path: root/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
.. _mozilla_projects_nss_nss_3_28_release_notes:

NSS 3.28 release notes
======================

`Introduction <#introduction>`__
--------------------------------

.. container::

   The Network Security Services (NSS) team has released NSS 3.28, which is a minor release.

.. _distribution_information:

`Distribution information <#distribution_information>`__
--------------------------------------------------------

.. container::

   The hg tag is NSS_3_28_RTM. NSS 3.28 requires Netscape Portable Runtime (NSPR) 4.13.1 or newer.

   NSS 3.28 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_RTM/src/

.. _new_in_nss_3.28:

`New in NSS 3.28 <#new_in_nss_3.28>`__
--------------------------------------

.. container::

.. _new_functionality:

`New Functionality <#new_functionality>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  NSS includes support for `TLS 1.3
      draft-18 <https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-18>`__.  This includes a
      number of improvements to TLS 1.3:

      -  The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3
         (`bug 1252745 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252745>`__).
      -  Key exporters for TLS 1.3 are supported (`bug
         1310610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1310610>`__).  This includes the
         early key exporter, which can be used if 0-RTT is enabled. Note that TLS 1.3 key exporters
         differ from those in older versions of TLS: TLS 1.3 does not distinguish between an empty
         context and no context.
      -  The TLS 1.3 (draft) protocol can be enabled by defining NSS_ENABLE_TLS_1_3=1 when building
         NSS.

   -  NSS includes support for `the X25519 key exchange
      algorithm <https://datatracker.ietf.org/doc/html/rfc7748>`__ (`bug
      957105 <https://bugzilla.mozilla.org/show_bug.cgi?id=957105>`__), which is supported and
      enabled by default in all versions of TLS.

   .. rubric:: New Functions
      :name: new_functions

   -  in ssl.h

      -  **SSL_ExportEarlyKeyingMaterial** implements a key exporter based on the TLS 1.3 early
         exporter secret.  This API is equivalent in function to SSL_ExportKeyingMaterial, but it
         can only succeed if 0-RTT was attempted (on the client) or accepted (on the server).

      -  **SSL_SendAdditionalKeyShares** configures a TLS 1.3 client so that it generates additional
         key shares when sending a ClientHello.

      -  **SSL_SignatureSchemePrefSet** allows an application to set which signature schemes should
         be supported in TLS and to specify the preference order of those schemes.

      -  **SSL_SignatureSchemePrefGet** allows an application to learn the currently supported and
         enabled signature schemes for a socket.
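The exporter caveat above (an empty context is not the same as no context in older TLS versions, but is the same in TLS 1.3) can be made concrete by computing both exporters from constructed secrets. The following is an added example written for these notes; it is not NSS code and does not call SSL_ExportKeyingMaterial or SSL_ExportEarlyKeyingMaterial. The master secret, randoms, exporter master secret and label are constructed test values. The TLS 1.2 side follows RFC 5705 with the RFC 5246 PRF, the TLS 1.3 side follows the exporter formula of the TLS 1.3 draft (now RFC 8446, section 7.5); the early exporter that SSL_ExportEarlyKeyingMaterial exposes applies the same TLS 1.3 formula to the early exporter master secret instead of the exporter master secret.

```python
"""Key exporter context handling: TLS 1.2 (RFC 5705) versus TLS 1.3 (RFC 8446 section 7.5).

Added illustration, not NSS source. All secrets below are constructed test values.
"""
import hashlib
import hmac


def tls12_prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_exporter(master_secret, client_random, server_random, label, length, context=None):
    """RFC 5705 exporter. The context is mixed in (prefixed with a 2-byte length) only when
    one is supplied, so an empty context and no context give different seeds."""
    seed = client_random + server_random
    if context is not None:
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf_sha256(master_secret, label, seed, length)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label, with the HkdfLabel structure built inline."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, transcript_hash: bytes) -> bytes:
    """RFC 8446 Derive-Secret for SHA-256 (32-byte output)."""
    return hkdf_expand_label(secret, label, transcript_hash, 32)


def tls13_exporter(exporter_master_secret, label, length, context=None):
    """RFC 8446 section 7.5 exporter:
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context), length).
    A missing context is hashed exactly like an empty one, so the two cannot be told apart.
    Pass the early exporter master secret here to get the 0-RTT early exporter."""
    if context is None:
        context = b""
    inner = derive_secret(exporter_master_secret, label, hashlib.sha256(b"").digest())
    return hkdf_expand_label(inner, b"exporter", hashlib.sha256(context).digest(), length)


def compare_context_handling():
    """Return (tls12_empty_equals_none, tls13_empty_equals_none) for constructed secrets."""
    master_secret = bytes(range(48))          # constructed TLS 1.2 master secret
    client_random = bytes([0x11]) * 32        # constructed
    server_random = bytes([0x22]) * 32        # constructed
    exporter_master_secret = bytes([0x33]) * 32  # constructed TLS 1.3 exporter master secret
    label = b"EXPERIMENTAL-context-demo"      # constructed label
    t12_none = tls12_exporter(master_secret, client_random, server_random, label, 32)
    t12_empty = tls12_exporter(master_secret, client_random, server_random, label, 32, context=b"")
    t13_none = tls13_exporter(exporter_master_secret, label, 32)
    t13_empty = tls13_exporter(exporter_master_secret, label, 32, context=b"")
    return t12_none == t12_empty, t13_none == t13_empty


if __name__ == "__main__":
    print("TLS 1.2: empty context == no context ->", compare_context_handling()[0])
    print("TLS 1.3: empty context == no context ->", compare_context_handling()[1])
```

The practical consequence for an application migrating a TLS 1.2 channel binding to TLS 1.3 is that code relying on "no context" and "empty context" producing distinct keying material must choose one convention explicitly; a non-empty context still changes the output in both versions.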

.. _request_to_test_and_prepare_for_tls_1.3:

`Request to test and prepare for TLS 1.3 <#request_to_test_and_prepare_for_tls_1.3>`__
--------------------------------------------------------------------------------------

.. container::

   This release contains improved support for TLS 1.3; however, the code that supports TLS 1.3 is
   still disabled by default (not built).

   For the future NSS 3.29 release, it is planned that standard builds of NSS will support the TLS
   1.3 protocol (although the maximum TLS protocol version enabled by default will remain at TLS
   1.2).

   We know that some applications that use NSS query NSS for the supported range of SSL/TLS
   protocols and enable the maximum supported protocol version. In NSS 3.29, those applications
   will therefore enable support for the TLS 1.3 protocol.

   To prepare for this future change, we encourage all users of NSS to override the standard
   NSS 3.28 build configuration by defining NSS_ENABLE_TLS_1_3=1 at build time.  This will enable
   support for TLS 1.3. Please report any compatibility issues that you encounter in your tests to
   the NSS developers.

.. _notable_changes_in_nss_3.28:

`Notable Changes in NSS 3.28 <#notable_changes_in_nss_3.28>`__
--------------------------------------------------------------

.. container::

   -  NSS can no longer be compiled with support for additional elliptic curves (the
      NSS_ECC_MORE_THAN_SUITE_B option, `bug
      1253912 <https://bugzilla.mozilla.org/show_bug.cgi?id=1253912>`__).  This was previously
      possible by replacing certain NSS source files.
   -  NSS will now detect the presence of tokens that support additional elliptic curves and enable
      those curves for use in TLS (`bug
      1303648 <https://bugzilla.mozilla.org/show_bug.cgi?id=1303648>`__). Note that this detection
      has a one-off performance cost, which can be avoided by using the SSL_NamedGroupConfig
      function to limit the supported groups to those that NSS provides.
   -  PKCS#11 bypass for TLS is no longer supported and has been removed (`bug
      1303224 <https://bugzilla.mozilla.org/show_bug.cgi?id=1303224>`__).
   -  Support for "export" grade SSL/TLS cipher suites has been removed (`bug
      1252849 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252849>`__).
   -  NSS now uses the signature schemes definition in TLS 1.3 (`bug
      1309446 <https://bugzilla.mozilla.org/show_bug.cgi?id=1309446>`__).  This also affects TLS
      1.2. NSS will now only generate signatures with the combinations of hash and signature scheme
      that are defined in TLS 1.3, even when negotiating TLS 1.2.

      -  This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384
         certificates, and SHA-512 with P-521 certificates.  SHA-1 is permitted (in TLS 1.2 only)
         with any certificate for backward compatibility reasons.
      -  New functions to configure signature schemes are provided: **SSL_SignatureSchemePrefSet,
         SSL_SignatureSchemePrefGet**. The old SSL_SignaturePrefSet and SSL_SignaturePrefGet
         functions are now deprecated.
      -  NSS no longer assumes that default signature schemes are supported by a peer when there
         is no commonly supported signature scheme.

   -  NSS will now check if RSA-PSS signing is supported by the token that holds the private key
      prior to using it for TLS (`bug
      1311950 <https://bugzilla.mozilla.org/show_bug.cgi?id=1311950>`__).
   -  The certificate validation code now contains checks that distrust certificates issued by the
      old WoSign and StartCom CAs after October 21, 2016. This is equivalent to the behavior that
      Mozilla will release with Firefox 51. Background information can be found in
      `Mozilla's blog
      post <https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/>`__.
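The signature scheme change above (the TLS 1.3 hash/curve pairing applied even in TLS 1.2, SHA-1 tolerated only in TLS 1.2, and no fallback to a default scheme when nothing is common) can be written down as a small selection rule. The following is an added example written for these notes, not NSS source; the code points are the SignatureScheme values from the TLS 1.3 draft (now RFC 8446), the function and variable names are assumptions, and ``legacy_tls12_allows`` models the pre-3.28 TLS 1.2 behaviour described in RFC 5246, where a SignatureAndHashAlgorithm such as ecdsa+sha384 does not constrain the curve. ``local_prefs`` plays the role of the preference list an application would pass to SSL_SignatureSchemePrefSet; only ECDSA is shown.

```python
"""ECDSA hash/curve pairing under the TLS 1.3 SignatureScheme definition, as NSS 3.28
applies it to TLS 1.2 as well. Added illustration, not NSS source."""
from typing import Optional, Sequence

# SignatureScheme code points from the TLS 1.3 draft / RFC 8446 (real values)
ECDSA_SECP256R1_SHA256 = 0x0403
ECDSA_SECP384R1_SHA384 = 0x0503
ECDSA_SECP521R1_SHA512 = 0x0603
ECDSA_SHA1 = 0x0203  # legacy; TLS 1.3 forbids it, TLS 1.2 keeps it for compatibility

TLS_1_2 = 0x0303
TLS_1_3 = 0x0304

# Curve of the signing certificate -> the single scheme TLS 1.3 defines for that curve
CURVE_SCHEME = {
    "P-256": ECDSA_SECP256R1_SHA256,
    "P-384": ECDSA_SECP384R1_SHA384,
    "P-521": ECDSA_SECP521R1_SHA512,
}

ECDSA_SCHEMES = frozenset(CURVE_SCHEME.values()) | {ECDSA_SHA1}


def allowed_schemes(curve: str, version: int) -> frozenset:
    """Schemes NSS 3.28 will sign with for a certificate on `curve` at protocol `version`.
    (hypothetical helper; encodes the rule stated in the release notes)"""
    allowed = {CURVE_SCHEME[curve]}
    if version == TLS_1_2:
        allowed.add(ECDSA_SHA1)  # permitted in TLS 1.2 only, for backward compatibility
    return frozenset(allowed)


def choose_ecdsa_scheme(curve: str, version: int,
                        peer_schemes: Sequence[int],
                        local_prefs: Sequence[int]) -> Optional[int]:
    """Pick the first locally preferred scheme that is both allowed for this certificate and
    offered by the peer. Returns None when there is no common scheme: NSS 3.28 no longer falls
    back to a default scheme in that case."""
    allowed = allowed_schemes(curve, version)
    offered = set(peer_schemes)
    for scheme in local_prefs:
        if scheme in allowed and scheme in offered:
            return scheme
    return None


def legacy_tls12_allows(curve: str, scheme: int) -> bool:
    """Pre-3.28 TLS 1.2 behaviour (RFC 5246 SignatureAndHashAlgorithm): any ECDSA hash could be
    used with any curve, so e.g. ecdsa+sha384 was acceptable for a P-256 key. Shown only to
    contrast with the new rule; `curve` is accepted for symmetry and intentionally unused."""
    return scheme in ECDSA_SCHEMES


def explain(curve: str, version: int, peer_schemes: Sequence[int], local_prefs: Sequence[int]) -> str:
    """Human-readable summary of what the new rule selects for one handshake."""
    chosen = choose_ecdsa_scheme(curve, version, peer_schemes, local_prefs)
    name = "TLS 1.3" if version == TLS_1_3 else "TLS 1.2"
    if chosen is None:
        return f"{name}, {curve} certificate: no common signature scheme, handshake cannot sign"
    return f"{name}, {curve} certificate: sign with scheme 0x{chosen:04x}"


if __name__ == "__main__":
    prefs = [ECDSA_SECP256R1_SHA256, ECDSA_SECP384R1_SHA384, ECDSA_SHA1]
    # Peer offers only ecdsa+sha384: old NSS would use it with a P-256 key, 3.28 will not.
    print(explain("P-256", TLS_1_2, [ECDSA_SECP384R1_SHA384], prefs))
    print("legacy TLS 1.2 would have allowed it:",
          legacy_tls12_allows("P-256", ECDSA_SECP384R1_SHA384))
    print(explain("P-256", TLS_1_2, [ECDSA_SHA1], prefs))
    print(explain("P-256", TLS_1_3, [ECDSA_SHA1], prefs))
    print(explain("P-384", TLS_1_3, [ECDSA_SECP256R1_SHA256, ECDSA_SECP384R1_SHA384], prefs))
```

When reviewing a compatibility report after upgrading, the case to look for is a peer that advertises ECDSA schemes whose hash does not match the curve of the local certificate (for example only ecdsa+sha384 against a P-256 key): that handshake succeeded with the old behaviour and fails under the new rule, and the fix is on the peer's advertised list or the certificate, not in SSL_SignatureSchemePrefSet.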

.. _bugs_fixed_in_nss_3.28:

`Bugs fixed in NSS 3.28 <#bugs_fixed_in_nss_3.28>`__
----------------------------------------------------

.. container::

   This Bugzilla query returns all the bugs fixed in NSS 3.28:

   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.28

`Compatibility <#compatibility>`__
----------------------------------

.. container::

   NSS 3.28 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.28 shared libraries
   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in NSS Public Functions will remain compatible with future versions of
   the NSS shared libraries.

`Feedback <#feedback>`__
------------------------

.. container::

   Bugs discovered should be reported by filing a bug report with
   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).