NSS 3.14.1 release notes


Network Security Services (NSS) 3.14.1 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.1 are described in the “Bugs Fixed” section below.

NSS 3.14.1 is licensed under the MPL 2.0.

Distribution Information

The CVS tag is NSS_3_14_1_RTM. NSS 3.14.1 requires NSPR 4.9.4 or newer.

NSS 3.14.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:

New in NSS 3.14.1

New Functionality

  • NSS now has the ability to create signed OCSP responses.

    • This capability was added in NSS 3.14.1. Note that this code is used primarily for testing.

New Functions

  • in ocspt.h

    • CERT_CreateOCSPSingleResponseGood

    • CERT_CreateOCSPSingleResponseUnknown

    • CERT_CreateOCSPSingleResponseRevoked

    • CERT_CreateEncodedOCSPSuccessResponse

    • CERT_CreateEncodedOCSPErrorResponse

New Types

  • in ocspt.h

    • CERTOCSPResponderIDType

Notable Changes in NSS 3.14.1

  • Windows CE support has been removed from the code base.

  • Bug 812399 - In NSS 3.14, a regression caused Bug 641052 / CVE-2011-3640 to be reintroduced in certain situations. This regression only affected applications that initialize NSS via the NSS_NoDB_Init function. NSS 3.14.1 includes the complete fix for this issue.

  • Bug 357025 - NSS 3.14 added support for tokens that make use of CKA_ALWAYS_AUTHENTICATE. However, when authenticating with such tokens, it was possible for an internal lock to be acquired twice, causing a hang. This hang has been fixed in NSS 3.14.1.

  • Bug 802429 - In previous versions of NSS, the “cipherOrder” slot configuration flag was not respected; the most recently added slot that supported the requested PKCS#11 mechanism was used instead. NSS now correctly respects the supplied cipherOrder. As a result, cryptographic operations may now occur on a different PKCS#11 token in applications that use multiple PKCS#11 modules, do not indicate which tokens should be used by default for particular algorithms, and make use of cipherOrder.

  • Bug 802429 - The NSS softoken is now the default token for SHA-256 and SHA-512. In previous versions of NSS, these algorithms would be handled by the most recently added PKCS#11 token that supported them.

  • Bug 611451 - When built with the current version of Apple Xcode on Mac OS X, the NSS shared libraries now export only the public NSS functions.

  • Bug 810582 - TLS False Start is now only used with servers that negotiate a cipher suite that supports forward secrecy. Note: The criteria for False Start may change again in future NSS releases.


NSS 3.14.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.14.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered in this release should be reported by filing a bug report at https://bugzilla.mozilla.org with the Product of NSS.