.. _mozilla_projects_nss_nss_3_31_release_notes:

NSS 3.31 release notes
======================

`Introduction <#introduction>`__
--------------------------------

.. container::

   The Network Security Services (NSS) team has released NSS 3.31, which is a minor release.

.. _distribution_information:

`Distribution information <#distribution_information>`__
--------------------------------------------------------

.. container::

   The hg tag is NSS_3_31_RTM. NSS 3.31 requires Netscape Portable Runtime (NSPR) 4.15 or newer.

   NSS 3.31 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/

.. _new_in_nss_3.31:

`New in NSS 3.31 <#new_in_nss_3.31>`__
--------------------------------------

.. container::

.. _new_functionality:

`New Functionality <#new_functionality>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  Allow certificates to be specified by RFC 7512 PKCS#11 URIs.
   -  Allow querying a certificate object for its temporary or permanent storage status in a
      thread-safe way.

   .. rubric:: New Functions
      :name: new_functions

   -  *in cert.h*

      -  **CERT_GetCertIsPerm** - retrieve the permanent storage status attribute of a certificate
         in a thread-safe way.
      -  **CERT_GetCertIsTemp** - retrieve the temporary storage status attribute of a certificate
         in a thread-safe way.

   -  *in pk11pub.h*

      -  **PK11_FindCertFromURI** - find a certificate identified by the given URI.
      -  **PK11_FindCertsFromURI** - find a list of certificates identified by the given URI.
      -  **PK11_GetModuleURI** - retrieve the URI of the given module.
      -  **PK11_GetTokenURI** - retrieve the URI of a token based on the given slot information.

   -  *in pkcs11uri.h*

      -  **PK11URI_CreateURI** - create a new PK11URI object from a set of attributes.
      -  **PK11URI_DestroyURI** - destroy a PK11URI object.
      -  **PK11URI_FormatURI** - format a PK11URI object to a string.
      -  **PK11URI_GetPathAttribute** - retrieve a path attribute with the given name.
      -  **PK11URI_GetQueryAttribute** - retrieve a query attribute with the given name.
      -  **PK11URI_ParseURI** - parse a PKCS#11 URI and return a new PK11URI object.

   .. rubric:: New Macros
      :name: new_macros

   -  *in pkcs11uri.h*

      -  Several new macros that start with **PK11URI_PATTR\_** for path attributes defined in
         RFC 7512.
      -  Several new macros that start with **PK11URI_QATTR\_** for query attributes defined in
         RFC 7512.

.. _notable_changes_in_nss_3.31:

`Notable Changes in NSS 3.31 <#notable_changes_in_nss_3.31>`__
--------------------------------------------------------------

.. container::

   -  The APIs that set a TLS version range have been changed to trim the requested range to the
      overlap with a systemwide crypto policy, if configured. **SSL_VersionRangeGetSupported** can
      be used to query the overlap between the library's supported range of TLS versions and the
      systemwide policy.
   -  Previously, **SSL_VersionRangeSet** and **SSL_VersionRangeSetDefault** returned a failure if
      the requested version range wasn't fully allowed by the systemwide crypto policy. They now
      return success if at least one TLS version overlaps between the requested range and the
      systemwide policy. An application may call **SSL_VersionRangeGet** and
      **SSL_VersionRangeGetDefault** to query the TLS version range that was effectively
      activated.
   -  Corrected the encoding of Domain Name Constraints extensions created by certutil.
   -  NSS now supports a clean seeding mechanism for \*NIX systems that uses only /dev/urandom.
      This is used only when SEED_ONLY_DEV_URANDOM is set at compile time.
   -  CERT_AsciiToName can now handle OIDs in dotted decimal form.
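
A minimal model of the version-range change described in the first two items above, added here as an illustration; it is not NSS code and does not call NSS. The type ``vrange_t`` and the functions ``set_range_strict``, ``set_range_trimmed`` and ``range_was_trimmed`` are hypothetical names, and the policy range in ``main`` is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS protocol version numbers (wire values). */
#define TLS_1_0 0x0301
#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* Hypothetical stand-in for a version range; not the NSS type. */
typedef struct { uint16_t min, max; } vrange_t;

/* Pre-3.31 behaviour: fail unless the request lies fully inside the policy. */
int set_range_strict(vrange_t req, vrange_t policy, vrange_t *active)
{
    if (req.min > req.max || req.min < policy.min || req.max > policy.max)
        return -1;
    *active = req;
    return 0;
}

/* 3.31 behaviour: trim to the overlap; fail only if no version remains. */
int set_range_trimmed(vrange_t req, vrange_t policy, vrange_t *active)
{
    uint16_t lo = req.min > policy.min ? req.min : policy.min;
    uint16_t hi = req.max < policy.max ? req.max : policy.max;
    if (req.min > req.max || lo > hi)
        return -1;
    active->min = lo;
    active->max = hi;
    return 0;
}

/* Caller-side check after success: is the active range what was requested? */
int range_was_trimmed(vrange_t req, vrange_t active)
{
    return active.min != req.min || active.max != req.max;
}

int main(void)
{
    vrange_t policy = { TLS_1_2, TLS_1_3 }; /* constructed sample policy */
    vrange_t req = { TLS_1_0, TLS_1_3 }, active = { 0, 0 };
    printf("strict:  %d\n", set_range_strict(req, policy, &active));
    if (set_range_trimmed(req, policy, &active) == 0)
        printf("trimmed: 0x%04x-0x%04x, narrowed=%d\n", (unsigned)active.min,
               (unsigned)active.max, range_was_trimmed(req, active));
    return 0;
}
```

In a real application the equivalent of ``range_was_trimmed`` is a comparison between the range passed to **SSL_VersionRangeSet** and the one returned by **SSL_VersionRangeGet**, since a success return no longer implies that the whole requested range is active.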

.. _bugs_fixed_in_nss_3.31:

`Bugs fixed in NSS 3.31 <#bugs_fixed_in_nss_3.31>`__
----------------------------------------------------

.. container::

   This Bugzilla query returns all the bugs fixed in NSS 3.31:

   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.31

`Compatibility <#compatibility>`__
----------------------------------

.. container::

   NSS 3.31 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.31 shared libraries
   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in NSS Public Functions will remain compatible with future versions of
   the NSS shared libraries.

`Feedback <#feedback>`__
------------------------

.. container::

   Bugs discovered should be reported by filing a bug report with
   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).