NSS 3.54 release notes¶
Introduction¶
The NSS team has released Network Security Services (NSS) 3.54 on 26 June 2020, which is a minor release.
Distribution Information¶
The HG tag is NSS_3_54_RTM. NSS 3.54 requires NSPR 4.26 or newer.
NSS 3.54 source distributions are available on ftp.mozilla.org for secure HTTPS download:
Other releases are available Release notes for recent versions of NSS.
Notable Changes in NSS 3.54¶
Support for TLS 1.3 external pre-shared keys (Bug 1603042).
Use ARM Cryptography Extension for SHA256, when available. (Bug 1528113).
Certificate Authority Changes¶
The following CA certificates were Added:
Bug 1645186 - certSIGN Root CA G2
SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
Bug 1645174 - e-Szigno Root CA 2017
SHA-256 Fingerprint: BEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99
Bug 1641716 - Microsoft ECC Root Certificate Authority 2017
SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02
Bug 1641716 - Microsoft RSA Root Certificate Authority 2017
SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0
The following CA certificates were Removed:
Bug 1645199 - AddTrust Class 1 CA Root
SHA-256 Fingerprint: 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7
Bug 1645199 - AddTrust External CA Root
SHA-256 Fingerprint: 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2
Bug 1641718 - LuxTrust Global Root 2
SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5
Bug 1639987 - Staat der Nederlanden Root CA - G2
SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F
Bug 1618402 - Symantec Class 2 Public Primary Certification Authority - G4
SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592
Bug 1618402 - Symantec Class 1 Public Primary Certification Authority - G4
SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF
Bug 1618402 - VeriSign Class 3 Public Primary Certification Authority - G3
SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244
A number of certificates had their Email trust bit disabled. See Bug 1618402 for a complete list.
Bugs fixed in NSS 3.54¶
Bug 1528113 - Use ARM Cryptography Extension for SHA256.
Bug 1603042 - Add TLS 1.3 external PSK support.
Bug 1642802 - Add uint128 support for HACL* curve25519 on Windows.
Bug 1645186 - Add “certSIGN Root CA G2” root certificate.
Bug 1645174 - Add Microsec’s “e-Szigno Root CA 2017” root certificate.
Bug 1641716 - Add Microsoft’s non-EV root certificates.
Bug 1621151 - Disable email trust bit for “O=Government Root Certification Authority; C=TW” root.
Bug 1645199 - Remove AddTrust root certificates.
Bug 1641718 - Remove “LuxTrust Global Root 2” root certificate.
Bug 1639987 - Remove “Staat der Nederlanden Root CA - G2” root certificate.
Bug 1618402 - Remove Symantec root certificates and disable email trust bit.
Bug 1640516 - NSS 3.54 should depend on NSPR 4.26.
Bug 1642146 - Fix undefined reference to `PORT_ZAlloc_stub’ in seed.c.
Bug 1642153 - Fix infinite recursion building NSS.
Bug 1642638 - Fix fuzzing assertion crash.
Bug 1642871 - Enable SSL_SendSessionTicket after resumption.
Bug 1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
Bug 1643557 - Fix numerous compile warnings in NSS.
Bug 1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
Bug 1645479 - Don’t use SECITEM_MakeItem in secutil.c.
Bug 1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
This Bugzilla query returns all the bugs fixed in NSS 3.54:
Compatibility¶
NSS 3.54 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.54 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Feedback¶
Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).