[ANNOUNCE] NSS 3.45 Release

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[ANNOUNCE] NSS 3.45 Release

JC Jones
The NSS team has released Network Security Services (NSS) 3.45 on 5 July 2019, which is a minor release.

The NSS team would like to recognize first-time contributors:

    Bastien Abadie
    Christopher Patton
    Jeremie Courreges-Anglas
    Marcus Burghardt
    Michael Shigorin
    Tomas Mraz

The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.

NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:


New Functions

    in pk11pub.h:
        PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL.

Notable Changes in NSS 3.45

    Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
        This adds a new experimental function: SSL_DelegateCredential
        Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360.
        Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078.
    Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
    Bug 1551129 - Support static linking on Windows
    Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
    Bug 1546229 - Add IPSEC IKE support to softoken
    Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
    Bug 1543874 - Expose an external clock for SSL
        This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext.
        The experimental function SSL_InitAntiReplay is removed.
    Bug 1546477 - Various changes in response to the ongoing FIPS review
        Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

Certificate Authority Changes

    The following CA certificates were Removed:
        Bug 1552374 - CN = Certinomis - Root CA
            SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158

Bugs fixed in NSS 3.45

    Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719)
    Bug 1515342 - More thorough input checking (CVE-2019-11729)
    Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
    Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
    Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c  (static analysis)
    Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
    Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
    Bug 1550022 - Ensure nssutil3 gets built on Android
    Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure
    Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
    Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
    Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
    Bug 1553443 - Send session ticket only after handshake is marked as finished
    Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
    Bug 1554336 - Optimize away unneeded loop in mpi.c
    Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
    Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
    Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
    Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
    Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
    Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
    Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION

This Bugzilla query returns all the bugs fixed in NSS 3.45:


Please refer to the release notes for the complete list of changes:
dev-tech-crypto mailing list
[hidden email]