1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
|
.. _mozilla_projects_nss_nss_3_12_release_notes_html:
NSS_3.12_release_notes.html
===========================
.. _nss_3.12_release_notes:
`NSS 3.12 Release Notes <#nss_3.12_release_notes>`__
----------------------------------------------------
.. container::
.. _17_june_2008:
`17 June 2008 <#17_june_2008>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
`Contents <#contents>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- `Introduction <#introduction>`__
- `Distribution Information <#distribution_information>`__
- `New in NSS 3.12 <#new_in_nss_3.12>`__
- `Bugs Fixed <#bugs_fixed>`__
- `Documentation <#documentation>`__
- `Compatibility <#compatibility>`__
- `Feedback <#feedback>`__
--------------
`Introduction <#introduction>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Network Security Services (NSS) 3.12 is a minor release with the following new features:
- SQLite-Based Shareable Certificate and Key Databases
- libpkix: an RFC 3280 Compliant Certificate Path Validation Library
- Camellia cipher support
- TLS session ticket extension (RFC 5077)
NSS 3.12 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
Note: Firefox 3 uses NSS 3.12, but not the new SQLite-based shareable certificate and key
databases. We missed the deadline to enable that feature in Firefox 3.
--------------
.. _distribution_information:
`Distribution Information <#distribution_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
The CVS tag for the NSS 3.12 release is NSS_3_12_RTM. NSS 3.12 requires `NSPR
4.7.1 <https://www.mozilla.org/projects/nspr/release-notes/nspr471.html>`__.
See the `Documentation <#docs>`__ section for the build instructions.
NSS 3.12 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/.
- Binary distributions:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/. Both debug and
optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
(optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12
directory containing three subdirectories:
- include - NSS header files
- lib - NSS shared libraries
- bin - `NSS Tools <https://www.mozilla.org/projects/security/pki/nss/tools/>`__ and test
programs
You also need to download the NSPR 4.7.1 binary distributions to get the NSPR 4.7.1 header files
and shared libraries, which NSS 3.12 requires. NSPR 4.7.1 binary distributions are in
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.1/.
NSS 3.12 libraries have the following versions:
- sqlite3: 3.3.17
- nssckbi: 1.70
- softokn3 and freebl3: 3.12.0.3
- other NSS libraries: 3.12.0.3
--------------
.. _new_in_nss_3.12:
`New in NSS 3.12 <#new_in_nss_3.12>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- 3 new shared library are shipped with NSS 3.12:
- nssutil
- sqlite
- nssdbm
- 1 new include file is shipped with NSS3.12:
- utilrename.h
- New functions in the nss shared library:
- CERT_CheckNameSpace (see cert.h)
- CERT_EncodeCertPoliciesExtension (see cert.h)
- CERT_EncodeInfoAccessExtension (see cert.h)
- CERT_EncodeInhibitAnyExtension (see cert.h)
- CERT_EncodeNoticeReference (see cert.h)
- CERT_EncodePolicyConstraintsExtension (see cert.h)
- CERT_EncodePolicyMappingExtension (see cert.h)
- CERT_EncodeSubjectKeyID (see certdb/cert.h)
- CERT_EncodeUserNotice (see cert.h)
- CERT_FindCRLEntryReasonExten (see cert.h)
- CERT_FindCRLNumberExten (see cert.h)
- CERT_FindNameConstraintsExten (see cert.h)
- CERT_GetClassicOCSPDisabledPolicy (see cert.h)
- CERT_GetClassicOCSPEnabledHardFailurePolicy (see cert.h)
- CERT_GetClassicOCSPEnabledSoftFailurePolicy (see cert.h)
- CERT_GetPKIXVerifyNistRevocationPolicy (see cert.h)
- CERT_GetUsePKIXForValidation (see cert.h)
- CERT_GetValidDNSPatternsFromCert (see cert.h)
- CERT_NewTempCertificate (see cert.h)
- CERT_SetOCSPTimeout (see certhigh/ocsp.h)
- CERT_SetUsePKIXForValidation (see cert.h)
- CERT_PKIXVerifyCert (see cert.h)
- HASH_GetType (see sechash.h)
- NSS_InitWithMerge (see nss.h)
- PK11_CreateMergeLog (see pk11pub.h)
- PK11_CreateGenericObject (see pk11pub.h)
- PK11_CreatePBEV2AlgorithmID (see pk11pub.h)
- PK11_DestroyMergeLog (see pk11pub.h)
- PK11_GenerateKeyPairWithOpFlags (see pk11pub.h)
- PK11_GetPBECryptoMechanism (see pk11pub.h)
- PK11_IsRemovable (see pk11pub.h)
- PK11_MergeTokens (see pk11pub.h)
- PK11_WriteRawAttribute (see pk11pub.h)
- SECKEY_ECParamsToBasePointOrderLen (see keyhi.h)
- SECKEY_ECParamsToKeySize (see keyhi.h)
- SECMOD_DeleteModuleEx (see secmod.h)
- SEC_GetRegisteredHttpClient (see ocsp.h)
- SEC_PKCS5IsAlgorithmPBEAlgTag (see secpkcs5.h)
- VFY_CreateContextDirect (see cryptohi.h)
- VFY_CreateContextWithAlgorithmID (see cryptohi.h)
- VFY_VerifyDataDirect (see cryptohi.h)
- VFY_VerifyDataWithAlgorithmID (see cryptohi.h)
- VFY_VerifyDigestDirect (see cryptohi.h)
- VFY_VerifyDigestWithAlgorithmID (see cryptohi.h)
- New macros for Camellia support (see blapit.h):
- NSS_CAMELLIA
- NSS_CAMELLIA_CBC
- CAMELLIA_BLOCK_SIZE
- New macros for RSA (see blapit.h):
- RSA_MAX_MODULUS_BITS
- RSA_MAX_EXPONENT_BITS
- New macros in certt.h:
- X.509 v3
- KU_ENCIPHER_ONLY
- CERT_MAX_SERIAL_NUMBER_BYTES
- CERT_MAX_DN_BYTES
- PKIX
- CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD
- CERT_REV_M_TEST_USING_THIS_METHOD
- CERT_REV_M_ALLOW_NETWORK_FETCHING
- CERT_REV_M_FORBID_NETWORK_FETCHING
- CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
- CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
- CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
- CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
- CERT_REV_M_IGNORE_MISSING_FRESH_INFO
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
- CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
- CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
- CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
- CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT
- CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
- CERT_POLICY_FLAG_NO_MAPPING
- CERT_POLICY_FLAG_EXPLICIT
- CERT_POLICY_FLAG_NO_ANY
- CERT_ENABLE_LDAP_FETCH
- CERT_ENABLE_HTTP_FETCH
- New macro in utilrename.h:
- SMIME_AES_CBC_128
- The nssckbi PKCS #11 module's version changed to 1.70.
- In pkcs11n.h, all the \_NETSCAPE\_ macros are renamed with \_NSS\_
- For example, CKO_NETSCAPE_CRL becomes CKO_NSS_CRL.
- New for PKCS #11 (see pkcs11t.h for details):
- CKK: Keys
- CKK_CAMELLIA
- CKM: Mechanisms
- CKM_SHA224_RSA_PKCS
- CKM_SHA224_RSA_PKCS_PSS
- CKM_SHA224
- CKM_SHA224_HMAC
- CKM_SHA224_HMAC_GENERAL
- CKM_SHA224_KEY_DERIVATION
- CKM_CAMELLIA_KEY_GEN
- CKM_CAMELLIA_ECB
- CKM_CAMELLIA_CBC
- CKM_CAMELLIA_MAC
- CKM_CAMELLIA_MAC_GENERAL
- CKM_CAMELLIA_CBC_PAD
- CKM_CAMELLIA_ECB_ENCRYPT_DATA
- CKM_CAMELLIA_CBC_ENCRYPT_DATA
- CKG: MFGs
- CKG_MGF1_SHA224
- New error codes (see secerr.h):
- SEC_ERROR_NOT_INITIALIZED
- SEC_ERROR_TOKEN_NOT_LOGGED_IN
- SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
- SEC_ERROR_OCSP_BAD_SIGNATURE
- SEC_ERROR_OUT_OF_SEARCH_LIMITS
- SEC_ERROR_INVALID_POLICY_MAPPING
- SEC_ERROR_POLICY_VALIDATION_FAILED
- SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE
- SEC_ERROR_BAD_HTTP_RESPONSE
- SEC_ERROR_BAD_LDAP_RESPONSE
- SEC_ERROR_FAILED_TO_ENCODE_DATA
- SEC_ERROR_BAD_INFO_ACCESS_LOCATION
- SEC_ERROR_LIBPKIX_INTERNAL
- New mechanism flags (see secmod.h)
- PUBLIC_MECH_AES_FLAG
- PUBLIC_MECH_SHA256_FLAG
- PUBLIC_MECH_SHA512_FLAG
- PUBLIC_MECH_CAMELLIA_FLAG
- New OIDs (see secoidt.h)
- new EC Signature oids
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST
- SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE
- SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE
- More id-ce and id-pe OIDs from RFC 3280
- SEC_OID_X509_HOLD_INSTRUCTION_CODE
- SEC_OID_X509_DELTA_CRL_INDICATOR
- SEC_OID_X509_ISSUING_DISTRIBUTION_POINT
- SEC_OID_X509_CERT_ISSUER
- SEC_OID_X509_FRESHEST_CRL
- SEC_OID_X509_INHIBIT_ANY_POLICY
- SEC_OID_X509_SUBJECT_INFO_ACCESS
- Camellia OIDs (RFC3657)
- SEC_OID_CAMELLIA_128_CBC
- SEC_OID_CAMELLIA_192_CBC
- SEC_OID_CAMELLIA_256_CBC
- PKCS 5 V2 OIDS
- SEC_OID_PKCS5_PBKDF2
- SEC_OID_PKCS5_PBES2
- SEC_OID_PKCS5_PBMAC1
- SEC_OID_HMAC_SHA1
- SEC_OID_HMAC_SHA224
- SEC_OID_HMAC_SHA256
- SEC_OID_HMAC_SHA384
- SEC_OID_HMAC_SHA512
- SEC_OID_PKIX_TIMESTAMPING
- SEC_OID_PKIX_CA_REPOSITORY
- SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE
- Changed OIDs (see secoidt.h)
- SEC_OID_PKCS12_KEY_USAGE changed to SEC_OID_BOGUS_KEY_USAGE
- SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST changed to
SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
- Note: SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST is also kept for compatibility
reasons.
- TLS Session ticket extension (off by default)
- See SSL_ENABLE_SESSION_TICKETS in ssl.h
- New SSL error codes (see sslerr.h)
- SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
- SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT
- SSL_ERROR_UNRECOGNIZED_NAME_ALERT
- SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT
- SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT
- SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
- SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET
- New TLS cipher suites (see sslproto.h):
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- Note: the following TLS cipher suites are declared but are not yet implemented:
- TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
- TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
- TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
- TLS_ECDH_anon_WITH_NULL_SHA
- TLS_ECDH_anon_WITH_RC4_128_SHA
- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_anon_WITH_AES_128_CBC_SHA
- TLS_ECDH_anon_WITH_AES_256_CBC_SHA
--------------
.. _bugs_fixed:
`Bugs Fixed <#bugs_fixed>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
The following bugs have been fixed in NSS 3.12.
- `Bug 354403 <https://bugzilla.mozilla.org/show_bug.cgi?id=354403>`__: nssList_CreateIterator
returns pointer to a freed memory if the function fails to allocate a lock
- `Bug 399236 <https://bugzilla.mozilla.org/show_bug.cgi?id=399236>`__: pkix wrapper must print
debug output into stderr
- `Bug 399300 <https://bugzilla.mozilla.org/show_bug.cgi?id=399300>`__: PKIX error results not
freed after use.
- `Bug 414985 <https://bugzilla.mozilla.org/show_bug.cgi?id=414985>`__: Crash in
pkix_pl_OcspRequest_Destroy
- `Bug 421870 <https://bugzilla.mozilla.org/show_bug.cgi?id=421870>`__: Strsclnt crashed in PKIX
tests.
- `Bug 429388 <https://bugzilla.mozilla.org/show_bug.cgi?id=429388>`__: vfychain.main leaks
memory
- `Bug 396044 <https://bugzilla.mozilla.org/show_bug.cgi?id=396044>`__: Warning: usage of
uninitialized variable in ckfw/object.c(174)
- `Bug 396045 <https://bugzilla.mozilla.org/show_bug.cgi?id=396045>`__: Warning: usage of
uninitialized variable in ckfw/mechanism.c(719)
- `Bug 401986 <https://bugzilla.mozilla.org/show_bug.cgi?id=401986>`__: Mac OS X leopard build
failure in legacydb
- `Bug 325805 <https://bugzilla.mozilla.org/show_bug.cgi?id=325805>`__: diff considers
mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file
- `Bug 385151 <https://bugzilla.mozilla.org/show_bug.cgi?id=385151>`__: Remove the link time
dependency from NSS to Softoken
- `Bug 387892 <https://bugzilla.mozilla.org/show_bug.cgi?id=387892>`__: Add Entrust root CA
certificate(s) to NSS
- `Bug 433386 <https://bugzilla.mozilla.org/show_bug.cgi?id=433386>`__: when system clock is off
by more than two days, OSCP check fails, can result in crash if user tries to view certificate
[[@ SECITEM_CompareItem_Util] [[@ memcmp]
- `Bug 396256 <https://bugzilla.mozilla.org/show_bug.cgi?id=396256>`__: certutil and pp do not
print all the GeneralNames in a CRLDP extension
- `Bug 398019 <https://bugzilla.mozilla.org/show_bug.cgi?id=398019>`__: correct confusing and
erroneous comments in DER_AsciiToTime
- `Bug 422866 <https://bugzilla.mozilla.org/show_bug.cgi?id=422866>`__: vfychain -pp command
crashes in NSS_shutdown
- `Bug 345779 <https://bugzilla.mozilla.org/show_bug.cgi?id=345779>`__: Useless assignment
statements in ec_GF2m_pt_mul_mont
- `Bug 349011 <https://bugzilla.mozilla.org/show_bug.cgi?id=349011>`__: please stop exporting
these crmf\_ symbols
- `Bug 397178 <https://bugzilla.mozilla.org/show_bug.cgi?id=397178>`__: Crash when entering
chrome://pippki/content/resetpassword.xul in URL bar
- `Bug 403822 <https://bugzilla.mozilla.org/show_bug.cgi?id=403822>`__:
pkix_pl_OcspRequest_Create can leave some members uninitialized
- `Bug 403910 <https://bugzilla.mozilla.org/show_bug.cgi?id=403910>`__:
CERT_FindUserCertByUsage() returns wrong certificate if multiple certs with same subject
available
- `Bug 404919 <https://bugzilla.mozilla.org/show_bug.cgi?id=404919>`__: memory leak in
sftkdb_ReadSecmodDB() (sftkmod.c)
- `Bug 406120 <https://bugzilla.mozilla.org/show_bug.cgi?id=406120>`__: Allow application to
specify OCSP timeout
- `Bug 361025 <https://bugzilla.mozilla.org/show_bug.cgi?id=361025>`__: Support for Camellia
Cipher Suites to TLS RFC4132
- `Bug 376417 <https://bugzilla.mozilla.org/show_bug.cgi?id=376417>`__: PK11_GenerateKeyPair
needs to get the key usage from the caller.
- `Bug 391291 <https://bugzilla.mozilla.org/show_bug.cgi?id=391291>`__: Shared Database
Integrity checks not yet implemented.
- `Bug 391292 <https://bugzilla.mozilla.org/show_bug.cgi?id=391292>`__: Shared Database
implementation slow
- `Bug 391294 <https://bugzilla.mozilla.org/show_bug.cgi?id=391294>`__: Shared Database
implementation really slow on network file systems
- `Bug 392521 <https://bugzilla.mozilla.org/show_bug.cgi?id=392521>`__: Automatic shared db
update fails if user opens database R/W but never supplies a password
- `Bug 392522 <https://bugzilla.mozilla.org/show_bug.cgi?id=392522>`__: Integrity hashes must be
updated when passwords are changed.
- `Bug 401610 <https://bugzilla.mozilla.org/show_bug.cgi?id=401610>`__: Shared DB fails on IOPR
tests
- `Bug 388120 <https://bugzilla.mozilla.org/show_bug.cgi?id=388120>`__: build error due to
SEC_BEGIN_PROTOS / SEC_END_PROTOS are undefined
- `Bug 415264 <https://bugzilla.mozilla.org/show_bug.cgi?id=415264>`__: Make Security use of new
NSPR rotate macros
- `Bug 317052 <https://bugzilla.mozilla.org/show_bug.cgi?id=317052>`__: lib/base/whatnspr.c is
obsolete
- `Bug 317323 <https://bugzilla.mozilla.org/show_bug.cgi?id=317323>`__: Set NSPR31_LIB_PREFIX to
empty explicitly for WIN95 and WINCE builds
- `Bug 320336 <https://bugzilla.mozilla.org/show_bug.cgi?id=320336>`__: SECITEM_AllocItem
returns a non-NULL pointer if the allocation of its 'data' buffer fails
- `Bug 327529 <https://bugzilla.mozilla.org/show_bug.cgi?id=327529>`__: Can't pass 0 as an
unnamed null pointer argument to CERT_CreateRDN
- `Bug 334683 <https://bugzilla.mozilla.org/show_bug.cgi?id=334683>`__: Extraneous semicolons
cause Empty declaration compiler warnings
- `Bug 335275 <https://bugzilla.mozilla.org/show_bug.cgi?id=335275>`__: Compile with the GCC
flag -Werror-implicit-function-declaration
- `Bug 354565 <https://bugzilla.mozilla.org/show_bug.cgi?id=354565>`__: fipstest sha_test needs
to detect SHA tests that are incorrectly configured for BIT oriented implementations
- `Bug 356595 <https://bugzilla.mozilla.org/show_bug.cgi?id=356595>`__: On Windows,
RNG_SystemInfoForRNG calls GetCurrentProcess, which returns the constant (HANDLE)-1.
- `Bug 357015 <https://bugzilla.mozilla.org/show_bug.cgi?id=357015>`__: On Windows,
ReadSystemFiles reads 21 files as opposed to 10 files in C:\WINDOWS\system32.
- `Bug 361076 <https://bugzilla.mozilla.org/show_bug.cgi?id=361076>`__: Clean up the
USE_PTHREADS related code in coreconf/SunOS5.mk.
- `Bug 361077 <https://bugzilla.mozilla.org/show_bug.cgi?id=361077>`__: Clean up the
USE_PTHREADS related code in coreconf/HP-UX*.mk.
- `Bug 402114 <https://bugzilla.mozilla.org/show_bug.cgi?id=402114>`__: Fix the incorrect
function prototypes of SSL handshake callbacks
- `Bug 402308 <https://bugzilla.mozilla.org/show_bug.cgi?id=402308>`__: Fix miscellaneous
compiler warnings in nss/cmd
- `Bug 402777 <https://bugzilla.mozilla.org/show_bug.cgi?id=402777>`__: lib/util can't be built
stand-alone.
- `Bug 407866 <https://bugzilla.mozilla.org/show_bug.cgi?id=407866>`__: Contributed improvement
to security/nss/lib/freebl/mpi/mp_comba.c
- `Bug 410587 <https://bugzilla.mozilla.org/show_bug.cgi?id=410587>`__: SSL_GetChannelInfo
returns SECSuccess on invalid arguments
- `Bug 416508 <https://bugzilla.mozilla.org/show_bug.cgi?id=416508>`__: Fix a \_MSC_VER typo in
sha512.c, and use SEC_BEGIN_PROTOS/SEC_END_PROTOS in secport.h
- `Bug 419242 <https://bugzilla.mozilla.org/show_bug.cgi?id=419242>`__: 'all' is not the default
makefile target in lib/softoken and lib/softoken/legacydb
- `Bug 419523 <https://bugzilla.mozilla.org/show_bug.cgi?id=419523>`__: Export
Cert_NewTempCertificate.
- `Bug 287061 <https://bugzilla.mozilla.org/show_bug.cgi?id=287061>`__: CRL number should be a
big integer, not ulong
- `Bug 301213 <https://bugzilla.mozilla.org/show_bug.cgi?id=301213>`__: Combine internal libpkix
function tests into a single statically linked program
- `Bug 324740 <https://bugzilla.mozilla.org/show_bug.cgi?id=324740>`__: add generation of SIA
and AIA extensions to certutil
- `Bug 339737 <https://bugzilla.mozilla.org/show_bug.cgi?id=339737>`__: LIBPKIX OCSP checking
calls CERT_VerifyCert
- `Bug 358785 <https://bugzilla.mozilla.org/show_bug.cgi?id=358785>`__: Merge NSS_LIBPKIX_BRANCH
back to trunk
- `Bug 365966 <https://bugzilla.mozilla.org/show_bug.cgi?id=365966>`__: infinite recursive call
in VFY_VerifyDigestDirect
- `Bug 382078 <https://bugzilla.mozilla.org/show_bug.cgi?id=382078>`__: pkix default http client
returns error when try to get an ocsp response.
- `Bug 384926 <https://bugzilla.mozilla.org/show_bug.cgi?id=384926>`__: libpkix build problems
- `Bug 389411 <https://bugzilla.mozilla.org/show_bug.cgi?id=389411>`__: Mingw build error -
undefined reference to \`_imp__PKIX_ERRORNAMES'
- `Bug 389904 <https://bugzilla.mozilla.org/show_bug.cgi?id=389904>`__: avoid multiple
decoding/encoding while creating and using PKIX_PL_X500Name
- `Bug 390209 <https://bugzilla.mozilla.org/show_bug.cgi?id=390209>`__: pkix AIA manager tries
to get certs using AIA url with OCSP access method
- `Bug 390233 <https://bugzilla.mozilla.org/show_bug.cgi?id=390233>`__: umbrella bug for libPKIX
cert validation failures discovered from running vfyserv
- `Bug 390499 <https://bugzilla.mozilla.org/show_bug.cgi?id=390499>`__: libpkix does not check
cached cert chain for revocation
- `Bug 390502 <https://bugzilla.mozilla.org/show_bug.cgi?id=390502>`__: libpkix fails cert
validation when no valid CRL (NIST validation policy is always enforced)
- `Bug 390530 <https://bugzilla.mozilla.org/show_bug.cgi?id=390530>`__: libpkix does not support
time override
- `Bug 390536 <https://bugzilla.mozilla.org/show_bug.cgi?id=390536>`__: Cert validation
functions must validate leaf cert themselves
- `Bug 390554 <https://bugzilla.mozilla.org/show_bug.cgi?id=390554>`__: all PKIX_NULLCHECK\_
errors are reported as PKIX ALLOC ERROR
- `Bug 390888 <https://bugzilla.mozilla.org/show_bug.cgi?id=390888>`__: CERT_Verify\* functions
should be able to use libPKIX
- `Bug 391457 <https://bugzilla.mozilla.org/show_bug.cgi?id=391457>`__: libpkix does not check
for object ref leak at shutdown
- `Bug 391774 <https://bugzilla.mozilla.org/show_bug.cgi?id=391774>`__: PKIX_Shutdown is not
called by nssinit.c
- `Bug 393174 <https://bugzilla.mozilla.org/show_bug.cgi?id=393174>`__: Memory leaks in
ocspclnt/PKIX.
- `Bug 395093 <https://bugzilla.mozilla.org/show_bug.cgi?id=395093>`__:
pkix_pl_HttpCertStore_ProcessCertResponse is unable to process certs in DER format
- `Bug 395224 <https://bugzilla.mozilla.org/show_bug.cgi?id=395224>`__: Don't reject certs with
critical NetscapeCertType extensions in libPKIX
- `Bug 395427 <https://bugzilla.mozilla.org/show_bug.cgi?id=395427>`__: PKIX_PL_Initialize must
not call NSS_Init
- `Bug 395850 <https://bugzilla.mozilla.org/show_bug.cgi?id=395850>`__: build of libpkix tests
creates links to nonexistant shared libraries and breaks windows build
- `Bug 398401 <https://bugzilla.mozilla.org/show_bug.cgi?id=398401>`__: Memory leak in PKIX
init.
- `Bug 399326 <https://bugzilla.mozilla.org/show_bug.cgi?id=399326>`__: libpkix is unable to
validate cert for certUsageStatusResponder
- `Bug 400947 <https://bugzilla.mozilla.org/show_bug.cgi?id=400947>`__: thread unsafe operation
in PKIX_PL_HashTable_Add cause selfserv to crash.
- `Bug 402773 <https://bugzilla.mozilla.org/show_bug.cgi?id=402773>`__: Verify the list of
public header files in NSS 3.12
- `Bug 403470 <https://bugzilla.mozilla.org/show_bug.cgi?id=403470>`__: Strsclnt + tstclnt
crashes when PKIX enabled.
- `Bug 403685 <https://bugzilla.mozilla.org/show_bug.cgi?id=403685>`__: Application crashes
after having called CERT_PKIXVerifyCert
- `Bug 408434 <https://bugzilla.mozilla.org/show_bug.cgi?id=408434>`__: Crash with PKIX based
verify
- `Bug 411614 <https://bugzilla.mozilla.org/show_bug.cgi?id=411614>`__: Explicit Policy does not
seem to work.
- `Bug 417024 <https://bugzilla.mozilla.org/show_bug.cgi?id=417024>`__: Convert libpkix error
code into nss error code
- `Bug 422859 <https://bugzilla.mozilla.org/show_bug.cgi?id=422859>`__: libPKIX builds &
validates chain to root not in the caller-provided anchor list
- `Bug 425516 <https://bugzilla.mozilla.org/show_bug.cgi?id=425516>`__: need to destroy data
pointed by CERTValOutParam array in case of error
- `Bug 426450 <https://bugzilla.mozilla.org/show_bug.cgi?id=426450>`__: PKIX_PL_HashTable_Remove
leaks hashtable key object
- `Bug 429230 <https://bugzilla.mozilla.org/show_bug.cgi?id=429230>`__: memory leak in
pkix_CheckCert function
- `Bug 392696 <https://bugzilla.mozilla.org/show_bug.cgi?id=392696>`__: Fix copyright
boilerplate in all new PKIX code
- `Bug 300928 <https://bugzilla.mozilla.org/show_bug.cgi?id=300928>`__: Integrate libpkix to NSS
- `Bug 303457 <https://bugzilla.mozilla.org/show_bug.cgi?id=303457>`__: extensions newly
supported in libpkix must be marked supported
- `Bug 331096 <https://bugzilla.mozilla.org/show_bug.cgi?id=331096>`__: NSS Softoken must detect
forks on all unix-ish platforms
- `Bug 390710 <https://bugzilla.mozilla.org/show_bug.cgi?id=390710>`__:
CERTNameConstraintsTemplate is incorrect
- `Bug 416928 <https://bugzilla.mozilla.org/show_bug.cgi?id=416928>`__: DER decode error on this
policy extension
- `Bug 375019 <https://bugzilla.mozilla.org/show_bug.cgi?id=375019>`__: Cache-enable
pkix_OcspChecker_Check
- `Bug 391454 <https://bugzilla.mozilla.org/show_bug.cgi?id=391454>`__: libPKIX does not honor
NSS's override trust flags
- `Bug 403682 <https://bugzilla.mozilla.org/show_bug.cgi?id=403682>`__: CERT_PKIXVerifyCert
never succeeds
- `Bug 324744 <https://bugzilla.mozilla.org/show_bug.cgi?id=324744>`__: add generation of policy
extensions to certutil
- `Bug 390973 <https://bugzilla.mozilla.org/show_bug.cgi?id=390973>`__: Add long option names to
SECU_ParseCommandLine
- `Bug 161326 <https://bugzilla.mozilla.org/show_bug.cgi?id=161326>`__: need API to convert
dotted OID format to/from octet representation
- `Bug 376737 <https://bugzilla.mozilla.org/show_bug.cgi?id=376737>`__: CERT_ImportCerts
routinely sets VALID_PEER or VALID_CA OVERRIDE trust flags
- `Bug 390381 <https://bugzilla.mozilla.org/show_bug.cgi?id=390381>`__: libpkix rejects cert
chain when root CA cert has no basic constraints
- `Bug 391183 <https://bugzilla.mozilla.org/show_bug.cgi?id=391183>`__: rename libPKIX error
string number type to pkix error number types
- `Bug 397122 <https://bugzilla.mozilla.org/show_bug.cgi?id=397122>`__: NSS 3.12 alpha treats a
key3.db with no global salt as having no password
- `Bug 405966 <https://bugzilla.mozilla.org/show_bug.cgi?id=405966>`__: Unknown signature OID
1.3.14.3.2.29 causes sec_error_bad_signature, 3.11 ignores it
- `Bug 413010 <https://bugzilla.mozilla.org/show_bug.cgi?id=413010>`__: CERT_CompareRDN may
return a false match
- `Bug 417664 <https://bugzilla.mozilla.org/show_bug.cgi?id=417664>`__: false positive crl
revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
- `Bug 404526 <https://bugzilla.mozilla.org/show_bug.cgi?id=404526>`__: glibc detected free():
invalid pointer
- `Bug 300929 <https://bugzilla.mozilla.org/show_bug.cgi?id=300929>`__: Certificate Policy
extensions not supported
- `Bug 129303 <https://bugzilla.mozilla.org/show_bug.cgi?id=129303>`__: NSS needs to expose
interfaces to deal with multiple token sources of certs.
- `Bug 217538 <https://bugzilla.mozilla.org/show_bug.cgi?id=217538>`__: softoken databases
cannot be shared between multiple processes
- `Bug 294531 <https://bugzilla.mozilla.org/show_bug.cgi?id=294531>`__: Design new interfaces
for certificate path building and verification for libPKIX
- `Bug 326482 <https://bugzilla.mozilla.org/show_bug.cgi?id=326482>`__: NSS ECC performance
problems (intel)
- `Bug 391296 <https://bugzilla.mozilla.org/show_bug.cgi?id=391296>`__: Need an update helper
for Shared Databases
- `Bug 395090 <https://bugzilla.mozilla.org/show_bug.cgi?id=395090>`__: remove duplication of
pkcs7 code from pkix_pl_httpcertstore.c
- `Bug 401026 <https://bugzilla.mozilla.org/show_bug.cgi?id=401026>`__: Need to provide a way to
modify and create new PKCS #11 objects.
- `Bug 403680 <https://bugzilla.mozilla.org/show_bug.cgi?id=403680>`__: CERT_PKIXVerifyCert
fails if CRLs are missing, implement cert_pi_revocationFlags
- `Bug 427706 <https://bugzilla.mozilla.org/show_bug.cgi?id=427706>`__: NSS_3_12_RC1 crashes in
passwordmgr tests
- `Bug 426245 <https://bugzilla.mozilla.org/show_bug.cgi?id=426245>`__: Assertion failure went
undetected by tinderbox
- `Bug 158242 <https://bugzilla.mozilla.org/show_bug.cgi?id=158242>`__: PK11_PutCRL is very
memory inefficient
- `Bug 287563 <https://bugzilla.mozilla.org/show_bug.cgi?id=287563>`__: Please make
cert_CompareNameWithConstraints a non-static function
- `Bug 301496 <https://bugzilla.mozilla.org/show_bug.cgi?id=301496>`__: NSS_Shutdown failure in
p7sign
- `Bug 324878 <https://bugzilla.mozilla.org/show_bug.cgi?id=324878>`__: crlutil -L outputs false
CRL names
- `Bug 337010 <https://bugzilla.mozilla.org/show_bug.cgi?id=337010>`__: OOM crash [[@
NSC_DigestKey] Dereferencing possibly NULL att
- `Bug 343231 <https://bugzilla.mozilla.org/show_bug.cgi?id=343231>`__: certutil issues certs
for invalid requests
- `Bug 353371 <https://bugzilla.mozilla.org/show_bug.cgi?id=353371>`__: Klocwork 91117 - Null
Pointer Dereference in CERT_CertChainFromCert
- `Bug 353374 <https://bugzilla.mozilla.org/show_bug.cgi?id=353374>`__: Klocwork 76494 - Null
ptr derefs in CERT_FormatName
- `Bug 353375 <https://bugzilla.mozilla.org/show_bug.cgi?id=353375>`__: Klocwork 76513 - Null
ptr deref in nssCertificateList_DoCallback
- `Bug 353413 <https://bugzilla.mozilla.org/show_bug.cgi?id=353413>`__: Klocwork 76541 free
uninitialized pointer in CERT_FindCertURLExtension
- `Bug 353416 <https://bugzilla.mozilla.org/show_bug.cgi?id=353416>`__: Klocwork 76593 null ptr
deref in nssCryptokiPrivateKey_SetCertificate
- `Bug 353423 <https://bugzilla.mozilla.org/show_bug.cgi?id=353423>`__: Klocwork bugs in
nss/lib/pk11wrap/dev3hack.c
- `Bug 353739 <https://bugzilla.mozilla.org/show_bug.cgi?id=353739>`__: Klocwork Null ptr
dereferences in instance.c
- `Bug 353741 <https://bugzilla.mozilla.org/show_bug.cgi?id=353741>`__: klocwork cascading
memory leak in mpp_make_prime
- `Bug 353742 <https://bugzilla.mozilla.org/show_bug.cgi?id=353742>`__: klocwork null ptr
dereference in ocsp_DecodeResponseBytes
- `Bug 353748 <https://bugzilla.mozilla.org/show_bug.cgi?id=353748>`__: klocwork null ptr
dereferences in pki3hack.c
- `Bug 353760 <https://bugzilla.mozilla.org/show_bug.cgi?id=353760>`__: klocwork null pointer
dereference in p7decode.c
- `Bug 353763 <https://bugzilla.mozilla.org/show_bug.cgi?id=353763>`__: klocwork Null ptr
dereferences in pk11cert.c
- `Bug 353773 <https://bugzilla.mozilla.org/show_bug.cgi?id=353773>`__: klocwork Null ptr
dereferences in pk11nobj.c
- `Bug 353777 <https://bugzilla.mozilla.org/show_bug.cgi?id=353777>`__: Klocwork Null ptr
dereferences in pk11obj.c
- `Bug 353780 <https://bugzilla.mozilla.org/show_bug.cgi?id=353780>`__: Klocwork NULL ptr
dereferences in pkcs11.c
- `Bug 353865 <https://bugzilla.mozilla.org/show_bug.cgi?id=353865>`__: klocwork Null ptr deref
in softoken/pk11db.c
- `Bug 353888 <https://bugzilla.mozilla.org/show_bug.cgi?id=353888>`__: klockwork IDs for
ssl3con.c
- `Bug 353895 <https://bugzilla.mozilla.org/show_bug.cgi?id=353895>`__: klocwork Null ptr derefs
in pki/pkibase.c
- `Bug 353902 <https://bugzilla.mozilla.org/show_bug.cgi?id=353902>`__: klocwork bugs in
stanpcertdb.c
- `Bug 353903 <https://bugzilla.mozilla.org/show_bug.cgi?id=353903>`__: klocwork oom crash in
softoken/keydb.c
- `Bug 353908 <https://bugzilla.mozilla.org/show_bug.cgi?id=353908>`__: klocwork OOM crash in
tdcache.c
- `Bug 353909 <https://bugzilla.mozilla.org/show_bug.cgi?id=353909>`__: klocwork ptr dereference
before NULL check in devutil.c
- `Bug 353912 <https://bugzilla.mozilla.org/show_bug.cgi?id=353912>`__: Misc klocwork bugs in
lib/ckfw
- `Bug 354008 <https://bugzilla.mozilla.org/show_bug.cgi?id=354008>`__: klocwork bugs in freebl
- `Bug 359331 <https://bugzilla.mozilla.org/show_bug.cgi?id=359331>`__: modutil -changepw strict
shutdown failure
- `Bug 373367 <https://bugzilla.mozilla.org/show_bug.cgi?id=373367>`__: verify OCSP response
signature in libpkix without decoding and reencoding
- `Bug 390542 <https://bugzilla.mozilla.org/show_bug.cgi?id=390542>`__: libpkix fails to
validate a chain that consists only of one self issued, trusted cert
- `Bug 390728 <https://bugzilla.mozilla.org/show_bug.cgi?id=390728>`__:
pkix_pl_OcspRequest_Create throws an error if it was not able to get AIA location
- `Bug 397825 <https://bugzilla.mozilla.org/show_bug.cgi?id=397825>`__: libpkix: ifdef code that
uses user object types
- `Bug 397832 <https://bugzilla.mozilla.org/show_bug.cgi?id=397832>`__: libpkix leaks memory if
a macro calls a function that returns an error
- `Bug 402727 <https://bugzilla.mozilla.org/show_bug.cgi?id=402727>`__: functions responsible
for creating an object leak if subsequent function code produces an error
- `Bug 402731 <https://bugzilla.mozilla.org/show_bug.cgi?id=402731>`__:
pkix_pl_Pk11CertStore_CrlQuery will crash if fails to acquire DP cache.
- `Bug 406647 <https://bugzilla.mozilla.org/show_bug.cgi?id=406647>`__: libpkix does not use
user defined revocation checkers
- `Bug 407064 <https://bugzilla.mozilla.org/show_bug.cgi?id=407064>`__:
pkix_pl_LdapCertStore_BuildCrlList should not fail if a crl fails to be decoded
- `Bug 421216 <https://bugzilla.mozilla.org/show_bug.cgi?id=421216>`__: libpkix test nss_thread
leaks a test certificate
- `Bug 301259 <https://bugzilla.mozilla.org/show_bug.cgi?id=301259>`__: signtool Usage message
is unhelpful
- `Bug 389781 <https://bugzilla.mozilla.org/show_bug.cgi?id=389781>`__: NSS should be built
size-optimized in browser builds on Linux, Windows, and Mac
- `Bug 90426 <https://bugzilla.mozilla.org/show_bug.cgi?id=90426>`__: use of obsolete typedefs
in public NSS headers
- `Bug 113323 <https://bugzilla.mozilla.org/show_bug.cgi?id=113323>`__: The first argument to
PK11_FindCertFromNickname should be const.
- `Bug 132485 <https://bugzilla.mozilla.org/show_bug.cgi?id=132485>`__: built-in root certs slot
description is empty
- `Bug 177184 <https://bugzilla.mozilla.org/show_bug.cgi?id=177184>`__: NSS_CMSDecoder_Cancel
might have a leak
- `Bug 232392 <https://bugzilla.mozilla.org/show_bug.cgi?id=232392>`__: Erroneous root CA tests
in NSS Libraries
- `Bug 286642 <https://bugzilla.mozilla.org/show_bug.cgi?id=286642>`__: util should be in a
shared library
- `Bug 287052 <https://bugzilla.mozilla.org/show_bug.cgi?id=287052>`__: Function to get CRL
Entry reason code has incorrect prototype and implementation
- `Bug 299308 <https://bugzilla.mozilla.org/show_bug.cgi?id=299308>`__: Need additional APIs in
the CRL cache for libpkix
- `Bug 335039 <https://bugzilla.mozilla.org/show_bug.cgi?id=335039>`__:
nssCKFWCryptoOperation_UpdateCombo is not declared
- `Bug 340917 <https://bugzilla.mozilla.org/show_bug.cgi?id=340917>`__: crlutil should init NSS
read-only for some options
- `Bug 350948 <https://bugzilla.mozilla.org/show_bug.cgi?id=350948>`__: freebl macro change can
give 1% improvement in RSA performance on amd64
- `Bug 352439 <https://bugzilla.mozilla.org/show_bug.cgi?id=352439>`__: Reference leaks in
modutil
- `Bug 369144 <https://bugzilla.mozilla.org/show_bug.cgi?id=369144>`__: certutil needs option to
generate SubjectKeyID extension
- `Bug 391771 <https://bugzilla.mozilla.org/show_bug.cgi?id=391771>`__: pk11_config_name and
pk11_config_strings leaked on shutdown
- `Bug 401194 <https://bugzilla.mozilla.org/show_bug.cgi?id=401194>`__: crash in lg_FindObjects
on win64
- `Bug 405652 <https://bugzilla.mozilla.org/show_bug.cgi?id=405652>`__: In the TLS ClientHello
message the gmt_unix_time is incorrect
- `Bug 424917 <https://bugzilla.mozilla.org/show_bug.cgi?id=424917>`__: Performance regression
with studio 12 compiler
- `Bug 391770 <https://bugzilla.mozilla.org/show_bug.cgi?id=391770>`__: OCSP_Global.monitor is
leaked on shutdown
- `Bug 403687 <https://bugzilla.mozilla.org/show_bug.cgi?id=403687>`__: move pkix functions to
certvfypkix.c, turn off EV_TEST_HACK
- `Bug 428105 <https://bugzilla.mozilla.org/show_bug.cgi?id=428105>`__: CERT_SetOCSPTimeout is
not defined in any public header file
- `Bug 213359 <https://bugzilla.mozilla.org/show_bug.cgi?id=213359>`__: enhance PK12util to
extract certs from p12 file
- `Bug 329067 <https://bugzilla.mozilla.org/show_bug.cgi?id=329067>`__: NSS encodes cert
distinguished name attributes with wrong string type
- `Bug 339906 <https://bugzilla.mozilla.org/show_bug.cgi?id=339906>`__: sec_pkcs12_install_bags
passes uninitialized variables to functions
- `Bug 396484 <https://bugzilla.mozilla.org/show_bug.cgi?id=396484>`__: certutil doesn't
truncate existing temporary files when writing them
- `Bug 251594 <https://bugzilla.mozilla.org/show_bug.cgi?id=251594>`__: Certificate from PKCS#12
file with colon in friendlyName not selectable for signing/encryption
- `Bug 321584 <https://bugzilla.mozilla.org/show_bug.cgi?id=321584>`__: NSS PKCS12 decoder fails
to import bags without nicknames
- `Bug 332633 <https://bugzilla.mozilla.org/show_bug.cgi?id=332633>`__: remove duplicate header
files in nss/cmd/sslsample
- `Bug 335019 <https://bugzilla.mozilla.org/show_bug.cgi?id=335019>`__: pk12util takes friendly
name from key, not cert
- `Bug 339173 <https://bugzilla.mozilla.org/show_bug.cgi?id=339173>`__: mem leak whenever
SECMOD_HANDLE_STRING_ARG called in loop
- `Bug 353904 <https://bugzilla.mozilla.org/show_bug.cgi?id=353904>`__: klocwork Null ptr deref
in secasn1d.c
- `Bug 366390 <https://bugzilla.mozilla.org/show_bug.cgi?id=366390>`__: correct misleading
function names in fipstest
- `Bug 370536 <https://bugzilla.mozilla.org/show_bug.cgi?id=370536>`__: Memory leaks in pointer
tracker code in DEBUG builds only
- `Bug 372242 <https://bugzilla.mozilla.org/show_bug.cgi?id=372242>`__: CERT_CompareRDN uses
incorrect algorithm
- `Bug 379753 <https://bugzilla.mozilla.org/show_bug.cgi?id=379753>`__: S/MIME should support
AES
- `Bug 381375 <https://bugzilla.mozilla.org/show_bug.cgi?id=381375>`__: ocspclnt doesn't work on
Windows
- `Bug 398693 <https://bugzilla.mozilla.org/show_bug.cgi?id=398693>`__: DER_AsciiToTime produces
incorrect output for dates 1950-1970
- `Bug 420212 <https://bugzilla.mozilla.org/show_bug.cgi?id=420212>`__: Empty cert DNs handled
badly, display as !INVALID AVA!
- `Bug 420979 <https://bugzilla.mozilla.org/show_bug.cgi?id=420979>`__: vfychain ignores -b TIME
option when -p option is present
- `Bug 403563 <https://bugzilla.mozilla.org/show_bug.cgi?id=403563>`__: Implement the TLS
session ticket extension (STE)
- `Bug 400917 <https://bugzilla.mozilla.org/show_bug.cgi?id=400917>`__: Want exported function
that outputs all host names for DNS name matching
- `Bug 315643 <https://bugzilla.mozilla.org/show_bug.cgi?id=315643>`__:
test_buildchain_resourcelimits won't build
- `Bug 353745 <https://bugzilla.mozilla.org/show_bug.cgi?id=353745>`__: klocwork null ptr
dereference in PKCS12 decoder
- `Bug 338367 <https://bugzilla.mozilla.org/show_bug.cgi?id=338367>`__: The GF2M_POPULATE and
GFP_POPULATE should check the ecCurve_map array index bounds before use
- `Bug 201139 <https://bugzilla.mozilla.org/show_bug.cgi?id=201139>`__: SSLTap should display
plain text for NULL cipher suites
- `Bug 233806 <https://bugzilla.mozilla.org/show_bug.cgi?id=233806>`__: Support NIST CRL policy
- `Bug 279085 <https://bugzilla.mozilla.org/show_bug.cgi?id=279085>`__: NSS tools display public
exponent as negative number
- `Bug 363480 <https://bugzilla.mozilla.org/show_bug.cgi?id=363480>`__: ocspclnt needs option to
take cert from specified file
- `Bug 265715 <https://bugzilla.mozilla.org/show_bug.cgi?id=265715>`__: remove unused hsearch.c
DBM code
- `Bug 337361 <https://bugzilla.mozilla.org/show_bug.cgi?id=337361>`__: Leaks in jar_parse_any
(security/nss/lib/jar/jarver.c)
- `Bug 338453 <https://bugzilla.mozilla.org/show_bug.cgi?id=338453>`__: Leaks in
security/nss/lib/jar/jarfile.c
- `Bug 351408 <https://bugzilla.mozilla.org/show_bug.cgi?id=351408>`__: Leaks in
JAR_JAR_sign_archive (security/nss/lib/jar/jarjart.c)
- `Bug 351443 <https://bugzilla.mozilla.org/show_bug.cgi?id=351443>`__: Remove unused code from
mozilla/security/nss/lib/jar
- `Bug 351510 <https://bugzilla.mozilla.org/show_bug.cgi?id=351510>`__: Remove USE_MOZ_THREAD
code from mozilla/security/lib/jar
- `Bug 118830 <https://bugzilla.mozilla.org/show_bug.cgi?id=118830>`__: NSS public header files
should be C++ safe
- `Bug 123996 <https://bugzilla.mozilla.org/show_bug.cgi?id=123996>`__: certutil -H doesn't
document certutil -C -a
- `Bug 178894 <https://bugzilla.mozilla.org/show_bug.cgi?id=178894>`__: Quick decoder updates
for lib/certdb and lib/certhigh
- `Bug 220115 <https://bugzilla.mozilla.org/show_bug.cgi?id=220115>`__: CKM_INVALID_MECHANISM
should be an unsigned long constant.
- `Bug 330721 <https://bugzilla.mozilla.org/show_bug.cgi?id=330721>`__: Remove OS/2 VACPP
compiler support from NSS
- `Bug 408260 <https://bugzilla.mozilla.org/show_bug.cgi?id=408260>`__: certutil usage doesn't
give enough information about trust arguments
- `Bug 410226 <https://bugzilla.mozilla.org/show_bug.cgi?id=410226>`__: leak in
create_objects_from_handles
- `Bug 415007 <https://bugzilla.mozilla.org/show_bug.cgi?id=415007>`__:
PK11_FindCertFromDERSubjectAndNickname is dead code
- `Bug 416267 <https://bugzilla.mozilla.org/show_bug.cgi?id=416267>`__: compiler warnings on
solaris due to extra semicolon in SEC_ASN1_MKSUB
- `Bug 419763 <https://bugzilla.mozilla.org/show_bug.cgi?id=419763>`__: logger thread should be
joined on exit
- `Bug 424471 <https://bugzilla.mozilla.org/show_bug.cgi?id=424471>`__: counter overflow in
bltest
- `Bug 229335 <https://bugzilla.mozilla.org/show_bug.cgi?id=229335>`__: Remove certificates that
expired in August 2004 from tree
- `Bug 346551 <https://bugzilla.mozilla.org/show_bug.cgi?id=346551>`__: init SECItem derTemp in
crmf_encode_popoprivkey
- `Bug 395080 <https://bugzilla.mozilla.org/show_bug.cgi?id=395080>`__: Double backslash in
sysDir filenames causes problems on OS/2
- `Bug 341371 <https://bugzilla.mozilla.org/show_bug.cgi?id=341371>`__: certutil lacks a way to
request a certificate with an existing key
- `Bug 382292 <https://bugzilla.mozilla.org/show_bug.cgi?id=382292>`__: add support for Camellia
to cmd/symkeyutil
- `Bug 385642 <https://bugzilla.mozilla.org/show_bug.cgi?id=385642>`__: Add additional cert
usage(s) for certutil's -V -u option
- `Bug 175741 <https://bugzilla.mozilla.org/show_bug.cgi?id=175741>`__: strict aliasing bugs in
mozilla/dbm
- `Bug 210584 <https://bugzilla.mozilla.org/show_bug.cgi?id=210584>`__: CERT_AsciiToName doesn't
accept all valid values
- `Bug 298540 <https://bugzilla.mozilla.org/show_bug.cgi?id=298540>`__: vfychain usage option
should be improved and documented
- `Bug 323570 <https://bugzilla.mozilla.org/show_bug.cgi?id=323570>`__: Make dbck Debug mode
work with Softoken
- `Bug 371470 <https://bugzilla.mozilla.org/show_bug.cgi?id=371470>`__: vfychain needs option to
verify for specific date
- `Bug 387621 <https://bugzilla.mozilla.org/show_bug.cgi?id=387621>`__: certutil's random noise
generator isn't very efficient
- `Bug 390185 <https://bugzilla.mozilla.org/show_bug.cgi?id=390185>`__: signtool error message
wrongly uses the term database
- `Bug 391651 <https://bugzilla.mozilla.org/show_bug.cgi?id=391651>`__: Need config.mk file for
Windows Vista
- `Bug 396322 <https://bugzilla.mozilla.org/show_bug.cgi?id=396322>`__: Fix secutil's code and
NSS tools that print public keys
- `Bug 417641 <https://bugzilla.mozilla.org/show_bug.cgi?id=417641>`__: miscellaneous minor NSS
bugs
- `Bug 334914 <https://bugzilla.mozilla.org/show_bug.cgi?id=334914>`__: hopefully useless null
check of out it in JAR_find_next
- `Bug 95323 <https://bugzilla.mozilla.org/show_bug.cgi?id=95323>`__: ckfw should support cipher
operations.
- `Bug 337088 <https://bugzilla.mozilla.org/show_bug.cgi?id=337088>`__: Coverity 405,
PK11_ParamToAlgid() in mozilla/security/nss/lib/pk11wrap/pk11mech.c
- `Bug 339907 <https://bugzilla.mozilla.org/show_bug.cgi?id=339907>`__: oaep_xor_with_h1
allocates and leaks sha1cx
- `Bug 341122 <https://bugzilla.mozilla.org/show_bug.cgi?id=341122>`__: Coverity 633
SFTK_DestroySlotData uses slot->slotLock then checks it for NULL
- `Bug 351140 <https://bugzilla.mozilla.org/show_bug.cgi?id=351140>`__: Coverity 995, potential
crash in ecgroup_fromNameAndHex
- `Bug 362278 <https://bugzilla.mozilla.org/show_bug.cgi?id=362278>`__: lib/util includes header
files from other NSS directories
- `Bug 228190 <https://bugzilla.mozilla.org/show_bug.cgi?id=228190>`__: Remove unnecessary
NSS_ENABLE_ECC defines from manifest.mn
- `Bug 412906 <https://bugzilla.mozilla.org/show_bug.cgi?id=412906>`__: remove sha.c and sha.h
from lib/freebl
- `Bug 353543 <https://bugzilla.mozilla.org/show_bug.cgi?id=353543>`__: valgrind uninitialized
memory read in nssPKIObjectCollection_AddInstances
- `Bug 377548 <https://bugzilla.mozilla.org/show_bug.cgi?id=377548>`__: NSS QA test program
certutil's default DSA prime is only 512 bits
- `Bug 333405 <https://bugzilla.mozilla.org/show_bug.cgi?id=333405>`__: item cleanup is unused
DEADCODE in SECITEM_AllocItem loser
- `Bug 288730 <https://bugzilla.mozilla.org/show_bug.cgi?id=288730>`__: compiler warnings in
certutil
- `Bug 337251 <https://bugzilla.mozilla.org/show_bug.cgi?id=337251>`__: warning: /\* within
comment
- `Bug 362967 <https://bugzilla.mozilla.org/show_bug.cgi?id=362967>`__: export
SECMOD_DeleteModuleEx
- `Bug 389248 <https://bugzilla.mozilla.org/show_bug.cgi?id=389248>`__: NSS build failure when
NSS_ENABLE_ECC is not defined
- `Bug 390451 <https://bugzilla.mozilla.org/show_bug.cgi?id=390451>`__: Remembered passwords
lost when changing Master Password
- `Bug 418546 <https://bugzilla.mozilla.org/show_bug.cgi?id=418546>`__: reference leak in
CERT_PKIXVerifyCert
- `Bug 390074 <https://bugzilla.mozilla.org/show_bug.cgi?id=390074>`__: OS/2 sign.cmd doesn't
find sqlite3.dll
- `Bug 417392 <https://bugzilla.mozilla.org/show_bug.cgi?id=417392>`__: certutil -L -n reports
bogus trust flags
--------------
`Documentation <#documentation>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
For a list of the primary NSS documentation pages on mozilla.org, see `NSS
Documentation <../index.html#Documentation>`__. New and revised documents available since the
release of NSS 3.11 include the following:
- :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
- `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
- :ref:`mozilla_projects_nss_reference_nss_environment_variables`
--------------
`Compatibility <#compatibility>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
NSS 3.12 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
--------------
`Feedback <#feedback>`__
~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Bugs discovered should be reported by filing a bug report with `mozilla.org
Bugzilla <https://bugzilla.mozilla.org/>`__\ (product NSS).
|
