* no releasenotes available yet
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes
- update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
- refreshed patches
- Firefox 90.0 requires NSS 3.66
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=361
* required by Firefox 63.0
Notable bug fixes
* NSS responded to an SSLv2-compatible ClientHello with a
ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128)
New functionality
* The tstclnt and selfserv utilities added support for configuring
the enabled TLS signature schemes using the -J parameter.
* NSS will use RSA-PSS keys to authenticate in TLS. Support for
these keys is disabled by default but can be enabled using
SSL_SignatureSchemePrefSet().
* certutil added the ability to delete an orphan private key from
an NSS key database.
* Added the nss-policy-check utility, which can be used to check
an NSS policy configuration for problems.
* A PKCS#11 URI can be used as an identifier for a PKCS#11 token.
Notable changes
* The TLS 1.3 implementation uses the final version number from
RFC 8446.
* Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature
where the DigestInfo structure was missing the NULL parameter.
Starting with version 3.39, NSS requires the encoding to contain
the NULL parameter.
* The tstclnt and selfserv test utilities no longer accept the -z
parameter, as support for TLS compression was removed in a
previous NSS version.
* The CA certificates list was updated to version 2.26.
* The following CA certificates were Added:
- OU = GlobalSign Root CA - R6
- CN = OISTE WISeKey Global Root GC CA
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=272
* Packaging
+ removed obsolete patches
* nss-disable-expired-testcerts.patch
* bug-834091.patch
* New Functionality
+ Support for OCSP Stapling (RFC 6066, Certificate Status
Request) has been added for both client and server sockets.
TLS client applications may enable this via a call to
SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+ Added function SECITEM_ReallocItemV2. It replaces function
SECITEM_ReallocItem, which is now declared as obsolete.
+ Support for single-operation (eg: not multi-part) symmetric
key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
+ certutil has been updated to support creating name constraints
extensions.
* New Functions
in ssl.h
SSL_PeerStapledOCSPResponse - Returns the server's stapled
OCSP response, when used with a TLS client socket that
negotiated the status_request extension.
SSL_SetStapledOCSPResponses - Set's a stapled OCSP response
for a TLS server socket to return when clients send the
status_request extension.
in ocsp.h
CERT_PostOCSPRequest - Primarily intended for testing, permits
the sending and receiving of raw OCSP request/responses.
in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
signature at a specific time other than the present time.
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=124
