I just emailed the mailing list about it: bug 693228. It is a crashing bug in NSS_Init.
----- Original Message -----
> From: "Julien Pierre" <julien.pie...@oracle.com>
> To: "Brian Smith" <bsm...@mozilla.com>
> Cc: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
> Sent: Tuesday, October 18, 2011 2:55:11 PM
> Subject: Re: NSS 3.12.* maintanence after the NSS 3.13 release?
>
> Brian,
>
> On 10/18/2011 14:42, Brian Smith wrote:
> > There is one known regression.
> Do you mean one separate from the SSL 2.0 change, and BEAST ? If so,
> which one ?
> > Also, the BEAST workaround is an incompatible change for some
> > applications.
> From what I have read of the BEAST workaround discussion, it breaks
> certain older existing SSL servers, notably some of Oracle's servers
> (not NSS based servers). But this only affects client code.
> The reverse BEAST code change is on the server side too. Do we know
> that it breaks any old browsers ?
>
> I'm more concerned about server side. My understanding is that the
> BEAST workaround doesn't really help a server app. It is the client that
> really needs to be patched for the specific exploit. The server cannot
> really prevent the exploit with an SSL/TLS stack fix. The server-side
> code change would help only if someone creates a theoretical reverse
> BEAST type of exploit.
>
> Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto