Re: NSS 3.12.* maintanence after the NSS 3.13 release?
There is one known regression. Also, the BEAST workaround is an incompatible change for some applications. Otherwise, I expect it to be drop-in compatible.

- Brian

----- Original Message -----
From: Julien Pierre julien.pie...@oracle.com
To: Brian Smith bsm...@mozilla.com
Cc: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org
Sent: Monday, October 17, 2011 6:02:35 PM
Subject: Re: NSS 3.12.* maintanence after the NSS 3.13 release?

Brian,

On 10/17/2011 15:55, Brian Smith wrote:
> NSS release announcements are made on the Mozilla dev-tech-crypto mailing list:
> http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/28c9fd2d65f7bd55#

Thanks, I wasn't on the list then.

It looks like there is one binary incompatible change, SSL 2.0 disabled by default. I'm not sure yet if this will be a problem.

Other than this change, do we expect this release to be a binary compatible drop-in replacement for 3.12.x?

Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: NSS 3.12.* maintanence after the NSS 3.13 release?
I just emailed the mailing list about it: bug 693228. It is a crashing bug in NSS_Init.

----- Original Message -----
From: Julien Pierre julien.pie...@oracle.com
To: Brian Smith bsm...@mozilla.com
Cc: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org
Sent: Tuesday, October 18, 2011 2:55:11 PM
Subject: Re: NSS 3.12.* maintanence after the NSS 3.13 release?

Brian,

On 10/18/2011 14:42, Brian Smith wrote:
> There is one known regression.

Do you mean one separate from the SSL 2.0 change, and BEAST? If so, which one?

> Also, the BEAST workaround is an incompatible change for some applications.

From what I have read of the BEAST workaround discussion, it breaks certain older existing SSL servers, notably some of Oracle's servers (not NSS based servers). But this only affects client code. The reverse BEAST code change is on the server side too. Do we know that it breaks any old browsers? I'm more concerned about server side.

My understanding is that the BEAST workaround doesn't really help a server app. It is the client that really needs to be patched for the specific exploit. The server cannot really prevent the exploit with an SSL/TLS stack fix. The server-side code change would help only if someone creates a theoretical reverse BEAST type of exploit.

Julien
Re: NSS 3.12.* maintanence after the NSS 3.13 release?
Brian,

On 10/18/2011 14:42, Brian Smith wrote:
> There is one known regression.

Do you mean one separate from the SSL 2.0 change, and BEAST? If so, which one?

> Also, the BEAST workaround is an incompatible change for some applications.

From what I have read of the BEAST workaround discussion, it breaks certain older existing SSL servers, notably some of Oracle's servers (not NSS based servers). But this only affects client code. The reverse BEAST code change is on the server side too. Do we know that it breaks any old browsers? I'm more concerned about server side.

My understanding is that the BEAST workaround doesn't really help a server app. It is the client that really needs to be patched for the specific exploit. The server cannot really prevent the exploit with an SSL/TLS stack fix. The server-side code change would help only if someone creates a theoretical reverse BEAST type of exploit.

Julien
Re: NSS 3.12.* maintanence after the NSS 3.13 release?
Brian,

On 10/17/2011 15:55, Brian Smith wrote:
> NSS release announcements are made on the Mozilla dev-tech-crypto mailing list:
> http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/28c9fd2d65f7bd55#

Thanks, I wasn't on the list then.

It looks like there is one binary incompatible change, SSL 2.0 disabled by default. I'm not sure yet if this will be a problem.

Other than this change, do we expect this release to be a binary compatible drop-in replacement for 3.12.x?

Julien
Re: NSS 3.12.* maintanence after the NSS 3.13 release?
Brian,

Thanks for adding me to this list. I had not heard that NSS 3.13 had shipped. What does this release include? I don't see any release notes beyond 3.12.6 at http://www.mozilla.org/projects/security/pki/nss/release_notes.html .

Julien

On 10/17/2011 14:28, Brian Smith wrote:
> Are we going to stop maintaining NSS 3.12 after the 3.13 release? People have asked if we were going to backport bug 665814 to 3.12, specifically.
>
> My understanding is that Bob proposed that the 3.13 release will mark the end of 3.12 maintenance. This is why we (Mozilla) upgraded to 3.13 instead of a 3.12.* release.
>
> Thanks,
> Brian
Re: NSS 3.12.* maintanence after the NSS 3.13 release?
NSS release announcements are made on the Mozilla dev-tech-crypto mailing list:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/28c9fd2d65f7bd55#

- Brian

----- Original Message -----
From: Julien Pierre julien.pie...@oracle.com
To: Brian Smith bsm...@mozilla.com
Cc: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org
Sent: Monday, October 17, 2011 3:34:40 PM
Subject: Re: NSS 3.12.* maintanence after the NSS 3.13 release?

Brian,

Thanks for adding me to this list. I had not heard that NSS 3.13 had shipped. What does this release include? I don't see any release notes beyond 3.12.6 at http://www.mozilla.org/projects/security/pki/nss/release_notes.html .

Julien

On 10/17/2011 14:28, Brian Smith wrote:
> Are we going to stop maintaining NSS 3.12 after the 3.13 release? People have asked if we were going to backport bug 665814 to 3.12, specifically.
>
> My understanding is that Bob proposed that the 3.13 release will mark the end of 3.12 maintenance. This is why we (Mozilla) upgraded to 3.13 instead of a 3.12.* release.
>
> Thanks,
> Brian