.05.2018 13:24, Kai Engert wrote:

> On 14.05.2018 11:11, Kurt Roeckx wrote:
>> On 2018-05-08 22:49, Kai Engert wrote:
>>> Notable changes:
>>> * The TLS 1.3 implementation was updated to Draft 28.
>>
>> I find it unfortunate that you update the draft version to 28 and did
>> not keep it at 26 like some other implementations, since the protocol
>> did not change since draft 26. This makes it harder to actually test
>> things.
>
> Are there relevant technical changes between 26 and 28 ?
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=1446643#c4 in which EKR
> suggests (IIUC) that there are no changes between 26 and 28.

I meant, no technical changes for NSS are required between 26 and 28, if
I understand EKR's comment correctly.

Kai


Re: [ANNOUNCE] NSS 3.37 Release

Martin Thomson
Yes, aside from the version number the two versions are identical.

On Mon, 14 May 2018, 21:51 Kai Engert, <[hidden email]> wrote:

> On 14.05.2018 13:24, Kai Engert wrote:
> > On 14.05.2018 11:11, Kurt Roeckx wrote:
> >> On 2018-05-08 22:49, Kai Engert wrote:
> >>> Notable changes:
> >>> * The TLS 1.3 implementation was updated to Draft 28.
> >>
> >> I find it unfortunate that you update the draft version to 28 and did
> >> not keep it at 26 like some other implementations, since the protocol
> >> did not change since draft 26. This makes it harder to actually test
> >> things.
> >
> > Are there relevant technical changes between 26 and 28 ?
> >
> > See https://bugzilla.mozilla.org/show_bug.cgi?id=1446643#c4 in which EKR
> > suggests (IIUC) that there are no changes between 26 and 28.
>
> I meant, no technical changes for NSS are required between 26 and 28, if
> I understand EKR's comment correctly.
>
> Kai

Re: [ANNOUNCE] NSS 3.37 Release

Kurt Roeckx
On 2018-05-14 13:51, Kai Engert wrote:

> On 14.05.2018 13:24, Kai Engert wrote:
>> On 14.05.2018 11:11, Kurt Roeckx wrote:
>>> On 2018-05-08 22:49, Kai Engert wrote:
>>>> Notable changes:
>>>> * The TLS 1.3 implementation was updated to Draft 28.
>>>
>>> I find it unfortunate that you update the draft version to 28 and did
>>> not keep it at 26 like some other implementations, since the protocol
>>> did not change since draft 26. This makes it harder to actually test
>>> things.
>>
>> Are there relevant technical changes between 26 and 28 ?
>>
>> See https://bugzilla.mozilla.org/show_bug.cgi?id=1446643#c4 in which EKR
>> suggests (IIUC) that there are no changes between 26 and 28.
>
> I meant, no technical changes for NSS are required between 26 and 28, if
> I understand EKR's comment correctly.

There are no changes in the protocol between 26 and 28. We now created a
pull request in openssl to support version 26, 27 and 28, which will
probably get merged soon.


Kurt
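
The version-number effect discussed in this thread, as an added example that is not part of any message and is not NSS or OpenSSL code: TLS 1.3 drafts are advertised in the supported_versions extension as 0x7f00 | draft number, so a draft-28 client and a server pinned to draft 26 end up on TLS 1.2 although the protocol is identical. The extension bytes, the server preference lists and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Draft versions are encoded as 0x7f00 | draft number (draft 28 = 0x7f1c). */
#define TLS13_DRAFT(n) ((uint16_t)(0x7f00u | (n)))
#define TLS12 ((uint16_t)0x0303)

/*
 * Parse a ClientHello supported_versions body (1-byte list length, then
 * 2-byte versions) and return the first entry of the server's
 * preference-ordered `accepted` list that the client offers.
 * Returns 0 when nothing overlaps and -1 when the body is malformed.
 */
static int select_version(const uint8_t *ext, size_t len,
                          const uint16_t *accepted, size_t n_accepted)
{
    if (len < 1 || ext[0] < 2 || (ext[0] % 2) != 0 ||
        (size_t)ext[0] + 1 != len)
        return -1;
    for (size_t i = 0; i < n_accepted; i++)
        for (size_t off = 1; off + 1 < len; off += 2)
            if ((uint16_t)((ext[off] << 8) | ext[off + 1]) == accepted[i])
                return accepted[i];
    return 0;
}

/* Constructed sample: a client offering draft 28, then TLS 1.2. */
static const uint8_t client_d28[] = { 0x04, 0x7f, 0x1c, 0x03, 0x03 };

/* Hypothetical server pinned to draft 26, with TLS 1.2 as fallback. */
static int negotiate_pinned_26(void)
{
    const uint16_t accepted[] = { TLS13_DRAFT(26), TLS12 };
    return select_version(client_d28, sizeof client_d28, accepted, 2);
}

/* Hypothetical server accepting drafts 28, 27 and 26, then TLS 1.2. */
static int negotiate_26_to_28(void)
{
    const uint16_t accepted[] = { TLS13_DRAFT(28), TLS13_DRAFT(27),
                                  TLS13_DRAFT(26), TLS12 };
    return select_version(client_d28, sizeof client_d28, accepted, 4);
}

int main(void)
{
    printf("pinned to 26:  0x%04x\n", (unsigned)negotiate_pinned_26());
    printf("accepts 26-28: 0x%04x\n", (unsigned)negotiate_26_to_28());
    return 0;
}
```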
