NSS 3.12.4 release notes


Newsgroup:mozilla.dev.tech.crypto .. rubric:: Introduction



Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.4 are described in the “Bugs Fixed” section below.

NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.

Distribution Information

This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot, with the CVS tag NSS_3_12_4_RTM.

NSS 3.12.4 requires NSPR 4.8. This is not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR 4.7.1 or later.

You can check out the source from CVS by


cvs co -r NSPR_4_8_RTM NSPR cvs co -r NSS_3_12_4_RTM NSS

See the Documentation section for the build instructions.

NSS 3.12.4 source is also available on ftp.mozilla.org for secure HTTPS download:

Major changes in NSS 3.12.4

  • NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation. Currently NSS 3.12.4 is in the “Review Pending” state in the FIPS 140-2 pre-validation list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

  • Added CRL Distribution Point support (see cert.h). CERT_DecodeCRLIssuingDistributionPoint CERT_FindCRLIssuingDistPointExten

  • The old documentation of the expression matching syntax rules was incorrect, and the new corrected documentation is as follows for public nssutil functions (see portreq.h):

    • PORT_RegExpValid

    • PORT_RegExpSearch

    • PORT_RegExpCaseSearch

  • These functions will match a string with a shell expression. The expressions accepted are based loosely on the expressions accepted by zsh. Expected return values:

    • NON_SXP if exp is a standard string

    • INVALID_SXP if exp is a shell expression, but invalid

    • VALID_SXP if exp is a valid shell expression

    Expression matching rules:

    • * matches anything

    • ? matches one character

    • \ will escape a special character

    • $ matches the end of the string

    • Bracketed expressions: [abc] matches one occurrence of a, b, or c. [^abc] matches any character except a, b, or c. To be matched between [ and ], these characters must be escaped: \ ] No other characters need be escaped between brackets. Unnecessary escaping is permitted.

    • [a-z] matches any character between a and z, inclusive. The two range-definition characters must be alphanumeric ASCII. If one is upper case and the other is lower case, then the ASCII non-alphanumeric characters between Z and a will also be in range.

    • [^a-z] matches any character except those between a and z, inclusive. These forms cannot be combined, e.g [a-gp-z] does not work.

    • Exclusions: As a top level, outter-most expression only, the expression foo~bar will match the expression foo, provided it does not also match the expression bar. Either expression or both may be a union. Except between brackets, any unescaped ~ is an exclusion. At most one exclusion is permitted. Exclusions cannot be nested (contain other exclusions). example: *~abc will match any string except abc

    • Unions: (foo|bar) will match either the expression foo, or the expression bar. At least one ‘|’ separator is required. More are permitted. Expressions inside unions may not include unions or exclusions. Inside a union, to be matched and not treated as a special character, these characters must be escaped: \ ( | ) [ ~ except when they occur inside a bracketed expression, where only \ and ] require escaping.

  • New functions in the nss shared library:

    • PK11_IsInternalKeySlot (see pk11pub.h)

    • SECMOD_OpenNewSlot (see pk11pub.h)

  • New error codes (see secerr.h):



  • New OIDs (see secoidt.h)


  • The nssckbi PKCS #11 module’s version changed to 1.75.

  • Obsolete code for Win16 has been removed.

  • Support for OpenVMS has been removed.

Bugs Fixed

The following bugs have been fixed in NSS 3.12.4.

  • Bug 321755: implement crlDistributionPoint extension in libPKIX

  • Bug 391434: avoid multiple encoding/decoding of PKIX_PL_OID to and from ascii string

  • Bug 405297: Problems building nss/lib/ckfw/capi/ with MingW GCC

  • Bug 420991: libPKIX returns wrong NSS error code

  • Bug 427135: Add super-H (sh3,4) architecture support

  • Bug 431958: Improve DES and SHA512 for x86_64 platform

  • Bug 433791: Win16 support should be deleted from NSS

  • Bug 449332: SECU_ParseCommandLine does not validate its inputs

  • Bug 453735: When using cert9 (SQLite3) DB, set or change master password fails

  • Bug 463544: warning: passing enum* for an int* argument in pkix_validate.c

  • Bug 469588: Coverity errors reported for softoken

  • Bug 470055: pkix_HttpCertStore_FindSocketConnection reuses closed socket

  • Bug 470070: Multiple object leaks reported by tinderbox

  • Bug 470479: IO timeout during cert fetching makes libpkix abort validation.

  • Bug 470500: Firefox 3.1b2 Crash Report [[@ nssutil3.dll@0x34c0 ]

  • Bug 482742: Enable building util independently of the rest of nss

  • Bug 483653: unable to build certutil.exe for fennec/wince

  • Bug 485145: Miscellaneous crashes in signtool on Windows

  • Bug 485155: NSS_ENABLE_PKIX_VERIFY=1 causes sec_error_unknown_issuer errors

  • Bug 485527: Rename the _X86_ macro in lib/freebl

  • Bug 485658: vfychain -p reports revoked cert

  • Bug 485745: modify fipstest.c to support CAVS 7.1 DRBG testing

  • Bug 486304: cert7.db/cert8.db corruption when importing a large certificate (>64K)

  • Bug 486405: Allocator mismatches in pk12util.c

  • Bug 486537: Disable execstack in freebl x86_64 builds on Linux

  • Bug 486698: Facilitate the building of major components independently and in a chain manner by downstream distributions

  • Bug 486999: Calling SSL_SetSockPeerID a second time leaks the previous value

  • Bug 487007: Make lib/jar conform to NSS coding style

  • Bug 487162: ckfw/capi build failure on windows

  • Bug 487239: nssutil.rc doesn’t compile on WinCE

  • Bug 487254: sftkmod.c uses POSIX file IO Functions on WinCE

  • Bug 487255: sdb.c uses POSIX file IO Functions on WinCE

  • Bug 487487: CERT_NameToAscii reports !Invalid AVA! whenever value exceeds 384 bytes

  • Bug 487736: libpkix passes wrong argument to DER_DecodeTimeChoice and crashes

  • Bug 487858: Remove obsolete build options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD

  • Bug 487884: object leak in libpkix library upon error

  • Bug 488067: PK11_ImportCRL reports SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL

  • Bug 488350: NSPR-free freebl interface need to do post tests only in fips mode.

  • Bug 488396: DBM needs to be FIPS certifiable.

  • Bug 488550: crash in certutil or pp when printing cert with empty subject name

  • Bug 488992: Fix lib/freebl/win_rand.c warnings

  • Bug 489010: stop exporting mktemp and dbopen (again)

  • Bug 489287: Resolve a few remaining issues with NSS’s new revocation flags

  • Bug 489710: byteswap optimize for MSVC++

  • Bug 490154: Cryptokey framework requires module to implement GenerateKey when they support KeyPairGeneration

  • Bug 491044: Remove support for VMS (a.k.a., OpenVMS) from NSS

  • Bug 491174: CERT_PKIXVerifyCert reports wrong error code when EE cert is expired

  • Bug 491919: cert.h doesn’t have valid functions prototypes

  • Bug 492131: A failure to import a cert from a P12 file leaves error code set to zero

  • Bug 492385: crash freeing named CRL entry on shutdown

  • Bug 493135: bltest crashes if it can’t open the input file

  • Bug 493364: can’t build with –disable-dbm option when not cross-compiling

  • Bug 493693: SSE2 instructions for bignum are not implemented on OS/2

  • Bug 493912: sqlite3_reset should be invoked in sdb_FindObjectsInit when error occurs

  • Bug 494073: update RSA/DSA powerupself tests to be compliant for 2011

  • Bug 494087: Passing NULL as the value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam

  • Bug 494107: During NSS_NoDB_Init(), softoken tries but fails to load libsqlite3.so crash [@ @0x0 ]

  • Bug 495097: sdb_mapSQLError returns signed int

  • Bug 495103: NSS_InitReadWrite(sql:<dbdir>) causes NSS to look for sql:<dbdir>/libnssckbi.so

  • Bug 495365: Add const to the ‘nickname’ parameter of SEC_CertNicknameConflict

  • Bug 495656: NSS_InitReadWrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in <configdir>.

  • Bug 495717: Unable to compile nss/cmd/certutil/keystuff.c on WinCE

  • Bug 496961: provide truncated HMAC support for testing tool fipstest

  • Bug 497002: Lab required nspr-free freebl changes.

  • Bug 497217: The first random value ever generated by the RNG should be discarded

  • Bug 498163: assert if profile path contains cyrillic chars. [[@isspace - secmod_argIsBlank - secmod_argHasBlanks - secmod_formatPair - secmod_mkNewModuleSpec]

  • Bug 498509: Produce debuggable optimized builds for Mozilla on MacOSX

  • Bug 498511: Produce debuggable optimized NSS builds for Mozilla on Linux

  • Bug 499385: DRBG Reseed function needs to be tested on POST

  • Bug 499825: utilrename.h is missing from Solaris packages

  • Bug 502961: Allocator mismatch in pk11mode

  • Bug 502965: Allocator mismatch in sdrtest

  • Bug 502972: Another allocator mismatch in sdrtest

  • Bug 504398: pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails

  • Bug 504405: pkix_pl_CrlDp_Create will fail on alloc success because of a missing !

  • Bug 504408: pkix_pl_CrlDp_Create will always fail if dp->distPointType != generalName

  • Bug 504456: Exploitable heap overflow in NSS shell expression (filename globbing) parsing

  • Bug 505559: Need function to identify the one and only default internal private key slot.

  • Bug 505561: Need a generic function a la SECMOD_OpenUserDB() that can be used on non-softoken modules.

  • Bug 505858: NSS_RegisterShutdown can return without unlocking nssShutdownList.lock

  • Bug 507041: Invalid build options for VC6

  • Bug 507228: coreconf.dep doesn’t need to contain the NSS version number

  • Bug 507422: crash [[@ PORT_FreeArena - lg_mkSecretKeyRep] when PORT_NewArena fails

  • Bug 507482: NSS 3.12.3 (and later) doesn’t build on AIX 5.1

  • Bug 507937: pwdecrypt program problems

  • Bug 508259: Pk11mode crashed on Linux2.4

  • Bug 508467: libpkix ocsp checker should use date argument to obtain the time for cert validity verification

  • Bug 510367: Fix the UTF8 characters in the nickname string for AC Raíz Certicamara S.A.


For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and revised documents available since the release of NSS 3.12 include the following:


NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with mozilla.org Bugzilla (product NSS).