From 186557c50ad12d90e15e31c43d81871c2b7d7fcb03083298367c05b8df150e87 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Thu, 9 Jan 2014 10:24:37 +0000 Subject: [PATCH] * Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877) New functionality * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. * Implemented OCSP server functionality for testing purposes (httpserv utility). * Support SHA-1 signatures with TLS 1.2 client authentication. * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. * Added the -w command-line option to pp: don't wrap long output lines. New functions * CERT_ForcePostMethodForOCSP * CERT_GetSubjectNameDigest * CERT_GetSubjectPublicKeyDigest * SSL_PeerCertificateChain * SSL_RecommendedCanFalseStart * SSL_SetCanFalseStartCallback New types * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=147 --- mozilla-nss.changes | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 9353416..eeb0005 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -4,8 +4,36 @@ Tue Jan 7 08:39:04 UTC 2014 - wr@rosenauer.org - update to 3.15.4 * required for Firefox 27 * regular CA root store update (1.96) - * some OSCP improvments - * other bugfixes + * Reordered the cipher suites offered in SSL/TLS client hello + messages to match modern best practices. + * Improved SSL/TLS false start. In addition to enabling the + SSL_ENABLE_FALSE_START option, an application must now register + a callback using the SSL_SetCanFalseStartCallback function. + * When false start is enabled, libssl will sometimes return + unencrypted, unauthenticated data from PR_Recv + (CVE-2013-1740, bmo#919877) + New functionality + * Implemented OCSP querying using the HTTP GET method, which is + the new default, and will fall back to the HTTP POST method. + * Implemented OCSP server functionality for testing purposes + (httpserv utility). + * Support SHA-1 signatures with TLS 1.2 client authentication. + * Added the --empty-password command-line option to certutil, + to be used with -N: use an empty password when creating a new + database. + * Added the -w command-line option to pp: don't wrap long output + lines. + New functions + * CERT_ForcePostMethodForOCSP + * CERT_GetSubjectNameDigest + * CERT_GetSubjectPublicKeyDigest + * SSL_PeerCertificateChain + * SSL_RecommendedCanFalseStart + * SSL_SetCanFalseStartCallback + New types + * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, + libpkix will never attempt to use the HTTP GET method for OCSP + requests; it will always use POST. - removed obsolete char.patch -------------------------------------------------------------------
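Review bot: The added bullet for CVE-2013-1740 ("When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv") states the defect in the present tense and never says it was fixed, so someone scanning the changelog can read it as behaviour of 3.15.4. Suggest rewording it as a fix, for example "Fixed: with false start enabled, libssl could return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877)", and moving it to the top of the entry, since it is the only item here carrying a CVE reference. The bullet just above it describes an API behaviour change (setting SSL_ENABLE_FALSE_START alone is no longer enough; a callback must be registered with SSL_SetCanFalseStartCallback), so it is worth marking as something maintainers of dependent packages should check. Minor: CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP is listed under "New types" while its own description calls it a flag. Also note that the commit is dated 9 Jan 2014 but edits the existing "Tue Jan 7 08:39:04 UTC 2014" entry in place, which is fine if that entry was never released, otherwise a new dated entry would keep the history accurate.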