016b870c09
* MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
Wolfgang Rosenauer
2015-12-26 07:22:03 +00:00
3463e0c188
- update to NSS 3.20.2 (bnc#959888)
Wolfgang Rosenauer
2015-12-23 12:24:51 +00:00
7b02230ef1
- update to NSS 3.20.2 - update to NSS 3.20.1 (bnc#952810)
Wolfgang Rosenauer
2015-12-20 10:13:48 +00:00
262b0bfec9
- update to NSS 4.20.2
Wolfgang Rosenauer
2015-12-19 17:14:46 +00:00
107f9eab33
- update to NSS 4.20.1 * requires NSPR 4.10.10
Wolfgang Rosenauer
2015-10-31 09:29:52 +00:00
16cc82dd1a
Accepting request 335620 from mozilla:Factory
Stephan Kulow
2015-10-03 18:28:20 +00:00
4453cedcca
Accepting request 333502 from Java:Factory
Wolfgang Rosenauer
2015-09-24 17:37:48 +00:00
371f571e08
- update to NSS 3.20 New functionality: * The TLS library has been extended to support DHE ciphersuites in server applications. New Functions: * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group parameters that can be used by NSS for a server socket. * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group parameters that are smaller than the library default's minimum size. New Types: * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in NSS that can be used with function SSL_DHEGroupPrefSet. New Macros: * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable DHE ciphersuites for a server socket. Notable Changes: * For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API. * The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bmo#1174677). * Support for the following ciphersuites has been added: - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites. * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft
Wolfgang Rosenauer
2015-09-24 10:20:12 +00:00
e87238be07
Accepting request 333436 from Java:Factory
Wolfgang Rosenauer
2015-09-24 09:37:13 +00:00
7bca256381
Accepting request 315776 from mozilla:Factory
Stephan Kulow
2015-07-19 09:44:24 +00:00
11da47024a
(MFSA 2015-70/CVE-2015-4000) * NSS incorrectly permits skipping of ServerKeyExchange (bmo#1086145) (MFSA 2015-71/CVE-2015-2721)
Wolfgang Rosenauer
2015-07-03 05:51:39 +00:00
b075d41608
Accepting request 313427 from home:msmeissn:branches:mozilla:Factory
Wolfgang Rosenauer
2015-06-24 17:52:00 +00:00
c13c2fe84e
- update to 3.19.2 * required for Firefox 39.0 * No new functionality is introduced in this release. This release addresses a backwards compatibility issue with the NSS 3.19.1 release. * In NSS 3.19.1, the minimum key sizes that the freebl cryptographic implementation (part of the softoken cryptographic module used by default by NSS) was willing to generate or use was increased - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix for Bug 1138554 / CVE-2015-4000. Applications that requested or attempted to use keys smaller then the minimum size would fail. However, this change in behaviour unintentionally broke existing NSS applications that need to generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey.
Wolfgang Rosenauer
2015-06-23 06:04:19 +00:00
8cb655bd59
- update to 3.19.1 No new functionality is introduced in this release. This patch release includes a fix for the recently published logjam attack. Notable Changes: * The minimum strength of keys that libssl will accept for finite field algorithms (RSA, Diffie-Hellman, and DSA) have been increased to 1023 bits (bmo#1138554). * NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have leading zero values. This affects the key strength values that are reported by SSL_GetChannelInfo.
Wolfgang Rosenauer
2015-05-31 13:26:05 +00:00
fac2c66773
- update to 3.19 * Firefox target release 39 New functionality: * For some certificates, such as root CA certificates, that don't embed any constraints, NSS might impose additional constraints, such as name constraints. A new API has been added that allows to lookup imposed constraints. * It is possible to override the directory in which the NSS build system will look for the sqlite library. New Functions: * CERT_GetImposedNameConstraints Notable Changes: * The SSL 3 protocol has been disabled by default. * NSS now more strictly validates TLS extensions and will fail a handshake that contains malformed extensions. * Fixed a bug related to the ordering of TLS handshake messages. * In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm, in order to be compatible with TLS servers that use certificates with a SHA512 signature.
Wolfgang Rosenauer
2015-05-23 08:54:34 +00:00
c298c0a55c
Accepting request 303844 from mozilla:Factory
Stephan Kulow
2015-04-25 14:47:27 +00:00
aac1edd658
- update to 3.18.1 * Firefox target release 38 * No new functionality is introduced in this release. Notable Changes: * The following CA certificate had the Websites and Code Signing trust bits restored to their original state to allow more time to develop a better transition strategy for affected sites: - OU = Equifax Secure Certificate Authority * The following CA certificate was removed: - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi * The following intermediate CA certificate has been added as actively distrusted because it was mis-used to issue certificates for domain names the holder did not own or control: - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG * The version number of the updated root CA list has been set to 2.4
Wolfgang Rosenauer
2015-04-23 06:38:33 +00:00
61e5bbef43
- add the changes file as source so the .src.rpm builds (used for fake build time)
Wolfgang Rosenauer
2015-04-03 20:30:47 +00:00
7803242e62
- update to 3.18 * Firefox target release 38 New functionality: * When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. * The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt without providing a database (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may either be the nssckbi library provided by NSS (-b) or another compatible library (-R). New Functions: * SEC_CheckCrlTimes * SEC_GetCrlTimes * SEC_PKCS12DecoderRenameCertNicknames New Types: * SEC_PKCS12NicknameRenameCallback Notable Changes: * The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2. * The default key size used by certutil when creating an RSA key pair has been increased from 1024 bits to 2048 bits.
Wolfgang Rosenauer
2015-04-03 08:58:03 +00:00
7e56ae74c1
- update to 3.17.4 * Firefox target release 36 Notable Changes: * bmo#1084986: If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP). * bmo#1112461: libpkix was fixed to prefer the newest certificate, if multiple certificates match. * bmo#1094492: fixed a memory corruption issue during failure of keypair generation. * bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode. * bmo#1119983: fixed interoperability of NSS server code with a LibreSSL client.
Wolfgang Rosenauer
2015-01-31 18:08:08 +00:00
f2d1031ce6
- update to 3.17.3 * Firefox target release 36 New functionality: * Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities Notable Changes: * The QuickDER decoder now decodes lengths robustly (CVE-2014-1569) * The following 1024-bit CA certificates were removed: - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 * The following CA certificates had the Websites and Code Signing trust bits turned off: - Class 3 Public Primary Certification Authority - G2 - Equifax Secure eBusiness CA-1 * The following CA certificates were added: - COMODO RSA Certification Authority - USERTrust RSA Certification Authority - USERTrust ECC Certification Authority - GlobalSign ECC Root CA - R4 - GlobalSign ECC Root CA - R5 * the version number of the updated root CA list has been set to 2.2
Wolfgang Rosenauer
2014-12-27 12:24:22 +00:00
1aee2e618e
Accepting request 258176 from mozilla:Factory
Stephan Kulow
2014-10-29 20:09:05 +00:00
99b3c1bb3c
- update to 3.17.2 Bugfix release * bmo#1049435 - Importing an RSA private key fails if p < q * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key * bmo#1078669 - certutil crashes when using the --certVersion parameter
Wolfgang Rosenauer
2014-10-16 19:19:00 +00:00
cf6015d61e
Accepting request 251989 from mozilla:Factory
Stephan Kulow
2014-10-01 09:22:06 +00:00
d2eba15b73
* MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature Forgery in NSS
Wolfgang Rosenauer
2014-09-24 19:29:06 +00:00
3fb5d49790
- update to 3.17.1 (bnc#897890) * Change library's signature algorithm default to SHA256 * Add support for draft-ietf-tls-downgrade-scsv * Add clang-cl support to the NSS build system * Implement TLS 1.3: * Part 1. Negotiate TLS 1.3 * Part 2. Remove deprecated cipher suites andcompression. * Add support for little-endian powerpc64
Wolfgang Rosenauer
2014-09-23 21:39:14 +00:00
a2c74afcaf
Accepting request 247562 from mozilla:Factory
Stephan Kulow
2014-09-08 19:28:11 +00:00
8b17b48d47
- update to 3.17 * required for Firefox 33 New functionality: * When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros * SSL_REUSE_SERVER_ECDHE_KEY Notable Changes: * The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2. * On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime library should be used. By default the dynamic C runtime library is used.
Wolfgang Rosenauer
2014-09-04 13:58:20 +00:00
9fb0f9587a
- update to 3.16.4 (bnc#894201)
Wolfgang Rosenauer
2014-09-02 18:14:14 +00:00
7c23619d74
Accepting request 244502 from mozilla:Factory
Ludwig Nussel2014-08-15 07:58:16 +00:00
c133651414
- update to 3.16.4 * now required for Firefox 32 Notable Changes: * The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers. - CN = GTE CyberTrust Global Root * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015.
Wolfgang Rosenauer
2014-08-12 11:04:16 +00:00
d826e8dd6d
Accepting request 240770 from mozilla:Factory
Stephan Kulow
2014-07-21 19:38:54 +00:00
0505423d6d
- update to 3.16.3 * required for Firefox 32 New Functions: * CERT_GetGeneralNameTypeFromString (This function was already added in NSS 3.16.2, however, it wasn't declared in a public header file.) Notable Changes: * The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - GTE CyberTrust Global Root - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority * Additionally, the following CA certificate was removed as requested by the CA: - TDC Internet Root CA * The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 * The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2
Wolfgang Rosenauer
2014-07-05 13:02:10 +00:00
01bbbc1e3d
Accepting request 233606 from mozilla:Factory
Stephan Kulow
2014-05-13 18:47:44 +00:00
8f1ab3a949
- update to 3.16.1 * required for Firefox 31 New functionality: * Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography (ECC) operations. New Functions: * PK11_ExportDERPrivateKeyInfo/PK11_ExportPrivKeyInfo exports a private key in a DER-encoded ASN.1 PrivateKeyInfo type or a SECKEYPrivateKeyInfo structure. Only RSA private keys are supported now. * SECMOD_InternalToPubMechFlags converts from NSS-internal to public representation of mechanism flags New Types: * ssl_padding_xtn the value of this enum constant changed from the experimental value 35655 to the IANA-assigned value 21 New Macros * PUBLIC_MECH_ECC_FLAG a public mechanism flag for elliptic curve cryptography (ECC) operations * SECMOD_ECC_FLAG an NSS-internal mechanism flag for elliptic curve cryptography (ECC) operations. This macro has the same numeric value as PUBLIC_MECH_ECC_FLAG. Notable Changes: * Imposed name constraints on the French government root CA ANSSI (DCISS).
Wolfgang Rosenauer
2014-05-08 06:02:59 +00:00
4ebbb77c33
Accepting request 228183 from mozilla:Factory
Stephan Kulow
2014-04-01 04:46:22 +00:00
b45e5b8ae6
- update to 3.16 * required for Firefox 29 * bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Supports the Linux x32 ABI. To build for the Linux x32 target, set the environment variable USE_X32=1 when building NSS. New Functions: * NSS_CMSSignerInfo_Verify New Macros * TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc., cipher suites that were first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with the TLS_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with the SSL_ prefix. Notable Changes: * ECC is enabled by default. It is no longer necessary to set the environment variable NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS. * libpkix should not include the common name of CA as DNS names when evaluating name constraints. * AESKeyWrap_Decrypt should not return SECSuccess for invalid keys. * Fix a memory corruption in sec_pkcs12_new_asafe. * If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime test sdb_measureAccess. * The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts several certificates. * The atob utility has been improved to automatically ignore lines of text that aren't in base64 format.
Wolfgang Rosenauer
2014-03-21 21:54:13 +00:00
47108391e0
Accepting request 223809 from mozilla:Factory
Stephan Kulow
2014-02-26 22:20:34 +00:00
ceb833b465
- update to 3.15.5 * required for Firefox 28 * export FREEBL_LOWHASH to get the correct default headers (bnc#865539) New functionality * Added support for the TLS application layer protocol negotiation (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both) should be used for application layer protocol negotiation. * Added the TLS padding extension. The extension type value is 35655, which may change when an official extension type value is assigned by IANA. NSS automatically adds the padding extension to ClientHello when necessary. * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting the tail of a CERTCertList. Notable Changes * bmo#950129: Improve the OCSP fetching policy when verifying OCSP responses * bmo#949060: Validate the iov input argument (an array of PRIOVec structures) of ssl_WriteV (called via PR_Writev). Applications should still take care when converting struct iov to PRIOVec because the iov_len members of the two structures have different types (size_t vs. int). size_t is unsigned and may be larger than int.
Wolfgang Rosenauer
2014-02-25 12:02:07 +00:00
d377e44364
Accepting request 223209 from home:aeneas_jaissle:branches:mozilla:Factory
Wolfgang Rosenauer
2014-02-20 12:04:07 +00:00
3d05b3f5d6
Accepting request 220922 from mozilla:Factory
Stephan Kulow
2014-02-06 06:06:30 +00:00
186557c50a
* Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877) New functionality * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. * Implemented OCSP server functionality for testing purposes (httpserv utility). * Support SHA-1 signatures with TLS 1.2 client authentication. * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. * Added the -w command-line option to pp: don't wrap long output lines. New functions * CERT_ForcePostMethodForOCSP * CERT_GetSubjectNameDigest * CERT_GetSubjectPublicKeyDigest * SSL_PeerCertificateChain * SSL_RecommendedCanFalseStart * SSL_SetCanFalseStartCallback New types * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.
Wolfgang Rosenauer
2014-01-09 10:24:37 +00:00
58591dfdb2
- update to 3.15.4 * required for Firefox 27 * regular CA root store update (1.96) * some OSCP improvments * other bugfixes - removed obsolete char.patch
Wolfgang Rosenauer
2014-01-07 08:49:30 +00:00
a73555f5b8
Accepting request 210076 from mozilla:Factory
Stephan Kulow
2013-12-10 16:43:53 +00:00
09fb13cf21
- update to 3.15.3.1 (bnc#854367) * includes certstore update (1.95) (bmo#946351) (explicitely distrust AC DG Tresor SSL)
Wolfgang Rosenauer
2013-12-09 12:35:34 +00:00
a24fc6f228
Accepting request 209434 from mozilla:Factory
Stephan Kulow
2013-12-07 06:46:23 +00:00
a86677e628
Accepting request 209419 from openSUSE:Factory:PowerLE
Wolfgang Rosenauer
2013-12-04 17:44:48 +00:00
c284190dfc
Accepting request 206762 from mozilla:Factory
Stephan Kulow
2013-11-20 09:48:47 +00:00
38ebd6f8e7
- update to 3.15.3 (bnc#850148) * fix CVE-2013-5605
Wolfgang Rosenauer
2013-11-12 20:37:56 +00:00
d14ddaa1f0
- update to 3.15.3 * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438) * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677)
Wolfgang Rosenauer
2013-11-11 22:19:45 +00:00
7b55833f6c
Accepting request 201263 from mozilla:Factory
Stephan Kulow
2013-09-29 15:50:27 +00:00
5e4a477e3f
- update to 3.15.2 (bnc#842979)
Wolfgang Rosenauer
2013-09-28 08:24:06 +00:00
5163190a91
- version 3.15.2 * Support for AES-GCM ciphersuites that use the SHA-256 PRF * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs * Add PK11_CipherFinal macro * sizeof() used incorrectly * nssutil_ReadSecmodDB() leaks memory * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. * Deprecate the SSL cipher policy code * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)
Wolfgang Rosenauer
2013-09-28 08:17:22 +00:00
a2949dce64
Accepting request 201249 from home:elvigia:branches:mozilla:Factory
Wolfgang Rosenauer
2013-09-28 08:13:46 +00:00
cd0c020b2e
Accepting request 182306 from mozilla:Factory
Stephan Kulow
2013-07-05 18:37:37 +00:00
7dddfd6c24
Accepting request 182277 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-05 12:48:09 +00:00
e071638690
Accepting request 181869 from mozilla:Factory
Stephan Kulow
2013-07-04 08:11:56 +00:00
997d66ac8e
rebase patch
Wolfgang Rosenauer
2013-07-03 12:27:52 +00:00
1256cc6819
- update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements
Wolfgang Rosenauer
2013-07-03 12:00:07 +00:00
80c4a0174f
Accepting request 181778 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-03 10:36:27 +00:00
4089d6b89b
Accepting request 178606 from mozilla:Factory
Stephan Kulow
2013-06-14 14:46:40 +00:00
506ad33ba3
- update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
Wolfgang Rosenauer
2013-06-11 15:41:13 +00:00
9fbe48bbad
Accepting request 173001 from mozilla:Factory
Stephan Kulow
2013-04-24 08:47:42 +00:00
ddbab3a3b8
Accepting request 171078 from home:namtrac:bugfix
Wolfgang Rosenauer
2013-04-16 11:16:38 +00:00
35724cb521
Accepting request 162347 from mozilla:Factory
Stephan Kulow
2013-04-05 07:29:13 +00:00
a1f8432feb
(nss-disable-expired-testcerts.patch) (bug-834091.patch; bmo#834091)
Wolfgang Rosenauer
2013-04-03 07:43:24 +00:00
1400caed25
* MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage
Wolfgang Rosenauer
2013-04-02 21:31:01 +00:00
15f7757c6e
- disable tests with expired certificates - add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements
Wolfgang Rosenauer
2013-04-02 20:29:32 +00:00
c5c5dba1e1
Accepting request 156925 from mozilla:Factory
Stephan Kulow
2013-03-01 09:52:35 +00:00
38168bf8bb
- update to 3.14.3 * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714) * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch - add aarch64 support
Wolfgang Rosenauer
2013-02-28 22:53:05 +00:00
3ec4a7d061
Accepting request 147589 from mozilla:Factory
Stephan Kulow
2013-01-10 12:33:23 +00:00
99a81b336e
- updated CA database (nssckbi-1.93.patch) * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST
Wolfgang Rosenauer
2013-01-08 17:55:59 +00:00
e5e52b65d8
(bmo#825022, bnc#796628)
Wolfgang Rosenauer
2013-01-05 14:50:59 +00:00
Dominique Leuenberger
Wolfgang Rosenauer
Stephan Kulow
Ludwig Nussel
Ismail Dönmez