NSS 3.15 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.

Distribution Information

The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.

NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:

New in NSS 3.15

New Functionality

  • Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);

  • Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.

  • Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.

  • certutil has been updated to support creating name constraints extensions.

New Functions

  • in ssl.h

    • SSL_PeerStapledOCSPResponse - Returns the server’s stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.

    • SSL_SetStapledOCSPResponses - Set’s a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.

  • in ocsp.h

    • CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.

  • in secpkcs7.h

    • SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.

  • in xconst.h

    • CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.

  • in secitem.h

    • SECITEM_AllocArray

    • SECITEM_DupArray

    • SECITEM_FreeArray

    • SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays

    • SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.

  • in pk11pub.h

    • PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.

    • PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.

New Types

  • in secitem.h

    • SECItemArray - Represents a variable-length array of SECItems.

New Macros

  • in ssl.h

    • SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE

Notable Changes in NSS 3.15

  • SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.

  • NSS has migrated from CVS to the Mercurial source control management system.

    Updated build instructions are available at Migration to HG

    As part of this migration, the source code directory layout has been re-organized.

  • The list of root CA certificates in the nssckbi module has been updated.

  • The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.

    Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel.

  • Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.

  • Bug 853285: Fixed bugs in AES GCM.

  • Bug 341127: Fix the invalid read in rc4_wordconv.

  • Faster NIST curve P-256 implementation.

  • Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced.

Bugs fixed in NSS 3.15