- update to NSS 3.20
New functionality: * The TLS library has been extended to support DHE ciphersuites in server applications. New Functions: * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group parameters that can be used by NSS for a server socket. * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group parameters that are smaller than the library default's minimum size. New Types: * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in NSS that can be used with function SSL_DHEGroupPrefSet. New Macros: * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable DHE ciphersuites for a server socket. Notable Changes: * For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API. * The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bmo#1174677). * Support for the following ciphersuites has been added: - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites. * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=190
This commit is contained in:
parent
e87238be07
commit
371f571e08
@ -1,3 +1,78 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org
|
||||
|
||||
- update to NSS 3.20
|
||||
New functionality:
|
||||
* The TLS library has been extended to support DHE ciphersuites in
|
||||
server applications.
|
||||
New Functions:
|
||||
* SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
|
||||
parameters that can be used by NSS for a server socket.
|
||||
* SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
|
||||
parameters that are smaller than the library default's minimum size.
|
||||
New Types:
|
||||
* SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
|
||||
NSS that can be used with function SSL_DHEGroupPrefSet.
|
||||
New Macros:
|
||||
* SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
|
||||
DHE ciphersuites for a server socket.
|
||||
Notable Changes:
|
||||
* For backwards compatibility reasons, the server side implementation
|
||||
of the TLS library keeps all DHE ciphersuites disabled by default.
|
||||
They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
|
||||
and the SSL_OptionSet or the SSL_OptionSetDefault API.
|
||||
* The server side implementation of the TLS implementation does not
|
||||
support session tickets when using a DHE ciphersuite (see bmo#1174677).
|
||||
* Support for the following ciphersuites has been added:
|
||||
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
|
||||
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
|
||||
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
|
||||
* By default, the server side TLS implementation will use DHE
|
||||
parameters with a size of 2048 bits when using DHE ciphersuites.
|
||||
* NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
|
||||
8192 bits, which were copied from version 08 of the Internet-Draft
|
||||
"Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
|
||||
TLS", Appendix A.
|
||||
* A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
|
||||
server application to select one or multiple of the embedded DHE
|
||||
parameters as the preferred parameters. The current implementation of
|
||||
NSS will always use the first entry in the array that is passed as a
|
||||
parameter to the SSL_DHEGroupPrefSet API. In future versions of the
|
||||
TLS implementation, a TLS client might signal a preference for
|
||||
certain DHE parameters, and the NSS TLS server side implementation
|
||||
might select a matching entry from the set of parameters that have
|
||||
been configured as preferred on the server side.
|
||||
* NSS optionally supports the use of weak DHE parameters with DHE
|
||||
ciphersuites to support legacy clients. In order to enable this
|
||||
support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
|
||||
time this API is called for the first time in a process, a fresh set
|
||||
of weak DHE parameters will be randomly created, which may take a
|
||||
long amount of time. Please refer to the comments in the header file
|
||||
that declares the SSL_EnableWeakDHEPrimeGroup API for additional
|
||||
details.
|
||||
* The size of the default PQG parameters used by certutil when
|
||||
creating DSA keys has been increased to use 2048 bit parameters.
|
||||
* The selfserv utility has been enhanced to support the new DHE features.
|
||||
* NSS no longer supports C compilers that predate the ANSI C standard (C89).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 24 09:38:17 UTC 2015 - wr@rosenauer.org
|
||||
|
||||
- update to NSS 3.19.3; certstore updates only
|
||||
* The following CA certificates were removed
|
||||
- Buypass Class 3 CA 1
|
||||
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
|
||||
- SG TRUST SERVICES RACINE
|
||||
- TC TrustCenter Universal CA I
|
||||
- TC TrustCenter Class 2 CA II
|
||||
* The following CA certificate had the Websites trust bit turned off
|
||||
- ComSign Secured CA
|
||||
* The following CA certificates were added
|
||||
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
|
||||
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
|
||||
- Certinomis - Root CA
|
||||
* The version number of the updated root CA list has been set to 2.5
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 24 09:31:11 UTC 2015 - fstrba@suse.com
|
||||
|
||||
|
@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.10.8
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: sqlite-devel
|
||||
BuildRequires: zlib-devel
|
||||
Version: 3.19.2
|
||||
Version: 3.20
|
||||
Release: 0
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
@ -36,8 +36,8 @@ Summary: Network Security Services
|
||||
License: MPL-2.0
|
||||
Group: System/Libraries
|
||||
Url: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_RTM/src/nss-%{version}.tar.gz
|
||||
# hg clone https://hg.mozilla.org/projects/nss nss-3.19.2/nss ; cd nss-3.19.2/nss ; hg up NSS_3_19_2_RTM
|
||||
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/nss-%{version}.tar.gz
|
||||
# hg clone https://hg.mozilla.org/projects/nss nss-3.20/nss ; cd nss-3.20/nss ; hg up NSS_3_20_RTM
|
||||
#Source: nss-%{version}.tar.gz
|
||||
Source1: nss.pc.in
|
||||
Source3: nss-config.in
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae
|
||||
size 6953657
|
3
nss-3.20.tar.gz
Normal file
3
nss-3.20.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c
|
||||
size 6955552
|
Loading…
Reference in New Issue
Block a user