d55b02c72c
* Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
* Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
* When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877)
New functionality
* Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
* Implemented OCSP server functionality for testing purposes (httpserv utility).
* Support SHA-1 signatures with TLS 1.2 client authentication.
* Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
* Added the -w command-line option to pp: don't wrap long output lines.
New functions
* CERT_ForcePostMethodForOCSP
* CERT_GetSubjectNameDigest
* CERT_GetSubjectPublicKeyDigest
* SSL_PeerCertificateChain
* SSL_RecommendedCanFalseStart
* SSL_SetCanFalseStartCallback
New types
* CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.
Wolfgang Rosenauer
2014-01-09 10:24:37 +00:00
186557c50a
* Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
* Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
* When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877)
New functionality
* Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
* Implemented OCSP server functionality for testing purposes (httpserv utility).
* Support SHA-1 signatures with TLS 1.2 client authentication.
* Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
* Added the -w command-line option to pp: don't wrap long output lines.
New functions
* CERT_ForcePostMethodForOCSP
* CERT_GetSubjectNameDigest
* CERT_GetSubjectPublicKeyDigest
* SSL_PeerCertificateChain
* SSL_RecommendedCanFalseStart
* SSL_SetCanFalseStartCallback
New types
* CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.
Wolfgang Rosenauer
2014-01-09 10:24:37 +00:00
bdf63cb76e
- update to 3.15.4
  * required for Firefox 27
  * regular CA root store update (1.96)
  * some OCSP improvements
  * other bugfixes
- removed obsolete char.patch
Wolfgang Rosenauer
2014-01-07 08:49:30 +00:00
58591dfdb2
- update to 3.15.4
  * required for Firefox 27
  * regular CA root store update (1.96)
  * some OCSP improvements
  * other bugfixes
- removed obsolete char.patch
Wolfgang Rosenauer
2014-01-07 08:49:30 +00:00
df1ba0228c
Accepting request 210076 from mozilla:Factory
Stephan Kulow
2013-12-10 16:43:53 +00:00
a73555f5b8
Accepting request 210076 from mozilla:Factory
Stephan Kulow
2013-12-10 16:43:53 +00:00
700c409a77
- update to 3.15.3.1 (bnc#854367)
  * includes certstore update (1.95) (bmo#946351) (explicitly distrust AC DG Tresor SSL)
Wolfgang Rosenauer
2013-12-09 12:35:34 +00:00
09fb13cf21
- update to 3.15.3.1 (bnc#854367)
  * includes certstore update (1.95) (bmo#946351) (explicitly distrust AC DG Tresor SSL)
Wolfgang Rosenauer
2013-12-09 12:35:34 +00:00
4ceb44bc38
Accepting request 209434 from mozilla:Factory
Stephan Kulow
2013-12-07 06:46:23 +00:00
a24fc6f228
Accepting request 209434 from mozilla:Factory
Stephan Kulow
2013-12-07 06:46:23 +00:00
15d54c1f4e
Accepting request 209419 from openSUSE:Factory:PowerLE
Wolfgang Rosenauer
2013-12-04 17:44:48 +00:00
a86677e628
Accepting request 209419 from openSUSE:Factory:PowerLE
Wolfgang Rosenauer
2013-12-04 17:44:48 +00:00
fbcfc6c0ac
Accepting request 206762 from mozilla:Factory
Stephan Kulow
2013-11-20 09:48:47 +00:00
c284190dfc
Accepting request 206762 from mozilla:Factory
Stephan Kulow
2013-11-20 09:48:47 +00:00
de18d97a09
- update to 3.15.3 (bnc#850148)
  * fix CVE-2013-5605
Wolfgang Rosenauer
2013-11-12 20:37:56 +00:00
38ebd6f8e7
- update to 3.15.3 (bnc#850148)
  * fix CVE-2013-5605
Wolfgang Rosenauer
2013-11-12 20:37:56 +00:00
1d701a1c1b
- update to 3.15.3
  * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438)
  * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677)
Wolfgang Rosenauer
2013-11-11 22:19:45 +00:00
d14ddaa1f0
- update to 3.15.3
  * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438)
  * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677)
Wolfgang Rosenauer
2013-11-11 22:19:45 +00:00
acb5a1f027
Accepting request 201263 from mozilla:Factory
Stephan Kulow
2013-09-29 15:50:27 +00:00
7b55833f6c
Accepting request 201263 from mozilla:Factory
Stephan Kulow
2013-09-29 15:50:27 +00:00
067f9add2d
- update to 3.15.2 (bnc#842979)
Wolfgang Rosenauer
2013-09-28 08:24:06 +00:00
5e4a477e3f
- update to 3.15.2 (bnc#842979)
Wolfgang Rosenauer
2013-09-28 08:24:06 +00:00
cf8599cc0e
- version 3.15.2
  * Support for AES-GCM ciphersuites that use the SHA-256 PRF
  * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs
  * Add PK11_CipherFinal macro
  * sizeof() used incorrectly
  * nssutil_ReadSecmodDB() leaks memory
  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
  * Deprecate the SSL cipher policy code
  * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)
Wolfgang Rosenauer
2013-09-28 08:17:22 +00:00
5163190a91
- version 3.15.2
  * Support for AES-GCM ciphersuites that use the SHA-256 PRF
  * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs
  * Add PK11_CipherFinal macro
  * sizeof() used incorrectly
  * nssutil_ReadSecmodDB() leaks memory
  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
  * Deprecate the SSL cipher policy code
  * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)
Wolfgang Rosenauer
2013-09-28 08:17:22 +00:00
dc856ecc99
Accepting request 201249 from home:elvigia:branches:mozilla:Factory
Wolfgang Rosenauer
2013-09-28 08:13:46 +00:00
a2949dce64
Accepting request 201249 from home:elvigia:branches:mozilla:Factory
Wolfgang Rosenauer
2013-09-28 08:13:46 +00:00
984f9476b3
Accepting request 182306 from mozilla:Factory
Stephan Kulow
2013-07-05 18:37:37 +00:00
cd0c020b2e
Accepting request 182306 from mozilla:Factory
Stephan Kulow
2013-07-05 18:37:37 +00:00
38ee6dfd36
Accepting request 182277 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-05 12:48:09 +00:00
7dddfd6c24
Accepting request 182277 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-05 12:48:09 +00:00
5188d74565
Accepting request 181869 from mozilla:Factory
Stephan Kulow
2013-07-04 08:11:56 +00:00
e071638690
Accepting request 181869 from mozilla:Factory
Stephan Kulow
2013-07-04 08:11:56 +00:00
50955e7e97
rebase patch
Wolfgang Rosenauer
2013-07-03 12:27:52 +00:00
997d66ac8e
rebase patch
Wolfgang Rosenauer
2013-07-03 12:27:52 +00:00
febd37237a
- update to 3.15.1
  * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.
  * some bugfixes and improvements
Wolfgang Rosenauer
2013-07-03 12:00:07 +00:00
1256cc6819
- update to 3.15.1
  * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.
  * some bugfixes and improvements
Wolfgang Rosenauer
2013-07-03 12:00:07 +00:00
8c18216fc4
Accepting request 181778 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-03 10:36:27 +00:00
80c4a0174f
Accepting request 181778 from home:lnussel:branches:Base:System
Wolfgang Rosenauer
2013-07-03 10:36:27 +00:00
2327bba08a
Accepting request 178606 from mozilla:Factory
Stephan Kulow
2013-06-14 14:46:40 +00:00
4089d6b89b
Accepting request 178606 from mozilla:Factory
Stephan Kulow
2013-06-14 14:46:40 +00:00
68c257da8e
- update to 3.15
  * Packaging
    + removed obsolete patches
      * nss-disable-expired-testcerts.patch
      * bug-834091.patch
  * New Functionality
    + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    + Support for single-operation (e.g. not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    + certutil has been updated to support creating name constraints extensions.
  * New Functions
    in ssl.h
      SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
      SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
      CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
Wolfgang Rosenauer
2013-06-11 15:41:13 +00:00
506ad33ba3
- update to 3.15
  * Packaging
    + removed obsolete patches
      * nss-disable-expired-testcerts.patch
      * bug-834091.patch
  * New Functionality
    + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    + Support for single-operation (e.g. not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    + certutil has been updated to support creating name constraints extensions.
  * New Functions
    in ssl.h
      SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
      SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
      CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
Wolfgang Rosenauer
2013-06-11 15:41:13 +00:00
d082e6733c
Accepting request 173001 from mozilla:Factory
Stephan Kulow
2013-04-24 08:47:42 +00:00
9fbe48bbad
Accepting request 173001 from mozilla:Factory
Stephan Kulow
2013-04-24 08:47:42 +00:00
d9b17089be
Accepting request 171078 from home:namtrac:bugfix
Wolfgang Rosenauer
2013-04-16 11:16:38 +00:00
ddbab3a3b8
Accepting request 171078 from home:namtrac:bugfix
Wolfgang Rosenauer
2013-04-16 11:16:38 +00:00
b3ca3f8b30
Accepting request 162347 from mozilla:Factory
Stephan Kulow
2013-04-05 07:29:13 +00:00
35724cb521
Accepting request 162347 from mozilla:Factory
Stephan Kulow
2013-04-05 07:29:13 +00:00
decd0449c4
(nss-disable-expired-testcerts.patch) (bug-834091.patch; bmo#834091)
Wolfgang Rosenauer
2013-04-03 07:43:24 +00:00
a1f8432feb
(nss-disable-expired-testcerts.patch) (bug-834091.patch; bmo#834091)
Wolfgang Rosenauer
2013-04-03 07:43:24 +00:00
2843a9e569
* MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage
Wolfgang Rosenauer
2013-04-02 21:31:01 +00:00
1400caed25
* MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage
Wolfgang Rosenauer
2013-04-02 21:31:01 +00:00
3f1abb24a5
- disable tests with expired certificates
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements
Wolfgang Rosenauer
2013-04-02 20:29:32 +00:00
15f7757c6e
- disable tests with expired certificates
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements
Wolfgang Rosenauer
2013-04-02 20:29:32 +00:00
6abe0100b2
Accepting request 156925 from mozilla:Factory
Stephan Kulow
2013-03-01 09:52:35 +00:00
c5c5dba1e1
Accepting request 156925 from mozilla:Factory
Stephan Kulow
2013-03-01 09:52:35 +00:00
0c76898e5d
- update to 3.14.3
  * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)
  * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714)
  * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799)
- remove system-sqlite.patch
- add aarch64 support
Wolfgang Rosenauer
2013-02-28 22:53:05 +00:00
38168bf8bb
- update to 3.14.3
  * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)
  * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714)
  * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799)
- remove system-sqlite.patch
- add aarch64 support
Wolfgang Rosenauer
2013-02-28 22:53:05 +00:00
f520a374c9
Accepting request 147589 from mozilla:Factory
Stephan Kulow
2013-01-10 12:33:23 +00:00
3ec4a7d061
Accepting request 147589 from mozilla:Factory
Stephan Kulow
2013-01-10 12:33:23 +00:00
2111bb58f3
- updated CA database (nssckbi-1.93.patch)
  * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST
Wolfgang Rosenauer
2013-01-08 17:55:59 +00:00
99a81b336e
- updated CA database (nssckbi-1.93.patch)
  * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST
Wolfgang Rosenauer
2013-01-08 17:55:59 +00:00
1559d15884
(bmo#825022, bnc#796628)
Wolfgang Rosenauer
2013-01-05 14:50:59 +00:00
e5e52b65d8
(bmo#825022, bnc#796628)
Wolfgang Rosenauer
2013-01-05 14:50:59 +00:00
c2393f18b1
- update to 3.14.1 RTM
  * minimal requirement for Gecko 20
  * several bugfixes
Wolfgang Rosenauer
2012-12-18 13:54:06 +00:00
9cd1b1b874
- update to 3.14.1 RTM
  * minimal requirement for Gecko 20
  * several bugfixes
Wolfgang Rosenauer
2012-12-18 13:54:06 +00:00
a0772781ad
Accepting request 139298 from mozilla:Factory
Stephan Kulow
2012-10-26 15:26:31 +00:00
ba6f4f590a
Accepting request 139298 from mozilla:Factory
Stephan Kulow
2012-10-26 15:26:31 +00:00
450d9e2858
- update to 3.14 RTM
  * Support for TLS 1.1 (RFC 4346)
  * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
  * Support for AES-CTR, AES-CTS, and AES-GCM
  * Support for Keying Material Exporters for TLS (RFC 5705)
  * Support for certificate signatures using the MD5 hash algorithm is now disabled by default
  * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
  * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)
Wolfgang Rosenauer
2012-10-25 14:10:44 +00:00
eb3cdf4581
- update to 3.14 RTM
  * Support for TLS 1.1 (RFC 4346)
  * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
  * Support for AES-CTR, AES-CTS, and AES-GCM
  * Support for Keying Material Exporters for TLS (RFC 5705)
  * Support for certificate signatures using the MD5 hash algorithm is now disabled by default
  * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
  * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)
Wolfgang Rosenauer
2012-10-25 14:10:44 +00:00