doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219

.. _mozilla_projects_nss_nss_3_46_release_notes:

NSS 3.46 release notes
======================

`Introduction <#introduction>`__
--------------------------------

.. container::

   The NSS team has released Network Security Services (NSS) 3.46 on **30 August 2019**, which is a
   minor release.

   The NSS team would like to recognize first-time contributors:

   -  Giulio Benetti
   -  Louis Dassy
   -  Mike Kaganski
   -  xhimanshuz

.. _distribution_information:

`Distribution Information <#distribution_information>`__
--------------------------------------------------------

.. container::

   The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer.

   NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_RTM/src/

   Other releases are available :ref:`mozilla_projects_nss_nss_releases`.

.. _new_in_nss_3.46:

`New in NSS 3.46 <#new_in_nss_3.46>`__
--------------------------------------

.. container::

   This release contains no significant new functionality, but concentrates on providing improved
   performance, stability, and security.  Of particular note are significant improvements to AES-GCM
   performance on ARM.

.. _notable_changes_in_nss_3.46:

`Notable Changes in NSS 3.46 <#notable_changes_in_nss_3.46>`__
--------------------------------------------------------------

.. container::

.. _certificate_authority_changes:

`Certificate Authority Changes <#certificate_authority_changes>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  The following CA certificates were **Removed**:

      -  `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
         Class 2 Primary root certificate

         -  SHA-256 Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB

      -  `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
         UTN-USERFirst-Client root certificate

         -  SHA-256 Fingerprint: 43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE

      -  `Bug 1574670 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574670>`__ - Remove expired
         Deutsche Telekom Root CA 2 root certificate

         -  SHA-256 Fingerprint: B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3

      -  `Bug 1566569 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566569>`__ - Remove Swisscom
         Root CA 2 root certificate

         -  SHA-256 Fingerprint: F09B122C7114F4A09BD4EA4F4A99D558B46E4C25CD81140D29C05613914C3841

.. _upcoming_changes_to_default_tls_configuration:

`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
--------------------------------------------------------------------------------------------------

.. container::

   The next NSS team plans to make two changes to the default TLS configuration in NSS 3.47, which
   will be released in October:

   -  `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
      version.  See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
      details.
   -  `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
      by default, where possible.  See `Bug
      1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.

.. _bugs_fixed_in_nss_3.46:

`Bugs fixed in NSS 3.46 <#bugs_fixed_in_nss_3.46>`__
----------------------------------------------------

.. container::

   -  `Bug 1572164 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572164>`__ - Don't unnecessarily
      free session in NSC_WrapKey
   -  `Bug 1574220 <https://bugzilla.mozilla.org/show_bug.cgi?id=1574220>`__ - Improve controls
      after errors in tstcln, selfserv and vfyserv cmds
   -  `Bug 1550636 <https://bugzilla.mozilla.org/show_bug.cgi?id=1550636>`__ - Upgrade SQLite in NSS
      to a 2019 version
   -  `Bug 1572593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572593>`__ - Reset advertised
      extensions in ssl_ConstructExtensions
   -  `Bug 1415118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1415118>`__ - NSS build with
      ./build.sh --enable-libpkix fails
   -  `Bug 1539788 <https://bugzilla.mozilla.org/show_bug.cgi?id=1539788>`__ - Add length checks for
      cryptographic primitives
      (`CVE-2019-17006 <https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2019-17006>`__)
   -  `Bug 1542077 <https://bugzilla.mozilla.org/show_bug.cgi?id=1542077>`__ - mp_set_ulong and
      mp_set_int should return errors on bad values
   -  `Bug 1572791 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572791>`__ - Read out-of-bounds in
      DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential
   -  `Bug 1560593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1560593>`__ - Cleanup.sh script
      does not set error exit code for tests that "Failed with core"
   -  `Bug 1566601 <https://bugzilla.mozilla.org/show_bug.cgi?id=1566601>`__ - Add Wycheproof test
      vectors for AES-KW
   -  `Bug 1571316 <https://bugzilla.mozilla.org/show_bug.cgi?id=1571316>`__ - curve25519_32.c:280:
      undefined reference to \`PR_Assert' when building NSS 3.45 on armhf-linux
   -  `Bug 1516593 <https://bugzilla.mozilla.org/show_bug.cgi?id=1516593>`__ - Client to generate
      new random during renegotiation
   -  `Bug 1563258 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563258>`__ - fips.sh fails due to
      non-existent "resp" directories
   -  `Bug 1561598 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561598>`__ - Remove
      -Wmaybe-uninitialized warning in pqg.c
   -  `Bug 1560806 <https://bugzilla.mozilla.org/show_bug.cgi?id=1560806>`__ - Increase softoken
      password max size to 500 characters
   -  `Bug 1568776 <https://bugzilla.mozilla.org/show_bug.cgi?id=1568776>`__ - Output paths relative
      to repository in NSS coverity
   -  `Bug 1453408 <https://bugzilla.mozilla.org/show_bug.cgi?id=1453408>`__ - modutil -changepw
      fails in FIPS mode if password is an empty string
   -  `Bug 1564727 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564727>`__ - Use a PSS SPKI when
      possible for delegated credentials
   -  `Bug 1493916 <https://bugzilla.mozilla.org/show_bug.cgi?id=1493916>`__ - fix ppc64 inline
      assembler for clang
   -  `Bug 1561588 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561588>`__ - Remove
      -Wmaybe-uninitialized warning in p7env.c
   -  `Bug 1561548 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561548>`__ - Remove
      -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c
   -  `Bug 1512605 <https://bugzilla.mozilla.org/show_bug.cgi?id=1512605>`__ - Incorrect alert
      description after unencrypted Finished msg
   -  `Bug 1564715 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564715>`__ - Read /proc/cpuinfo
      when AT_HWCAP2 returns 0
   -  `Bug 1532194 <https://bugzilla.mozilla.org/show_bug.cgi?id=1532194>`__ - Remove or fix
      -DDEBUG_$USER from make builds
   -  `Bug 1565577 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565577>`__ - Visual Studio's
      cl.exe -? hangs on Windows x64 when building nss since changeset
      9162c654d06915f0f15948fbf67d4103a229226f
   -  `Bug 1564875 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564875>`__ - Improve rebuilding
      with build.sh
   -  `Bug 1565243 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565243>`__ - Support TC_OWNER
      without email address in nss taskgraph
   -  `Bug 1563778 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563778>`__ - Increase maxRunTime
      on Mac taskcluster Tools, SSL tests
   -  `Bug 1561591 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561591>`__ - Remove
      -Wmaybe-uninitialized warning in tstclnt.c
   -  `Bug 1561587 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561587>`__ - Remove
      -Wmaybe-uninitialized warning in lgattr.c
   -  `Bug 1561558 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561558>`__ - Remove
      -Wmaybe-uninitialized warning in httpserv.c
   -  `Bug 1561556 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561556>`__ - Remove
      -Wmaybe-uninitialized warning in tls13esni.c
   -  `Bug 1561332 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561332>`__ - ec.c:28 warning:
      comparison of integers of different signs: 'int' and 'unsigned long'
   -  `Bug 1564714 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564714>`__ - Print certutil
      commands during setup
   -  `Bug 1565013 <https://bugzilla.mozilla.org/show_bug.cgi?id=1565013>`__ - HACL image builder
      times out while fetching gpg key
   -  `Bug 1563786 <https://bugzilla.mozilla.org/show_bug.cgi?id=1563786>`__ - Update hacl-star
      docker image to pull specific commit
   -  `Bug 1559012 <https://bugzilla.mozilla.org/show_bug.cgi?id=1559012>`__ - Improve GCM
      perfomance using PMULL2
   -  `Bug 1528666 <https://bugzilla.mozilla.org/show_bug.cgi?id=1528666>`__ - Correct resumption
      validation checks
   -  `Bug 1568803 <https://bugzilla.mozilla.org/show_bug.cgi?id=1568803>`__ - More tests for client
      certificate authentication
   -  `Bug 1564284 <https://bugzilla.mozilla.org/show_bug.cgi?id=1564284>`__ - Support profile
      mobility across Windows and Linux
   -  `Bug 1573942 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573942>`__ - Gtest for pkcs11.txt
      with different breaking line formats
   -  `Bug 1575968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575968>`__ - Add strsclnt option
      to enforce the use of either IPv4 or IPv6
   -  `Bug 1549847 <https://bugzilla.mozilla.org/show_bug.cgi?id=1549847>`__ - Fix NSS builds on iOS
   -  `Bug 1485533 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485533>`__ - Enable NSS_SSL_TESTS
      on taskcluster

   This Bugzilla query returns all the bugs fixed in NSS 3.46:

   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46

`Compatibility <#compatibility>`__
----------------------------------

.. container::

   NSS 3.46 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.46 shared libraries
   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in NSS Public Functions will remain compatible with future versions of
   the NSS shared libraries.

`Feedback <#feedback>`__
------------------------

.. container::

   Bugs discovered should be reported by filing a bug report with
   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).