-version 3.15.2
- Support for AES-GCM ciphersuites that use the SHA-256 PRF
- MD2, MD4, and MD5 signatures are no longer accepted for OCSP
or CRLs,
- Add PK11_CipherFinal macro
- sizeof() used incorrectly
- nssutil_ReadSecmodDB() leaks memory
- Allow SSL_HandshakeNegotiatedExtension to be called before
the handshake is finished.
- Deprecate the SSL cipher policy code
- (CVE-2013-1739) Avoid uninitialized data read in the
event of a decryption failure.
OBS-URL: https://build.opensuse.org/request/show/201249
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=133
* TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
(RFC 5246 and RFC 5289) are supported, allowing TLS to be used
without MD5 and SHA-1.
Note the following limitations:
The hash function used in the signature for TLS 1.2 client
authentication must be the hash function of the TLS 1.2 PRF,
which is always SHA-256 in NSS 3.15.1.
AES GCM cipher suites are not yet supported.
* some bugfixes and improvements
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=128
* Packaging
+ removed obsolete patches
* nss-disable-expired-testcerts.patch
* bug-834091.patch
* New Functionality
+ Support for OCSP Stapling (RFC 6066, Certificate Status
Request) has been added for both client and server sockets.
TLS client applications may enable this via a call to
SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+ Added function SECITEM_ReallocItemV2. It replaces function
SECITEM_ReallocItem, which is now declared as obsolete.
+ Support for single-operation (eg: not multi-part) symmetric
key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
+ certutil has been updated to support creating name constraints
extensions.
* New Functions
in ssl.h
SSL_PeerStapledOCSPResponse - Returns the server's stapled
OCSP response, when used with a TLS client socket that
negotiated the status_request extension.
SSL_SetStapledOCSPResponses - Set's a stapled OCSP response
for a TLS server socket to return when clients send the
status_request extension.
in ocsp.h
CERT_PostOCSPRequest - Primarily intended for testing, permits
the sending and receiving of raw OCSP request/responses.
in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
signature at a specific time other than the present time.
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=124
* No new major functionality is introduced in this release. This
release is a patch release to address CVE-2013-1620 (bmo#822365)
* "certutil -a" was not correctly producing ASCII output as
requested. (bmo#840714)
* NSS 3.14.2 broke compilation with older versions of sqlite that
lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now
properly compiles when used with older versions of sqlite
(bmo#837799) - remove system-sqlite.patch
- add aarch64 support
- added system-sqlite.patch (bmo#837799)
* do not depend on latest sqlite just for a #define
- enable system sqlite usage again
- update to 3.14.2
* required for Firefox >= 20
* removed obsolete nssckbi update patch
- disable system sqlite usage since we depend on 3.7.15 which is
not provided in any openSUSE distribution
* add nss-sqlitename.patch to avoid any name clash
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=116
* Support for TLS 1.1 (RFC 4346)
* Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
* Support for AES-CTR, AES-CTS, and AES-GCM
* Support for Keying Material Exporters for TLS (RFC 5705)
* Support for certificate signatures using the MD5 hash algorithm
is now disabled by default
* The NSS license has changed to MPL 2.0. Previous releases were
released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more
information about MPL 2.0, please see
http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
explanation on GPL/LGPL compatibility, see security/nss/COPYING
in the source code.
* Export and DES cipher suites are disabled by default. Non-ECC
AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network
(nss-disable-ocsp-test.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=105
* better SHA-224 support (bmo#647706)
* fixed a regression (causing hangs in some situations)
introduced in 3.13 (bmo#693228)
- update to 3.13.0 RTM
* SSL 2.0 is disabled by default
* A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
PR_FALSE to disable it.
* SHA-224 is supported
* Ported to iOS. (Requires NSPR 4.9.)
* Added PORT_ErrorToString and PORT_ErrorToName to return the
error message and symbolic name of an NSS error code
* Added NSS_GetVersion to return the NSS version string
* Added experimental support of RSA-PSS to the softoken only
* NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
anymore (bmo#641052, bnc#726096)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=89