The NSS team has released Network Security Services (NSS) 3.24, which is a minor release.
Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * NSS softoken has been updated with the latest NIST guidance (as of 2015) * NSS softoken has also been updated to allow NSS to run in FIPS level-1 (no password). * SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a certificate and private key. This method should be used in preference to SSL_ConfigSecureServer, SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and SSL_SetSignedCertTimestamps. * Added PORTCheapArena for temporary arenas allocated on the stack. New Functions: * SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, private key and other information. * PORT_InitCheapArena - This initializes an arena that was created on the stack. See PORTCheapArenaPool. * PORT_DestroyCheapArena - This destroys an arena that was created on the stack. See PORTCheapArenaPool. New Types * SSLExtraServerCertData - This struct is optionally passed as an argument to SSL_ConfigServerCert. It contains supplementary information about a certificate, such as the intended type of the certificate, stapled OCSP responses, or signed certificate timestamps (used for certificate transparency). * PORTCheapArenaPool - A stack-allocated arena pool, to be used for temporary arena allocations. New Macros * CKM_TLS12_MAC * SEC_OID_TLS_ECDHE_PSK - This OID is used to govern use of the TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is only used for session resumption in TLS 1.3. Notable Changes: * The following functions have been deprecated (applications should use the new SSL_ConfigServerCert function instead): * SSL_SetStapledOCSPResponses * SSL_SetSignedCertTimestamps * SSL_ConfigSecureServer * SSL_ConfigSecureServerWithCertChain * Function NSS_FindCertKEAType is now deprecated, as it reports a misleading value for certificates that might be used for signing rather than key exchange. * SSLAuthType has been updated to define a larger number of authentication key types. * The member attribute authAlgorithm of type SSLCipherSuiteInfo has been deprecated. Instead, applications should use the newly added attribute authType. * ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt. * On Linux platforms that define FREEBL_LOWHASH, a shared library has been added: libfreeblpriv3 * Most code related to the SSL v2 has been removed, including the ability to actively send a SSL v2 compatible client hello. However, the server side implementation of the SSL/TLS protocol continues to support processing of received v2 compatible client hello messages. * NSS supports a mechanism to log SSL/TLS key material to a logfile if the environment variable named SSLKEYLOGFILE is set. NSS has been changed to disable this functionality in optimized builds by default. In order to enable the functionality in optimized builds, the symbol NSS_ALLOW_SSLKEYLOGFILE must be defined when building NSS. * NSS has been updated to be protected against the Cachebleed attack. * Support for DTLS compression has been disabled. * Support for TLS 1.3 has been improved. This includes support for DTLS 1.3. Note that TLS 1.3 support is experimental and is not suitable for production use. The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes The HG tag is NSS_3_24_RTM. NSS 3.24 requires NSPR 4.12 or newer. NSS 3.24 source distributions are available on ftp.mozilla.org for secure HTTPS download: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/ A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.24 -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
