diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 338bc47..78a8222 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -1,3 +1,58 @@ +------------------------------------------------------------------- +Thu Feb 8 06:11:12 UTC 2018 - wr@rosenauer.org + +- update to NSS 3.35 + New functionality + * TLS 1.3 support has been updated to draft -23. This includes a + large number of changes since 3.34, which supported only draft + -18. See below for details. + New Types + * SSLHandshakeType - The type of a TLS handshake message. + * For the SSLSignatureScheme enum, the enumerated values + ssl_sig_rsa_pss_sha* are deprecated in response to a change in + TLS 1.3. Please use the equivalent ssl_sig_rsa_pss_rsae_sha* + for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha* for PSS keys. + Note that this release does not include support for the latter. + Notable Changes + * Previously, NSS used the DBM file format by default. Starting + with version 3.35, NSS uses the SQL file format by default. + Additional information can be found on this Fedora Linux project + page: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql + * Added formally verified implementations of non-vectorized Chacha20 + and non-vectorized Poly1305 64-bit. + * For stronger security, when creating encrypted PKCS#7 or PKCS#12 data, + the iteration count for the password based encryption algorithm + has been increased to one million iterations. Note that debug builds + will use a lower count, for better performance in test environments. + * NSS 3.30 had introduced a regression, preventing NSS from reading + some AES encrypted data, produced by older versions of NSS. + NSS 3.35 fixes this regression and restores the ability to read + affected data. 
+ * The following CA certificates were Removed: + OU = Security Communication EV RootCA1 + CN = CA Disig Root R1 + CN = DST ACES CA X6 + Subject CN = VeriSign Class 3 Secure Server CA - G2 + * The Websites (TLS/SSL) trust bit was turned off for the following + CA certificates: + CN = Chambers of Commerce Root + CN = Global Chambersign Root + * TLS servers are able to handle a ClientHello statelessly, if the + client supports TLS 1.3. If the server sends a HelloRetryRequest, + it is possible to discard the server socket, and make a new socket + to handle any subsequent ClientHello. This better enables stateless + server operation. (This feature is added in support of QUIC, but it + also has utility for DTLS 1.3 servers.) + * The tstclnt utility now supports DTLS, using the -P option. Note that + a DTLS server is also provided in tstclnt. + * TLS compression is no longer possible with NSS. The option can be + enabled, but NSS will no longer negotiate compression. + * The signatures of functions SSL_OptionSet, SSL_OptionGet, + SSL_OptionSetDefault and SSL_OptionGetDefault have been modified, + to take a PRIntn argument rather than PRBool. This makes it clearer, + that options can have values other than 0 or 1. Note this does + not affect ABI compatibility, because PRBool is a typedef for PRIntn. + ------------------------------------------------------------------- Tue Jan 9 12:50:19 UTC 2018 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 3b0c366..a4f90de 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -2,7 +2,7 @@ # spec file for package mozilla-nss # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. -# Copyright (c) 2006-2017 Wolfgang Rosenauer +# Copyright (c) 2006-2018 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,15 +17,15 @@ # -%global nss_softokn_fips_version 3.34.1 +%global nss_softokn_fips_version 3.35 Name: mozilla-nss BuildRequires: gcc-c++ -BuildRequires: mozilla-nspr-devel >= 4.17 +BuildRequires: mozilla-nspr-devel >= 4.18 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.34.1 +Version: 3.35 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_1_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.34.1/nss ; cd nss-3.34.1/nss ; hg up NSS_3_34_1_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_35_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.35/nss ; cd nss-3.35/nss ; hg up NSS_3_35_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in @@ -88,7 +88,7 @@ Summary: Network (Netscape) Security Services development files Group: Development/Libraries/C and C++ Requires: libfreebl3 Requires: libsoftokn3 -Requires: mozilla-nspr-devel >= 4.17 +Requires: mozilla-nspr-devel >= 4.18 Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 diff --git a/nss-3.34.1.tar.gz b/nss-3.34.1.tar.gz deleted file mode 100644 index 98622ed..0000000 --- a/nss-3.34.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a3c15d367caf784f33d96dbafbdffc16a8e42fb8c8aedfce97bf92a9f918dda0 -size 9562876 diff --git a/nss-3.35.tar.gz b/nss-3.35.tar.gz new file mode 100644 index 0000000..d65fb97 --- /dev/null +++ b/nss-3.35.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f4127de09bede39f5fd0f789d33c3504c5d261e69ea03022d46b319b3e32f6fa +size 9620041
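Review bot: In the mozilla-nss.changes entry, the "Notable Changes" item on the default moving from the DBM to the SQL file format describes a behaviour change for every consumer with an existing database directory, but the entry does not say what the package does about it. Suggest adding one packaging-specific line stating whether existing DBM databases keep working after the update and how a user who still needs the old format selects it (for example the `dbm:` directory prefix or the NSS_DEFAULT_DB_TYPE environment variable), so administrators do not have to follow the Fedora wiki link to find out. Minor style points in the same entry: "Removed" is capitalised mid-sentence, and the fourth removed certificate is listed as "Subject CN =" while the others use "CN =".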
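Review bot: In mozilla-nss.spec the NSPR floor is raised by hand in two places, `BuildRequires: mozilla-nspr-devel >= 4.18` in the main package and `Requires: mozilla-nspr-devel >= 4.18` in the devel subpackage, and nothing ties the two together. Suggest defining the minimum once (a %global at the top, next to nss_softokn_fips_version) and using it in both lines so a later bump cannot leave the devel package with a lower requirement than the build. The same applies to the release tag: `NSS_3_35_RTM` is hard-coded in the Source URL and in the hg comment alongside `%{version}`, so the tag and the version can drift apart on the next update.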
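Review bot: In the nss-3.35.tar.gz hunk the Git LFS pointer (`oid sha256:f4127de0…` with `size 9620041`) is the only integrity record for the new source archive, and neither the changes entry nor the visible spec lines record where that digest was checked. Suggest noting in the commit or changelog that the digest was compared against the checksum upstream publishes for NSS_3_35_RTM, fetched from the https Source URL, so a reviewer can reproduce the comparison instead of trusting the committed blob.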