


NSS 3.3 Release Notes

26 July 2001

Newsgroup: mozilla.dev.tech.crypto




Introduction

Network Security Services (NSS) 3.3 is an interim release in response to customers' strong request that the NSS/JSS integration feature be made available sooner.  Therefore, NSS 3.3 only includes some of the features and bug fixes targeted in the NSS 3.3 Plan.  What we originally planned as NSS 3.3 will be called NSS 3.4 (its project plan will be updated and published shortly).

The NSS/JSS integration feature enables JSS (a Java interface to NSS) to link with NSS shared libraries.  (JSS 3.1 or newer is required.)  This allows NSS and JSS to coexist safely in the same process.  For example, Java servlets running on a web server using NSS 3.3 (such as iPlanet Web Server 6.0 Service Pack 1) will be able to use JSS 3.1.

In addition, NSS 3.3 has the following new features:

  • DHE cipher suites for SSL (client side only).
  • New public symbols have been exported, including SECMOD_AddNewModule(), CERT_CheckCertUsage(), CERT_FindCertIssuer(), and a few more accessor functions.
  • NSS 3.3 is dual-licensed under the MPL and the GPL.


    Distribution Information

    The CVS tag for the NSS 3.3 release is NSS_3_3_RTM.

    NSS 3.3 source and binary distributions are also available on ftp.mozilla.org for anonymous ftp download:

    You also need to download the NSPR 4.1.2 binary distributions to get the NSPR 4.1.2 header files and shared libraries, which NSS 3.3 requires. NSPR 4.1.2 binary distributions are in ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.1.2/.


    Bugs Fixed

    For a list of all bugs that have been fixed in the NSS 3.3 release, click here.


    Documentation

    For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available since the release of NSS 3.2 include the following:

    Source may be viewed with a browser (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/

    The following tools are supported in this release:

      certutil
      cmsutil
      modutil
      pk12util
      signtool
      signver
      ssltap
    For documentation and other information about these tools, see NSS Tools.


    Changes Since NSS 3.2.1

    For a list of changes introduced in NSS 3.2.1, see NSS 3.2.1 Release Notes.

    The sections that follow discuss specific changes since NSS 3.2.1 in more detail.

    NSS/JSS integration

    NSS/JSS integration is what motivated the NSS 3.3 release.

    The upcoming JSS 3.1 release will be linked with the NSS 3.3 shared libraries.  Because JSS used many private NSS functions that were not exported by the NSS shared libraries, JSS had to link with NSS static libraries.  Therefore, it was unsafe for an application to use both NSS and JSS because there would be two copies of NSS in the same process.  This problem is fixed in NSS 3.3 and JSS 3.1.  An application of this enhancement is that Java servlets running on a web server (for example, iPlanet Web Server Service Pack 1) using NSS 3.3 can use JSS 3.1.

    New NSS public functions

    The new public functions exported by NSS 3.3 are described here.
  • CERT_CheckCertUsage: return SECSuccess if the certificate is considered valid for the given usage (declared in cert.h).
  • CERT_FindCertIssuer: return the CA certificate that issued the given certificate (declared in cert.h).
  • PK11_GetModule: return the PKCS #11 module that supports the PKCS #11 device slot (declared in pk11func.h).
  • SECKEY_CreateDHPrivateKey: create a new private/public key pair for Diffie-Hellman (declared in keyhi.h).
  • SECKEY_GetPublicKeyType: return the type of the specified public key, that is, the asymmetric algorithm it is made for (declared in keyhi.h).
  • SECMOD_AddNewModule: load a new PKCS #11 module into the address space and add it to the secmod.db (declared in secmod.h).

    Additional SSL/TLS cipher suites supported

    In NSS 3.3, the cipher suites known formally as SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, and TLS_DHE_DSS_WITH_RC4_128_SHA are now supported on the client side. To ensure that older programs do not use these new cipher suites inadvertently, these new cipher suites are NOT enabled by default.

    To use these new cipher suites, an application must enable them explicitly by a call to SSL_CipherPrefSetDefault or SSL_CipherPrefSet. The new cipher suites are properly handled by the policy functions NSS_SetDomesticPolicy, NSS_SetExportPolicy, and NSS_SetFrancePolicy. Applications that call SSL_CipherPolicySet instead of one of these three policy functions must also call SSL_CipherPolicySet for these new cipher suites if they wish to use these new cipher suites.
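
    One way an application could follow the steps above, as an added example (not code from NSS or from the original release notes): it enables the five DHE suites by default preference and, for applications that manage policy with SSL_CipherPolicySet, also marks each suite as allowed. The helper name enable_dhe_suites, the USE_NSS build switch, and the stand-in definitions are assumptions made for this example.

```c
/* Added example, not NSS project code. Build with -DUSE_NSS to compile
 * against NSS; otherwise the stand-ins below (assumptions, not NSS source)
 * record each call so the logic runs with no NSS installed. */
#include <stddef.h>
#ifdef USE_NSS
#include <nss.h>
#include <ssl.h>
#include <sslproto.h>
#else
typedef int PRInt32, PRBool;
typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;
#define PR_TRUE 1
#define SSL_ALLOWED 1
/* Suite code points, the same values NSS's sslproto.h defines. */
#define SSL_DHE_DSS_WITH_DES_CBC_SHA      0x0012
#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
#define SSL_DHE_RSA_WITH_DES_CBC_SHA      0x0015
#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
#define TLS_DHE_DSS_WITH_RC4_128_SHA      0x0066
static int pref_on[0x100], policy_ok[0x100]; /* stand-in library state */
static SECStatus SSL_CipherPrefSetDefault(PRInt32 c, PRBool on) {
    return (c < 0 || c >= 0x100) ? SECFailure : (pref_on[c] = on, SECSuccess);
}
static SECStatus SSL_CipherPolicySet(PRInt32 c, PRInt32 policy) {
    return (c < 0 || c >= 0x100) ? SECFailure
         : (policy_ok[c] = (policy == SSL_ALLOWED), SECSuccess);
}
#endif

static const PRInt32 dhe_suites[] = {
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
    TLS_DHE_DSS_WITH_RC4_128_SHA
};

/* per_suite_policy: nonzero for applications that call SSL_CipherPolicySet
 * themselves. Returns the number of suites enabled, or -1 on failure. */
int enable_dhe_suites(int per_suite_policy) {
    size_t i, n = sizeof dhe_suites / sizeof dhe_suites[0];
    for (i = 0; i < n; i++) {
        if (per_suite_policy &&
            SSL_CipherPolicySet(dhe_suites[i], SSL_ALLOWED) != SECSuccess)
            return -1;
        if (SSL_CipherPrefSetDefault(dhe_suites[i], PR_TRUE) != SECSuccess)
            return -1;
    }
    return (int)n;
}
int main(void) { return enable_dhe_suites(1) == 5 ? 0 : 1; }
```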

    The implementation of these DHE cipher suites was contributed by Dr. Stephen Henson.


    Platform Information

    NSS is maintained on the platforms listed in the table. "Build" means the iPlanet NSS team has built NSS on a machine with the specified OS. "Certified" means the iPlanet NSS team has run QA tests for NSS on a machine with the specified OS.

    Platform       Build            Certified                       Compiler(s)
    AIX            4.3.3 (32 bit)   4.3.3 (32 bit), 4.3.3 (64 bit)  xlC/C++ 3.6.4
    AIX            4.3.3 (64 bit)   4.3.3 (64 bit)                  xlC/C++ 3.6.4
    Compaq Tru64   4.0D             5.0A                            (cc) Digital C v5.6-071
    HP-UX          11.0 (32 bit)    11.0 (32 bit), 11.0 (64 bit)    C compiler: A.11.01.00
    HP-UX          11.0 (64 bit)    11.0 (64 bit)                   C compiler A.11.01.00
    Linux          RedHat 6.0       RedHat 6.2                      egcs-1.1.2
    Windows NT     NT 4.0 w/ SP 6a  NT 4.0 w/ SP 6a, Win2000        VC++ 6.0 Service Pack 3
    Windows        NT 4.0 w/ SP 6a  NT 4.0 w/ SP 6a, Win2000        VC++ 6.0 Service Pack 3
    Solaris SPARC  2.6              2.6, 8 (32 bit), 8 (64 bit)     WorkShop Compilers C/C++ version 4.2
    Solaris SPARC  8 (64-bit)       8 (64-bit)                      WorkShop Compilers C/C++ version 5.0
    Solaris Intel  8                8                               Forte C/C++ 6 update 1

    NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto.

    Note about Windows NT builds: The build listed in the left column above as the "Windows NT" build runs on Windows NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on Windows NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build runs on all Windows flavors -- 95, 98, Me, NT, and 2000.

    Only NSPR makes use of this Windows NT vs. Windows distinction and provides different Windows NT and Windows builds. Many Netscape products, including NSS, have Windows NT and Windows builds that are essentially the same except one difference: one is linked with the Windows NT version of NSPR and the other is linked with the Windows version of NSPR.

    Note to Macintosh Developers: Due to a lack of resources, our team was unable to build and test NSS for the Macintosh platform. We are looking for help from any interested parties to test NSS 3.3 on Macintosh. For contact information, please see the Feedback section.


    Known Bugs and Issues

    1. NSS 3.3 uses mozilla/dbm, which is based on Berkeley DB 1.85. Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL.

    In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing the clause. (The announcement is available at ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change.) The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement means that the advertising clause has been deleted from Berkeley DB 1.85.

    2. For a list of reported bugs that have not been fixed in NSS 3.3, click here. (Note that not all of these bugs have been confirmed. Even some bugs in the "new" state are unconfirmed.)


    Compatibility

    NSS 3.3 shared libraries are backward compatible with NSS 3.2 and NSS 3.2.1 shared libraries. A program linked with NSS 3.2 or 3.2.1 shared libraries will work with NSS 3.3 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS 3.3 Public Functions will remain compatible with future versions of the NSS shared libraries.


    Feedback

    Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).

    You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server irc.mozilla.org.