The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.
NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:
New in NSS 3.15
- Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added, which includes:
  - client and server side TLS protocol implementation
  - helper type SECItemArray, which is used to hold a list of OCSP responses. The API has been designed to allow a future implementation of multi-stapling support.
  - ssltap tool: can print CertificateStatus messages
  - tstclnt and strsclnt tools: new options to request certificate status, and to fail based on status availability
  - selfserv tool: new options to support testing of server-side certificate status responses
- Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
- Added functions PK11_Encrypt and PK11_Decrypt for performing single-part (one-shot) symmetric-key encryption and decryption operations. These functions are necessary for AES GCM.
- certutil tool: added support to create name constraints extensions
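The CertificateStatus handshake message that carries a stapled OCSP response, parsed with bounds checks, as an added example that is not NSS code or part of the release notes. The function names and sample bytes are constructed for illustration; the message layout follows RFC 6066, and the status peek assumes the OCSPResponse DER layout from RFC 6960.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define HS_CERTIFICATE_STATUS 22 /* HandshakeType certificate_status (RFC 6066) */
#define STATUS_TYPE_OCSP 1       /* CertificateStatusType ocsp */
#define RD24(p) (((size_t)(p)[0] << 16) | ((size_t)(p)[1] << 8) | (p)[2]) /* 24-bit big-endian */
typedef enum { CS_OK, CS_TRUNCATED, CS_WRONG_TYPE, CS_BAD_LENGTH } cs_result;

/* Parse handshake message: type(1) len(3) | status_type(1) resp_len(3) OCSPResponse.
 * On CS_OK, *ocsp points into msg; nothing is copied. */
cs_result parse_certificate_status(const uint8_t *msg, size_t len,
                                   const uint8_t **ocsp, size_t *ocsp_len) {
    if (len < 4) return CS_TRUNCATED;
    if (msg[0] != HS_CERTIFICATE_STATUS) return CS_WRONG_TYPE;
    size_t body_len = RD24(msg + 1);
    if (body_len > len - 4) return CS_TRUNCATED;
    if (body_len < 4) return CS_BAD_LENGTH;
    if (msg[4] != STATUS_TYPE_OCSP) return CS_WRONG_TYPE;
    size_t resp_len = RD24(msg + 5);
    /* opaque OCSPResponse<1..2^24-1>: non-empty and must fill the body exactly */
    if (resp_len == 0 || resp_len != body_len - 4) return CS_BAD_LENGTH;
    *ocsp = msg + 8;
    *ocsp_len = resp_len;
    return CS_OK;
}

/* Peek at OCSPResponse.responseStatus: SEQUENCE { ENUMERATED status, ... }.
 * Returns the status, or -1 if the DER prefix is malformed; the rest is not validated. */
int ocsp_response_status(const uint8_t *der, size_t len) {
    size_t i = 1;
    if (len < 2 || der[0] != 0x30) return -1;
    if (der[i] & 0x80) { /* long-form length: skip its octets */
        size_t n = der[i] & 0x7f;
        if (n == 0 || n > 3 || len - i - 1 < n) return -1;
        i += n;
    }
    i += 1;
    if (len - i < 3 || der[i] != 0x0a || der[i + 1] != 0x01) return -1;
    return der[i + 2];
}

/* Constructed sample: CertificateStatus carrying a 5-byte OCSPResponse with
 * responseStatus unauthorized(6); a real stapled response is far longer. */
static const uint8_t sample_msg[] = {22, 0, 0, 9, 1, 0, 0, 5, 0x30, 0x03, 0x0a, 0x01, 0x06};
int main(void) {
    const uint8_t *r; size_t n;
    cs_result rc = parse_certificate_status(sample_msg, sizeof sample_msg, &r, &n);
    printf("parse=%d status=%d\n", rc, rc == CS_OK ? ocsp_response_status(r, n) : -1);
    return rc != CS_OK;
}
```

The parser only frames the response; deciding whether a certificate is good still requires verifying the OCSP response signature and validity period, which this sketch does not attempt.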
The following functions have been added to NSS 3.15:
- SSL_PeerStapledOCSPResponse, used by a TLS client to query the certificate status response sent by a server
- SSL_SetStapledOCSPResponses, used by a TLS server to set the certificate status response
- CERT_PostOCSPRequest, primarily used for testing, exposes the raw sending and receiving of OCSP data
- SEC_PKCS7VerifyDetachedSignatureAtTime, a new function required by Firefox OS
- NSS has been migrated to use the Mercurial source control management system.
- As part of the source code repository migration, the source code directory layout has been reorganized.
- The list of root CA certificates has been updated.
- The default implementation of SSL_AuthCertificate has been updated. If certificate status information has been received from a TLS server, it will be added to the OCSP cache. Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel.
- Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
- Bug 853285: Fixed bugs in AES GCM.
- Bug 341127: Fixed the invalid read in rc4_wordconv.
- Faster NIST curve P-256 implementation.
- Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced.
Bugs fixed in NSS 3.15
This Bugzilla query returns all the bugs fixed in NSS 3.15: