[ANNOUNCE] NSS 3.19.4 Release

The NSS Development Team announces the release of NSS 3.19.4 Network Security Services (NSS) 3.19.4 is a patch release for NSS 3.19 to fix security-relevant bugs. No new functionality is introduced in this release. The following security-relevant bugs have been resolved in NSS 3.19.4. Users are

[ANNOUNCE] NSS 3.21 Release

The NSS team has released Network Security Services (NSS) 3.21, which is a minor release. New functionality: * certutil now supports a --rename option to change a nickname (bug 1142209) * TLS extended master secret extension (RFC 7627) is supported (bug 1117022) * New info functions added for use

[ANNOUNCE] NSS 3.19.2.2 Release

The NSS Development Team announces the release of NSS 3.19.2.2 Network Security Services (NSS) 3.19.2.2 is a patch release for NSS 3.19.2 to fix a security-relevant bug. No new functionality is introduced in this release. The following security-relevant bug has been resolved in NSS 3.19.2.2. Us

[ANNOUNCE] NSS 3.20.2 Release

The NSS Development Team announces the release of NSS 3.20.2 Network Security Services (NSS) 3.20.2 is a patch release for NSS 3.20 to fix a security-relevant bug. No new functionality is introduced in this release. The following security-relevant bug has been resolved in NSS 3.20.2. Users are e

[ANNOUNCE] NSS 3.22 Release

The NSS team has released Network Security Services (NSS) 3.22, which is a minor release. New functionality: * RSA-PSS signatures are now supported (bug 1215295) * Pseudorandom functions based on hashes other than SHA-1 are now supported * Enforce an External Policy on NSS from a config file (bug

Re: Is there a tool in NSS to validate a website certificate set?

On Tue, 2016-02-09 at 22:51 +1000, Jonathan Wilson wrote: > OpenSSL has a s_client command that allows you to pull the certificates a  > web page sends and verify the chain of trust against whatever root CA store  > OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull  > the

Re: Why SSL_ENABLE_SERVER_DHE?

On Fri, 2016-02-12 at 13:52 -0500, Rob Crittenden wrote: > Is there a reason that SSL_ENABLE_SERVER_DHE exists? Why not simply not > enable any DH ciphers? > > I ask because I'm looking to add some DH support and want to know how > bad an idea it is to always enable this. I can't think of a downsi

[ANNOUNCE] NSS 3.22.1 Release

The NSS Development Team announces the release of NSS 3.22.1 No new functionality is introduced in this release. Notable Changes: * NSS has been changed to use the PR_GetEnvSecure function that   was made available in NSPR 4.12 The full release notes are available at https://developer.mozilla.or

Re: server-side OCSP stapling

On Tue, 2016-03-01 at 17:19 -0800, Robert Relyea wrote: > IIRC the API to fetch the ocsp response is mostly application code. NSS  > has a simple http request function that can fetch the request if the  > application doesn't supply one (which doesn't know about proxies, etc.).  > You could override

[ANNOUNCE] NSS 3.19.2.3 Release

The NSS Development Team announces the release of NSS 3.19.2.3, which is a security patch release for NSS 3.19.2. (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to NSS 3.21.1, NSS 3.22.2, or a later release.) No new functionality is introduced in this release. The f

[ANNOUNCE] NSS 3.21.1 Release

The NSS Development Team announces the release of NSS 3.21.1, which is a security patch release for NSS 3.21. No new functionality is introduced in this release. The following security-relevant bug has been resolved in NSS 3.21.1.  Users are encouraged to upgrade immediately. * Bug 1245528 (CVE-

[ANNOUNCE] NSS 3.23 Release

The NSS team has released Network Security Services (NSS) 3.23, which is a minor release. The following security-relevant bug has been resolved in NSS 3.23.  Users are encouraged to upgrade immediately. * Bug 1245528 (CVE-2016-1950):   Fixed a heap-based buffer overflow related to the parsing of

[ANNOUNCE] NSS 3.22.2 Release

The NSS Development Team announces the release of NSS 3.22.2, which is a security patch release for NSS 3.22. No new functionality is introduced in this release. The following security-relevant bug has been resolved in NSS 3.22.2.  Users are encouraged to upgrade immediately. * Bug 1245528 (CVE-

[ANNOUNCE] NSS 3.22.3 Release

The NSS Development Team announces the release of NSS 3.22.3, which is a patch release for NSS 3.22. No new functionality is introduced in this release. The following bugs have been resolved in NSS 3.22.3 * Bug 1243641 - Increase compatibility of TLS extended master secret,   don't send an empty

[ANNOUNCE] NSS 3.19.2.4 Release

The NSS Development Team announces the release of NSS 3.19.2.4, which is a security patch release for NSS 3.19.2. (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to NSS 3.21.1, NSS 3.22.2, or a later release.) No new functionality is introduced in this release. The f

[ANNOUNCE] NSS 3.24 Release

The NSS team has released Network Security Services (NSS) 3.24, which is  a minor release. Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * NSS softoken has been updated with the latest NIST guidance (as of 2015) * NSS so

[ANNOUNCE] NSS 3.25 Release

The NSS team has released Network Security Services (NSS) 3.25, which is a minor release. Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * Implemented DHE key agreement for TLS 1.3 * Added support for ChaCha with TLS 1.3

[ANNOUNCE] NSS 3.26 Release

The NSS team has released Network Security Services (NSS) 3.26, which is a minor release. Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * the selfserv test utility has been enhanced to support ALPN (HTTP/1.1)    and 0-RT

[ANNOUNCE] NSS 3.27 Release

The NSS team has released Network Security Services (NSS) 3.27, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. New functionality: * Allow custom named gro

Re: [ANNOUNCE] NSS 3.27 Release

On Wed, 2016-09-28 at 14:39 +0200, Kai Engert wrote: > The NSS team has released Network Security Services (NSS) 3.27, > which is a minor release. > ... > The full release notes are available at > https://developer.mozilla.org/en- > US/docs/Mozilla/Projects/NSS/NSS

Re: [ANNOUNCE] NSS 3.27 Release

On Sun, 2016-10-02 at 01:48 +0200, Kai Engert wrote: > The maximum TLS version enabled by default has been increased to TLS 1.3 I have been corrected. The maximum TLS version enabled by default is still TLS 1.2. However, there are applications that query the list of TLS protocol versi

Re: [ANNOUNCE] NSS 3.27 Release

On Sun, 2016-10-02 at 08:30 +0200, Florian Weimer wrote: > Is there a compile-time switch to disable the draft protocol > implementation completely? Yes, define NSS_DISABLE_TLS_1_3=1 at build time. Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/l

[ANNOUNCE] NSS 3.27.1 Release

The NSS team has released Network Security Services (NSS) 3.27.1. This is a patch release to address a TLS compatibility issue  that some applications experienced with NSS 3.27. Notable Changes: Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build. Previou

Re: NSS and NSPR compilation error: ssl3con.c:36:18: fatal error: zlib.h: No such file

On Thu, 2016-10-20 at 10:13 +, Ding Yangliang wrote: > ssl3con.c:36:18: fatal error: zlib.h: no such file or directory zlib.h is a file that should be provided by your development environment. I don't know what package on Ubuntu provides that file, but I'm guessing the name should be similar

[ANNOUNCE] NSS 3.28 Release

The NSS team has released Network Security Services (NSS) 3.28, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes Request to test and pr

[ANNOUNCE] NSS 3.28.1 Release

The NSS team has released Network Security Services (NSS) 3.28.1, which is a patch release. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. No new functionality is introduced in thi

NSS 3.28 and Mozilla code version 50 or older, HTTP/2 failures

HTTP/2 code in Firefox versions between 32 and 50 (inclusive), contains a bug which enforces an incorrect minimum key size for ECDH of 256 bits.  This bug is fixed in Firefox 51 (see ). NSS 3.28 introduces a new ECDH key exchange with a key siz

[ANNOUNCE] NSS 3.29.1 Release

The NSS team has released Network Security Services (NSS) 3.29.1 No new functionality is introduced in this release. This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1, 3.28.2 and 3.29 contained changes that were in violation with the NSS compatibility promise.

[ANNOUNCE] NSS 3.28.3 Release

The NSS team has released Network Security Services (NSS) 3.28.3 No new functionality is introduced in this release. This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS compatibility promise. ECPara

Re: How can i list Builtin Root ACs ?

On Tue, 2017-02-21 at 06:40 -0800, Abdelhak Brrem wrote: > Does anyone knows how to list the builtin root ACs stored in the nssckbi.dll > file ?. If you're asking about certutil, you can use the "-h all" parameter to list certificates from all tokens. But by default certutil doesn't load nssckbi.

[ANNOUNCE] NSS 3.21.4 and 3.28.4 and 3.29.5 and 3.30.1 Releases

The NSS Development Team announces multiple security patch releases: * NSS 3.21.4 for NSS 3.21 * NSS 3.28.4 for NSS 3.28 * NSS 3.29.5 for NSS 3.29 * NSS 3.30.1 for NSS 3.30 No new functionality is introduced in these releases. The following security fixes are included. Users are encouraged to up

[ANNOUNCE] NSS 3.30.2 Release

The NSS team has released Network Security Services (NSS) 3.30.2, which is a patch release to update the list of root CA certificates. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates.

[ANNOUNCE] NSS 3.28.5 Release

The NSS team has released Network Security Services (NSS) 3.28.5, which is a patch release to update the list of root CA certificates. These are backported changes, which are equivalent to the changes that have been recently released with NSS 3.30.2. Below is a summary of the changes. Please refe

[ANNOUNCE] NSS 3.31 Release

The NSS team has released Network Security Services (NSS) 3.31, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.31_release_notes New functionality:

Can we deprecate NSS signtool?

The NSS utility "signtool" is hardcoded to use SHA1 when creating a digital signature. As I've described in this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1345528 it might be complicated to change the default to a more secure hash algorithm in a compatible way. I wonder who still depend

[ANNOUNCE] NSS 3.32 Release

The NSS team has released Network Security Services (NSS) 3.32, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. https://developer.mozilla.org/en-US/docs/Mo

Re: JSS Version 4.4

Apparently nobody had created/uploaded a release archive for that new version. You could obtain it by using the HG (mercurial) software, and by using the release tag. The release notes page you mention refers to tag JSS_4_4_20170313. I see there are also some newer tags in the JSS code repository,

Re: Linker error from tstclnt

On 10.11.2017 10:16, muni.pra...@gmail.com wrote: >> USE_STATIC_RTL=1 I haven't seen this symbol before, maybe it's no longer supported. Does it work if you don't define it? Kai -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

[ANNOUNCE] NSS 3.34.1 Release

The NSS team has released Network Security Services (NSS) 3.34.1, which is a patch release to update the list of root CA certificates. The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.34.1_release_notes The HG tag is NSS_3_34_1_RTM. NSS 3

[ANNOUNCE] NSS 3.35 Release

The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to dra

[ANNOUNCE] NSS 3.36 Release

The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling. The release also

[ANNOUNCE] NSS 3.36.1 Release

The NSS team has released Network Security Services (NSS) 3.36.1, which is a patch release fix regression bugs. The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.1_release_notes The HG tag is NSS_3_36_1_RTM. NSS 3.36.1 requires NSPR 4.1

[ANNOUNCE] NSS 3.37 Release

The NSS team has released Network Security Services (NSS) 3.37, which is a minor release. Notable changes: * The TLS 1.3 implementation was updated to Draft 28. * An issue where NSS erroneously accepted HRR requests was resolved. * Added HACL* Poly1305 32-bit * The code to support the NPN protocol

Re: [ANNOUNCE] NSS 3.37 Release

On 14.05.2018 11:11, Kurt Roeckx wrote: > On 2018-05-08 22:49, Kai Engert wrote: >> Notable changes: >> * The TLS 1.3 implementation was updated to Draft 28. > > I find it unfortunate that you update the draft version to 28 and did > not keep it at 26 like some other im

Re: [ANNOUNCE] NSS 3.37 Release

On 14.05.2018 13:24, Kai Engert wrote: > On 14.05.2018 11:11, Kurt Roeckx wrote: >> On 2018-05-08 22:49, Kai Engert wrote: >>> Notable changes: >>> * The TLS 1.3 implementation was updated to Draft 28. >> >> I find it unfortunate that you update the draft ver

[ANNOUNCE] NSS 3.36.5 Release

The NSS team has released Network Security Services (NSS) 3.36.5, which is a patch release for NSS 3.36. It fixes the following bug: * Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) The full release notes are availa

[ANNOUNCE] NSS 3.39 Release

The NSS team has released Network Security Services (NSS) 3.39, which is a minor release. Notable bug fixes: * Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) New functionality: * The tstclnt and selfserv utilities a

S/MIME X509 certificate requirements for Thunderbird 60.x

On 22.11.18 17:38, mbch...@gmail.com wrote: > Now, I want to import a certificate, originally created by our company PKI as > SSL-Client certificate for use with Cisco Anyconnect VPN clients. > > I realized that it differs in its DN format, misses explicit mail > sing/encryption flags and has ad

Re: S/MIME X509 certificate requirements for Thunderbird 60.x

On 23.11.18 12:58, Martin Büchler wrote: > That is exactly what I am looking for: Where are the certificate requirements > specified other than in TB source code? I then would like to instruct our PKI > to add/change missing extensions, fields, or anticipated X500 name formats. I agree it would

Re: Debug info on NSS tools

Does this page help? You might need a debug build (i.e. build yourself with debugging enabled). https://wiki.mozilla.org/NSS:Tracing Kai On 03.01.19 13:51, John Jiang wrote: > Just tried it, but looked not work. > > $ export SSLDEBUG=1 > $ export SSLTRACE=127 > $ tstclnt -v ... > I didn't get m

[ANNOUNCE] NSS 3.41.1 Release

The NSS team has released Network Security Services (NSS) 3.41.1, which is a patch release for NSS 3.41. It fixes the following bugs: * Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS functions to fix a rare CMS crash. The full release notes are available at https://deve

Re: DarkMatter CA

On 20.02.19 21:36, Leonardo Porpora via dev-tech-crypto wrote: > I have read about the possibility that you add the DarkMatters's CA in > Firefox, I really hope that it will not happen as it will write the end of > privacy and humans rights. I don't know if this is the right email to write > to

<    1   2   3