4.3.1 Release Notes

Release Date: 2009-12-02

Introduction

Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new features:

  • Support for SSL3 & TLS Renegotiation Vulnerability
  • Support to explicitly set the key usage for the generated private key

JSS 4.3.1 is tri-licensed under MPL 1.1/GPL 2.0/LGPL 2.1.

New in JSS 4.3.1

 A list of bug fixes and enhancement requests were implemented in this release can be obtained by running this bugzilla query

JSS 4.3.1 requires NSS 3.12.5 or higher.

SSL3 & TLS Renegotiation Vulnerability

See CVE-2009-3555 and US-CERT VU#120541 for more information about this security vulnerability.

All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.

If an application depends on renegotiation feature, it can be enabled by setting the environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental variable, the fix provided by these patches will have no effect and the application may become vulnerable to the issue.

This default setting can also be changed within the application by using the following JSS methods:

  • SSLServerSocket.enableRenegotiation(int mode)
  • SSLSocket.enableRenegotiation(int mode)
  • SSLSocket.enableRenegotiationDefault(int mode)
The mode of renegotiation that the peer must use can be set to the following:
  • SSLSocket.SSL_RENEGOTIATE_NEVER - Never renegotiate at all. (Default)
  • SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without
    restriction, whether or not the peer's client hello bears the
    renegotiation info extension (like we always did in the past).
  • SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED

Explicitly set the key usage for the generated private key

 In PKCS #11, each keypair can be marked with the operations it will
 be used to perform. Some tokens require that a key be marked for
 an operation before the key can be used to perform that operation;
 other tokens don't care. NSS/JSS provides a way to specify a set of
 flags and a corresponding mask for these flags.

  • see generateECKeyPairWithOpFlags
  • see generateRSAKeyPairWithOpFlags
  • see generateDSAKeyPairWithOpFlags

Distribution Information

Documentation

Documentation for JSS 4.3.1 is available as follows:

Platform Information

  • You can check out the source from CVS by

    cvs co -r JSS_4_3_1_RTM JSS
  • JSS 4.3.1 works with JDK versions 4 or higher we suggest the latest.
  • JSS 4.3.1 requires NSS 3.12.5 or higher.
  • JSS 4.3.1 requires NSPR 4.7.1 or higher.
  • JSS only supports the native threading model (no green threads).

Known Bugs and Issues

  • For a list of reported bugs that have not yet been fixed, click here. Note that some bugs may have been fixed since JSS 4.3.1 was released. 

Compatibility

  • JSS 4.3.1 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will work with JSS 4.3.1.
  • The 4.3.1 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS JAR file must be used with the JSS shared library from the exact same release.
  • To obtain the version info from the jar file use, "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared library: strings libjss4.so | grep -i header  

Feedback

  • Bugs discovered should be reported by filing a bug report with bugzilla.
  • You can also give feedback directly to the developers on the Mozilla Cryptography forums...