If you maintain the NSS package in an OS distribution, please read this announcement.
NSS 3.13.2 has a regression when we removed the support for Netscape international step-up certificates. The bug report for this regression is NSS bug 737802 (https://bugzilla.mozilla.org/show_bug.cgi?id=737802). This bug affects the CERT_PKIXVerifyCert function, which is based on libpkix. The "classic" NSS certificate verification functions, such as CERT_VerifyCert and CERT_VerifyCertificate, are not affected unless they have been configured to use libpkix internally by using either the NSS_ENABLE_PKIX_VERIFY environment variable or the CERT_SetUsePKIXForValidation function. I will make an NSS 3.13.4 release soon to fix this regression. In the meantime, you can apply the patch in NSS bug 737802 to the NSS source tree. The URL for the patch is https://bug737802.bugzilla.mozilla.org/attachment.cgi?id=608587 Thanks to Rob Stradling of Comodo for reporting the bug and providing a patch. Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto