NSS 3.31 release notes


The Network Security Services (NSS) team has released NSS 3.31, which is a minor release.

Distribution information

The hg tag is NSS_3_31_RTM. NSS 3.31 requires Netscape Portable Runtime (NSPR) 4.15 or newer.

NSS 3.31 source distributions are available on ftp.mozilla.org for secure HTTPS download:

New in NSS 3.31

New Functionality

  • Allow certificates to be specified by RFC7512 PKCS#11 URIs.

  • Allow querying a certificate object for its temporary or permanent storage status in a thread safe way.

New Functions

  • in cert.h

    • CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a certificate in a thread safe way.

    • CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a certificate in a thread safe way.

  • in pk11pub.h

    • PK11_FindCertFromURI - find a certificate identified by the given URI.

    • PK11_FindCertsFromURI - find a list of certificates identified by the given URI.

    • PK11_GetModuleURI - retrieve the URI of the given module.

    • PK11_GetTokenURI - retrieve the URI of a token based on the given slot information.

  • in pkcs11uri.h

    • PK11URI_CreateURI - create a new PK11URI object from a set of attributes.

    • PK11URI_DestroyURI - destroy a PK11URI object.

    • PK11URI_FormatURI - format a PK11URI object to a string.

    • PK11URI_GetPathAttribute - retrieve a path attribute with the given name.

    • PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.

    • PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.

New Macros

  • in pkcs11uri.h

    • Several new macros that start with PK11URI_PATTR_ for path attributes defined in RFC7512.

    • Several new macros that start with PK11URI_QATTR_ for query attributes defined in RFC7512.

Notable Changes in NSS 3.31

  • The APIs that set a TLS version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured. SSL_VersionRangeGetSupported can be used to query the overlap between the library’s supported range of TLS versions and the systemwide policy.

  • Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a failure if the requested version range wasn’t fully allowed by the systemwide crypto policy. They have been changed to return success, if at least one TLS version overlaps between the requested range and the systemwide policy. An application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to query the TLS version range that was effectively activated.

  • Corrected the encoding of Domain Name Constraints extensions created by certutil

  • NSS supports a clean seeding mechanism for *NIX systems now using only /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile time.

  • CERT_AsciiToName can handle OIDs in dotted decimal form now.


NSS 3.31 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.31 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).