4.3 Release Notes¶
Network Security Services for Java (JSS) 4.3 is a minor release with the following new features:
SQLite-Based Shareable Certificate and Key Databases
libpkix: an RFC 3280 Compliant Certificate Path Validation Library
PKCS11 needsLogin method
support HmacSHA256, HmacSHA384, and HmacSHA512
support for all NSS 3.12 initialization options
JSS 4.3 is tri-licensed under MPL 1.1/GPL 2.0/LGPL 2.1.
A list of bug fixes and enhancement requests were implemented in this release can be obtained by running this bugzilla query
JSS 4.3 requiresNSS 3.12or higher.
New SQLite-Based Shareable Certificate and Key Databases by prepending the string “sql:” to the directory path passed to configdir parameter for Crypomanager.initialize method or using the NSS environment variable NSS environment variables.
Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see PKIXVerify)
PK11Token.needsLogin method (see needsLogin)
support HmacSHA256, HmacSHA384, and HmacSHA512 (see HMACTest.java)
support for all NSS 3.12 initialization options (see InitializationValues)
New SSL error codes (see https://mxr.mozilla.org/security/sour…util/SSLerrs.h)
SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT SSL_ERROR_UNRECOGNIZED_NAME_ALERT SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT
New TLS cipher suites (see https://mxr.mozilla.org/security/sour…SSLSocket.java):
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Note: the following TLS cipher suites are declared but are not yet implemented:
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA TLS_ECDH_anon_WITH_RC4_128_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA
JSS is checked into
The CVS tag for the JSS 4.3 release is
Source tarballs are available from https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2
Binary releases are no longer available on mozilla. JSS is a JNI library we provide the jss4.jar but expect you to build the JSS’s matching JNI shared library. We provide the jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a JCE provider and therefore the jss4.jar must be signed. https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/
Documentation for JSS 4.3 is available as follows:
For a list of reported bugs that have not yet been fixed, click here. Note that some bugs may have been fixed since JSS 4.3 was released.
JSS 4.3 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will work with JSS 4.3.
The 4.3 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS JAR file must be used with the JSS shared library from the exact same release.
To obtain the version info from the jar file use, “System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)” and to check the shared library: strings libjss4.so | grep -i header