[blfs-book] [BLFS Trac] #6839: nss-3.20

Thu, 20 Aug 2015 04:16:53 -0700 

#6839: nss-3.20
-------------------------+-------------------------
 Reporter:  fo           |      Owner:  blfs-book@…
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  7.8
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-------------------------
 
[https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/nss-3.20.tar.gz]

 
[https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/SHA256SUMS]

 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c

 [https://developer.mozilla.org/en-
 US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes]

 {{{
 NSS 3.20 release notes
 by 2 contributors:

     kaie m_t

 == Introduction ==

 The NSS team has released Network Security Services (NSS) 3.20, which is
 a minor release.

 == Distribution Information ==

 The HG tag is NSS_3_20_RTM. NSS 3.20 requires NSPR 4.10.8 or newer.

 == New in NSS 3.20 ==

 New Functionality

    • The TLS library has been extended to support DHE ciphersuites in
      server applications.

 New Functions

    • in ssl.h
        ◦ SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE
          group parameters that can be used by NSS for a server socket.
        ◦ SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
          parameters that are smaller than the library default's minimum
          size.

 New Types

    • in sslt.h
        ◦ SSLDHEGroupType - Enumerates the set of DHE parameters embedded
          in NSS that can be used with function SSL_DHEGroupPrefSet

 New Macros

    • in ssl.h
        ◦ SSL_ENABLE_SERVER_DHE - A socket option user to enable or
          disable DHE ciphersuites for a server socket

 == Notable Changes in NSS 3.20 ==

    • The TLS library has been extended to support DHE ciphersuites in
      server applications.
    • For backwards compatibility reasons, the server side implementation
      of the TLS library keeps all DHE ciphersuites disabled by default.
      They can be enabled with the new socket option
      SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the
      SSL_OptionSetDefault API.
    • The server side implementation of the TLS implementation does not
      support session tickets when using a DHE ciphersuite (see bug
      1174677).
    • Support for the following ciphersuites has been added:
        ◦ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        ◦ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        ◦ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    • By default, the server side TLS implementation will use DHE
      parameters with a size of 2048 bits when using DHE ciphersuites.
    • NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
      8192 bits, which were copied from version 08 of the Internet-Draft
      "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
      TLS", Appendix A.
    • A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
      server application to select one or multiple of the embedded DHE
      parameters as the preferred parameters. The current implementation
      of NSS will always use the first entry in the array that is passed
      as a parameter to the SSL_DHEGroupPrefSet API. In future versions
      of the TLS implementation, a TLS client might signal a preference
      for certain DHE parameters, and the NSS TLS server side
      implementation might select a matching entry from the set of
      parameters that have been configured as preferred on the server
      side.
    • NSS optionally supports the use of weak DHE parameters with DHE
      ciphersuites to support legacy clients. In order to enable this
      support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
      time this API is called for the first time in a process, a fresh
      set of weak DHE parameters will be randomly created, which may take
      a long amount of time. Please refer to the comments in the header
      file that declares the SSL_EnableWeakDHEPrimeGroup API for
      additional details.
    • The size of the default PQG parameters used by certutil when
      creating DSA keys has been increased to use 2048 bit parameters.
    • The selfserv utility has been enhanced to support the new DHE
      features.
    • NSS no longer supports C compilers that predate the ANSI C standard
      (C89).

 == Bugs fixed in NSS 3.20 ==

 This Bugzilla query returns all the bugs fixed in NSS 3.20:

 
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.20

 == Compatibility ==

 NSS 3.20 shared libraries are backward compatible with all older NSS 3.x
 shared libraries. A program linked with older NSS 3.x shared libraries
 will work with NSS 3.20 shared libraries without recompiling or
 relinking. Furthermore, applications that restrict their use of NSS APIs
 to the functions listed in NSS Public Functions will remain compatible
 with future versions of the NSS shared libraries.
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/6839>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to