You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.

Skip to main content

Network Security Services (NSS)

Primary Newsgroup: mozilla.dev.tech.crypto
Alternate Newsgroup: mozilla.dev.tech.crypto

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. For detailed information on standards supported, see Overview of NSS.

NSS is available under the Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public License. For information on downloading NSS releases as tar files, see Download PKI Source.

To participate in ongoing technical discussions related to NSS, tune in to the newsgroup using one of the above links.

In this document

Project Information

NSS 3.11.4 has been released. We are working on NSS 3.12.

17 November 2006: NSS 3.11.4 Release

NSS 3.11.4 is the version that we submitted to NIST for FIPS 140-2 validation. The CVS tag is NSS_3_11_4_RTM. NSS 3.11.4 may be used with NSPR 4.6.4 (CVS tag NSPR_4_6_4_RTM) or later.

NSS 3.11.4 is a patch release for NSS 3.11. For the list of the bugs that have been fixed in NSS 3.11.4, see NSS 3.11.4 Release Notes.

19 May 2005: NSS 3.10 Release

NSS 3.10 was completed on 27 April 2005. The CVS tag is NSS_3_10_RTM. It is the first release in which the DBM library (mozilla/dbm and mozilla/security/dbm) became part of the NSS source tree. NSS 3.10 may be used with NSPR 4.5.1 (CVS tag NSPR_4_5_1_RTM) or later. We will post the release notes here soon.

19 May 2005: NSS 3.9.5 Release

NSS 3.9.5 is the latest patch release for NSS 3.9. The CVS tag is NSS_3_9_5_RTM.

8 January 2004: NSS 3.9 Release

The new features and enhancements in NSS 3.9 include GeneralizedTime support, RFC 3280 compliant name constraints, and the ability to list duplicate certificate instances in multiple tokens. NSS 3.9 passes all the NISCC SSL/TLS and S/MIME tests (1.6 million test cases of invalid input data) without crashes or memory leaks. We recommend that all NSS customers upgrade to NSS 3.9 in the next release of your product. For details, see NSS 3.9 Release Notes.

20 June 2003: NSS 3.7.7 Release

NSS 3.7.7 is a patch release for NSS 3.7. For the list of the bugs that have been fixed in NSS 3.7.7, see NSS 3.7.7 Release Notes.

21 May 2003: NSS 3.7.5 Release

NSS 3.7.5 is a patch release for NSS 3.7. For the list of the bugs that have been fixed in NSS 3.7.5, see NSS 3.7.5 Release Notes.

10 April 2003: NSS 3.8 Release

The new features and enhancements in NSS 3.8 include the SHA-256, SHA-384, and SHA-512 algorithms, enhanced smartcard support, and the elliptic curve cryptography code (not compiled by default) contributed by Sun Labs. For details, see NSS 3.8 Release Notes.

20 March 2003: NSS 3.7.3 Release

NSS 3.7.3 is a patch release for NSS 3.7. For the list of the bugs that have been fixed in NSS 3.7.3, see NSS 3.7.3 Release Notes.

10 March 2003: NSS 3.7.2 Release

NSS 3.7.2 is a patch release for NSS 3.7. For the list of the bugs that have been fixed in NSS 3.7.2, see NSS 3.7.2 Release Notes.

4 March 2003: NSS 3.4.3 Release

NSS 3.4.3 is a patch release for NSS 3.4. For the list of the bugs that have been fixed in NSS 3.4.3, see NSS 3.4.3 Release Notes.

27 Febrary 2003: Security Vulnerability: Vaudenay Timing Attack on CBC mode block ciphers

Recently a timing-based attack on SSL/TLS implementations of CBC mode block cipher suites was disclosed. At present the implementation of SSL and TLS in NSS is susceptible to this method. The flaw is exploited on the recipient of sensitive data, which is normally servers. Servers are vulnerable to the attack only if they implement all of the following:

  • TLS (supported by NSS 2.8 and later);
  • cipher suites that use block ciphers;
  • application protocols that are likely to receive sensitive data (for example, passwords) at exactly the same offset in many messages from a client.

We have implemented a countermeasure and will release NSS patch releases soon. Until updated NSS libraries are available, we recommend the following action:

  • Netscape/mozilla browser users do not need to take any action. They could choose to disable TLS or disable CBC mode block ciphersuites as a precaution against vulnerable servers.
  • Administrators of servers that are based on NSS 2.8 or later and that enable TLS need to take action. They could disable TLS or disable CBC mode block cipher suites.

For more information, please see our article on this security flaw.

29 January 2003: NSS 3.7.1 Release

NSS 3.7.1 is a patch release for NSS 3.7. For the list of the bugs that have been fixed in NSS 3.7.1, see NSS 3.7.1 Release Notes.

20 December 2002: NSS 3.7 Release

The new features and enhancements in NSS 3.7 include a new version of the NSS certificate database that supports large CRLs and multiple email addresses for the subject of a certificate. For details, see NSS 3.7 Release Notes.

4 December 2002: NSS 3.6.1 Release

NSS 3.6.1 is a patch release for NSS 3.6. For the list of the bugs that have been fixed in NSS 3.6.1, see NSS 3.6.1 Release Notes.

18 October 2002: NSS 3.6 Release

The new features and enhancements in NSS 3.6 include new certificate handling and SSL functions, better certificate path construction, significantly improved CRL performance and memory usage, better SSL client authentication performance, and PKCS #11 session logging. For details, see NSS 3.6 Release Notes.

July 2002: NSS 3.5 Release

NSS 3.5 is an interim release created for Mozilla 1.0.1 and Netscape 7. We recommend that other NSS clients upgrade to NSS 3.6.

10 June 2002: NSS 3.4.2 Release

NSS 3.4.2 is a patch release for NSS 3.4. For the list of the bugs that have been fixed in NSS 3.4.2, see NSS 3.4.2 Release Notes.

6 May 2002: NSS 3.4.1 Release

NSS 3.4.1 is a patch release for NSS 3.4. For the list of the bugs that have been fixed in NSS 3.4.1, see NSS 3.4.1 Release Notes.

6 May 2002: NSS 3.4 Release

NSS 3.4 contains a partial implementation of the core NSS 4.0 (code name Stan) functions and supports the new TLS AES ciphersuites. For details, see NSS 3.4 Release Notes.

12 December 2001: NSS 3.3.2 Release

NSS 3.3.2 is a patch release for NSS 3.3. For the list of the bugs that have been fixed in NSS 3.3.2, see NSS 3.3.2 Release Notes.

9 November 2001: NSS 3.3.1 Release

NSS 3.3.1 is a patch release for NSS 3.3. For the list of the bugs that have been fixed in NSS 3.3.1, see NSS 3.3.1 Release Notes.

26 July 2001: NSS 3.3 Release

NSS 3.3 enables JSS (3.1 or newer) to use NSS shared libraries and implements five new DHE cipher suites for SSL/TLS on the client side.  For details, see NSS 3.3 Release Notes.

Source code for a Java interface to NSS is available in the Mozilla CVS tree. For details, see Network Security Services for Java.

NSS 3.3 source is available via CVS and may be viewed in HMTL (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/.

6 April 2001: NSS 3.2.1 Release

NSS 3.2.1 provides improved SSL performance and fixes bugs in pk12util and some certificate query operations. For details, see NSS 3.2.1 Release Notes.

NSS 3.2.1 also facilitates simplified build instructions. For details, see Build Instructions for NSS 3.2.1 Release. For background information on the build system and proposals for future changes, see The NSS Build System: History and Future Directions.

2 March 2001: NSS 3.2 Release

NSS 3.2 provided support for shared libraries for the first time. For details, see NSS 3.2 Release Notes.

Applications that use only the NSS 3.2 Public Functions exported by the NSS 3.2 DLLs are guaranteed to work with future versions of the shared libraries.

S/MIME Toolkit Module

See S/MIME Toolkit for information about NSS libraries designed to support cross-platform development of S/MIME applications. Originally created to support S/MIME in Communicator 4.x and Personal Security Manager (PSM), these libraries form the basis of a new S/MIME Toolkit for cross-platform development of S/MIME applications.

SSL/TLS Module

See SSL/TLS for information about NSS libraries designed to support cross-platform development of SSL- and TLS-enabled applications. These libraries form the basis of the SSL module.

Documentation

Background information:

History:

NSS APIs:

  • Introduction to Network Security Services. Provides an overview of the NSS 3.2 libraries and what you need to know to use them.
  • NSS Public Functions summarizes the APIs exported by the NSS shared libraries. These APIs are guaranteed to work with future versions of NSS shared libraries.
  • SSL Reference. API used to invoke SSL operations.
  • NSS API Guidelines. Explains how the libraries and code are organized, and guidelines for developing code (naming conventions, error handling, thread safety, etc.)
  • NSS Technical Notes. Links to NSS technical notes, which provide latest information about new NSS features and supplementary documentation for advanced topics in programming with NSS.

Tools, testing, and other technical details:

PKCS #11 information for implementors of cryptographic modules:

CA certificates pre-loaded into NSS

NSS is built on top of Netscape Portable Runtime (NSPR); developers using NSS must call some NSPR functions. For information on NSPR, see the following:

Mozilla CVS Information

The CVS tags for various NSS releases can be found in the NSS release notes.

NSS source code is in the mozilla/security/coreconf/ and mozilla/security/nss/ directories.