pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/devel/nss
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Jul 20 09:28:12 UTC 2013
Modified Files:
pkgsrc/devel/nss: Makefile distinfo
pkgsrc/devel/nss/patches: patch-am patch-an patch-md patch-me patch-mf
patch-mg patch-mh patch-mj patch-mn
patch-security_nss_cmd_shlibsign_sign.sh
Log Message:
Update to 3.15.1
Changelog:
NSS 3.15.1 release notes
Introduction
Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug
fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below.
Distribution Information
NSS 3.15.1 source distributions are also available on ftp.mozilla.org for
secure HTTPS download:
Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/
New in NSS 3.15.1
New Functionality
TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC
5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and
SHA-1. Note the following limitations.
The hash function used in the signature for TLS 1.2 client
authentication must be the hash function of the TLS 1.2 PRF, which is always
SHA-256 in NSS 3.15.1.
AES GCM cipher suites are not yet supported.
New Functions
None.
New Types
in sslprot.h
SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the
wire, value 0x0303.
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites.
in sslerr.h
SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE,
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2.
in sslt.h
ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type.
ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum
type.
New PKCS #11 Mechanisms
None.
Notable Changes in NSS 3.15.1
Bug 856060 - Enforce name constraints on the common name in libpkix when
no subjectAltName is present.
Bug 875156 - Add const to the function arguments of
SEC_CertNicknameConflict.
Bug 877798 - Fix ssltap to print the certificate_status handshake message
correctly.
Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the
RtlGenRandom function.
Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token
delay, leading to spurious failures.
Bug 884072 - Fix a typo in the header include guard macro of secmod.h.
Bug 876352 - certutil now warns if importing a PEM file that contains a
private key.
Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it
failed.
The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.
Bugs fixed in NSS 3.15.1
https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS
Compatibility
NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.1 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the functions
listed in NSS Public Functions will remain compatible with future versions of
the NSS shared libraries.
NSS 3.15 release notes
Introduction
The NSS team has released Network Security Services (NSS) 3.15, which is a
minor release.
Distribution Information
The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.
NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS
download:
Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/
New in NSS 3.15
New Functionality
Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been
added for both client and server sockets. TLS client applications may enable
this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
Added function SECITEM_ReallocItemV2. It replaces function
SECITEM_ReallocItem, which is now declared as obsolete.
Support for single-operation (eg: not multi-part) symmetric key encryption
and decryption, via PK11_Encrypt and PK11_Decrypt.
certutil has been updated to support creating name constraints extensions.
New Functions
in ssl.h
SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP
response, when used with a TLS client socket that negotiated the status_request
extension.
SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS
server socket to return when clients send the status_request extension.
in ocsp.h
CERT_PostOCSPRequest - Primarily intended for testing, permits the
sending and receiving of raw OCSP request/responses.
in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at
a specific time other than the present time.
in xconst.h
CERT_EncodeNameConstraintsExtension - Matching function for
CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
in secitem.h
SECITEM_AllocArray
SECITEM_DupArray
SECITEM_FreeArray
SECITEM_ZfreeArray - Utility functions to handle the allocation and
deallocation of SECItemArrays
SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now
obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it
updates item->len on allocation. For more details of the issues with
SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
in pk11pub.h
PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg:
not multi-part). This is necessary for AES-GCM.
PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg:
not multi-part). This is necessary for AES-GCM.
New Types
in secitem.h
SECItemArray - Represents a variable-length array of SECItems.
New Macros
in ssl.h
SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS
client sockets to request the certificate_status extension (eg: OCSP stapling)
when set to PR_TRUE
Notable Changes in NSS 3.15
SECITEM_ReallocItem is now deprecated. Please consider using
SECITEM_ReallocItemV2 in all future code.
NSS has migrated from CVS to the Mercurial source control management system.
Updated build instructions are available at Migration to HG
As part of this migration, the source code directory layout has been
re-organized.
The list of root CA certificates in the nssckbi module has been updated.
The default implementation of SSL_AuthCertificate has been updated to add
certificate status responses stapled by the TLS server to the OCSP cache.
Applications that use SSL_AuthCertificateHook to override the default
handler should add appropriate calls to SSL_PeerStapledOCSPResponse and
CERT_CacheOCSPResponseFromSideChannel.
Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and
other OCSP caching behaviour.
Bug 853285: Fixed bugs in AES GCM.
Bug 341127: Fix the invalid read in rc4_wordconv.
Faster NIST curve P-256 implementation.
Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library
libfreebl_32int_3.so is no longer produced.
Bugs fixed in NSS 3.15
This Bugzilla query returns all the bugs fixed in NSS 3.15:
https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15
To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/devel/nss/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/nss/patches/patch-am \
pkgsrc/devel/nss/patches/patch-mf
cvs rdiff -u -r1.5 -r1.6 pkgsrc/devel/nss/patches/patch-an
cvs rdiff -u -r1.1 -r1.2 pkgsrc/devel/nss/patches/patch-md \
pkgsrc/devel/nss/patches/patch-me pkgsrc/devel/nss/patches/patch-mg \
pkgsrc/devel/nss/patches/patch-mh pkgsrc/devel/nss/patches/patch-mj \
pkgsrc/devel/nss/patches/patch-mn \
pkgsrc/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Home |
Main Index |
Thread Index |
Old Index