NSS 3.45 release notes¶
The NSS team has released Network Security Services (NSS) 3.45 on 5 July 2019, which is a minor release.
The NSS team would like to recognize first-time contributors:
The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.
NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:
Other releases are available Release notes for recent versions of NSS.
New in NSS 3.45¶
PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets
*resultsto NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and
*resultswill be NULL.
Notable Changes in NSS 3.45¶
Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
This adds a new experimental function: SSL_DelegateCredential
Note: In 3.45,
selfservdoes not yet support delegated credentials. See Bug 1548360.
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set
SSLChannelInfo.authKeyBitsto that of the delegated credential for better policy enforcement. See Bug 1563078.
Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
Bug 1551129 - Support static linking on Windows
Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
Bug 1546229 - Add IPSEC IKE support to softoken
Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
Bug 1543874 - Expose an external clock for SSL
This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
Bug 1546477 - Various changes in response to the ongoing FIPS review
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
Bugs fixed in NSS 3.45¶
Bug 1540541 - Don’t unnecessarily strip leading 0’s from key material during PKCS11 import (CVE-2019-11719)
Bug 1515342 - More thorough input checking (CVE-2019-11729)
Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
Bug 1550022 - Ensure nssutil3 gets built on Android
Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure
Bug 1549382 - Don’t leak in PKCS#11 modules if C_GetSlotInfo() returns error
Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
Bug 1553443 - Send session ticket only after handshake is marked as finished
Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
Bug 1554336 - Optimize away unneeded loop in mpi.c
Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn’t work
Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
This Bugzilla query returns all the bugs fixed in NSS 3.45:
NSS 3.45 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.45 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).