You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.10 Release Notes

25 April 20005




Network Security Services (NSS) 3.10 is a minor release with the following new features:
  • NSS 3.10 is published under the tri-licence MPL 1.1/GPL 2.0/LGPL 2.1
  • NSS 3.10 added support for RAM CRLs, without writing to the database.

Distribution Information

The CVS tag for the NSS 3.10 release is NSS_3_10_RTM.  It has been certified with NSPR 4.5.2.

NSS 3.10 source and binary distributions are also available on for anonymous ftp download:

You also need to download the NSPR 4.5.2 binary distributions to get the NSPR 4.5.2 header files and shared libraries, which NSS 3.10 requires. NSPR 4.5.2 binary distributions are in


For a list of the primary NSS documentation pages on, see NSS Documentation.

New in NSS 3.10

The sections that follow discuss specific changes in NSS 3.10 in more detail.

  • The following functions are added to the nss library:
    • CERT_CacheCRL (see cert.h)
      CERT_DecodeAltNameExtension (see cert.h)
      CERT_DecodeAuthInfoAccessExtension (see cert.h)
      CERT_DecodeAuthKeyID (see cert.h)
      CERT_DecodeCRLDistributionPoints (see cert.h)
      CERT_DecodeNameConstraintsExtension (see cert.h)
      CERT_DecodePrivKeyUsagePeriodExtension (see cert.h)
      CERT_DestroyUserNotice (see cert.h)
      CERT_FinishCertificateRequestAttributes (see cert.h)
      CERT_GetCertificateNames (see cert.h)
      CERT_GetCertificateRequestExtensions (see cert.h)
      CERT_GetNextGeneralName (see cert.h)
      CERT_GetNextNameConstraint (see cert.h)
      CERT_GetPrevGeneralName (see cert.h)
      CERT_GetPrevNameConstraint (see cert.h)
      CERT_MergeExtensions (see cert.h)
      CERT_StartCertificateRequestAttributes (see cert.h)
      CERT_StartCRLEntryExtensions (see cert.h)
      CERT_StartCRLExtensions (see cert.h)
      CERT_UncacheCRL (see cert.h)
      HASH_Clone (see sechash.h)
      HASH_HashBuf (see sechash.h)
      HASH_ResultLenByOidTag (see sechash.h)
      HASH_ResultLenContext (see sechash.h)
      SEC_GetSignatureAlgorithmOidTag (see cryptohi.h)
      SECKEY_CacheStaticFlags (see keyhi.h)
      SECOID_AddEntry (see secoid.h)
  • The following functions are added to the smime library:
    • SEC_PKCS12DecoderIterateInit (see p12.h)
      SEC_PKCS12DecoderIterateNext (see p12.h)
      SEC_PKCS12DecryptionAllowed (see p12plcy.h)
  • NSS 3.10 provides 2 new include files:
    • pk11priv.h
  • The maximum key size for the PKCS#11 module DH_MAX_P_BITS is changed from 1024 to 2236 (see blapit.h for details).
  • cert.h: New CRL option CRL_DECODE_ADOPT_HEAP_DER
  • keythi.h defines the following macros:
    • SECKEY_Attributes_Cached
  • The nssckbi PKCS #11 module's version changed to 1.50.
  • pkcs11n.h defines the new following macros:
    • Trust attributes - "usage" key information
      Netscape-defines return values
  • secerr.h defines new revocation errors:
  • secmodt.h defines the following:
    • new evControlMask flags to tell the current state of a SECMOD_WaitForAnyTokenEvent
      CRL import flags
  • secoidt.h defines new OIDs:

Bugs Fixed

  • Bug 284386: Build error using gcc4 (oiddata.h
  • Bug 282610: Move SVRCORE functionality into NSS
  • Bug 286298: Remove the PKCS11_STATIC_ATTRIBUTES macro
  • Bug 286302: Make PK11_CreateSymKey static
  • Bug 286313: pk11_getKeyFromList can call PORT_Alloc instead of PORT_ZAlloc
  • Bug 286318: Optimize frequently called function pk11_SessionFromHandle
  • Bug 286439: Remove PKCS11_USE_THREADS and PK11_USE_THREADS
  • Bug 288657: pk11_AnyUnwrapKey does not process error condition correctly
  • Bug 290233: printf format related compiler warnings
  • Bug 180268: SSL step-up Government approval trust flags missing
  • Bug 257604: NSS deletes PKCS#11 session objects after closing the session
  • Bug 269581: NSS calls C_GetAttributeValue unnecessarily when token is logged in
  • Bug 272327: AMD64 assembly multiply routine for freebl / mpi
  • Bug 280121: Can not encode CRL using classic ASN.1 encoder: unable to encode with the combination of SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL template flags.
  • Bug 287654: NSC_Encrypt with RSA mechanism crashes if len is greater than modulus len
  • Bug 290121: NSS doesn't fetch CRLs during the first minute of program execution on AIX
  • Bug 286505: certutil has infinite loop in interactive mode for cert extensions
  • Bug 288227: nss3.10 certutil sees 3.9.x root certs as government issued
  • Bug 291555: certutil -R creates a CSR with ext req list even when number of exts is zero.
  • Bug 244929: bad CRMF lib assertion hides errors in debug builds
  • Bug 245943: CERT_DestroyCertificate crashes on CMMF decoded cert
  • Bug 289529: NSC_CopyObject crashes when trying to copy token object
  • Bug 291542: regression crash in certutil when request has no attributes
  • Bug 232380: A cert may be destroyed twice in CERT_FindExpiredIssuer and cert_VerifyCertChain
  • Bug 232483: NSS 3.9.1 needs a new release of DBM (DBM 1.7)
  • Bug 276180: PK11_HashBuf will crash if given a NULL buffer or a negative length
  • Bug 279542: [[s390] nsinstall is segfaulting during the build process
  • Bug 287495: Please add Go Daddy root certs to NSS
  • Bug 290217: Build DBM from sources in the gmake import build method
  • Bug 285233: need extra symbols to be exported by NSS library to support crl generation
  • Bug 287625: rsaperf should run multithreaded
  • Bug 231659: UTF-8 decoder accepts overlong sequences
  • Bug 233605: partial CRL decoding skips entry extension checks
  • Bug 243585: NSS needs to be able to store CRL and other objects even when initialized with Read Only databases.
  • Bug 249310: selfserv does not have an option to disable SSL2
  • Bug 259896: Make rsaperf use PKCS#11
  • Bug 266940: MAX_THREADS in selfserv should be higher
  • Bug 268521: C_CloseSession is invoked after C_CloseAllSessions during NSS_Shutdown
  • Bug 270742: Incorporate AMD64 assembler implementation of arcfour
  • Bug 281761: VFY_CreateContext passes wrong key object to DecryptSigBlock
  • Bug 283761: selfserv use of memset is inefficient
  • Bug 283765: uninitialized memory read on NSSUsage structure
  • Bug 285237: RPATH not set on AMD64 platform for and tools
  • Bug 288726: C_Finalize status not checked in SECMOD_CancelWait
  • Bug 263779: certutil doesn't place or handle extensions in cert requests
  • Bug 285208: certutil -C78 creates invalid cert with two subjAltName extensions
  • Bug 124923: The dynamic oid hash table (oid_d_hash in secoid.c) is not thread-safe
  • Bug 132942: RFE: better parsing and display of certificates
  • Bug 148452: SSL_ConfigSecureServer always generates a step-down key for RSA
  • Bug 178898: ASN.1 decoder used without arena in lib/crmf
  • Bug 197964: incorrect handling of certificate with two CN's
  • Bug 210179: pk12util produces grossly inflated pkcs 12 files
  • Bug 219080: Support for GeneralizedTime in CRMF libraries
  • Bug 222726: SSL_NO_CACHE option should obviate server cache
  • Bug 230159: leaks
  • Bug 231775: NSS error -8101 for Verisign SSL step up certs
  • Bug 231881: export cert functions that decode extensions
  • Bug 232738: PKITS test 4.7.5 fails
  • Bug 232937: crlutil returns 0 when import fails
  • Bug 233019: CERT_FindCertByKeyID crashes using NULL ptr
  • Bug 235617: CERT_DecodeTrustString crashes if either input arg is NULL
  • Bug 237724: crash in NSS server if server SID cache uninitialized
  • Bug 240456: OCSP fails if responder's cert key usage is non-repudiation only
  • Bug 242146: no slop time for nextUpdate time in OCSP responses
  • Bug 243245: addbuiltins program fails on Windows
  • Bug 243580: no license block in nss/cms/pk11util/pk11table.c
  • Bug 243655: pk11util crashes when using indexed array element
  • Bug 245429: ASN1 encoder asserts on CMMF templates
  • Bug 247737: PK11_PQG_ParamGenSeedLen returns invalid PQGParams and Verify
  • Bug 247738: makepqg outputs invalid PQGParams
  • Bug 247739: certutil program fails to read PQG files
  • Bug 258362: Export more libSMIME functions
  • Bug 258366: port PKCS1 v1.5 data encryption funcs from 3.9 branch
  • Bug 263596: cmsutil segfaults when cert doesn't contain email address
  • Bug 263691: UMR in get_nss_trust
  • Bug 266651: case sensitive comparison done on wildcard hostnames in certs
  • Bug 273611: Add end of list marker to SECErrorCodes enum in secerr.h
  • Bug 283642: pk11wrap functions pass invalid key handle to modules
  • Bug 284191: pp incorrectly prints cert request attributes
  • Bug 284200: No public way to parse Sequence of Extension on Windows
  • Bug 289817: ssltap creates cert files containing garbage
  • Bug 289819: certutil -A reports extension not found if file has extra data
  • Bug 233320: pk11_OpenKeyDB returns SECFailure.
  • Bug 273624: NSS_Initialize diagnostics aren't sufficiently precise; regression from 3.3.x to 3.9.x
  • Bug 283690: NSS improperly handles PKCS11 sessions for SSL derived keys.
  • Bug 123693: Memory leaks in the error paths in softoken/pkcs11.c
  • Bug 233048: 64bit build does not work on solaris with gcc
  • Bug 233239: zlib.h
  • Bug 233319: Better DLL search path in cmd/shlibsign/
  • Bug 246130: pk11wrap NSS source files are too large and should be broken up
  • Bug 248435: CERT_DecodeGeneralName not in public header file
  • Bug 261794: Some .cvsignore files in NSS tree mention files which are used
  • Bug 267158: Spurious conflicts on update because of RCS tags
  • Bug 282367: Export CERT_DestroyUserNotice
  • Bug 282370: Add OID for PKIX_CA_ISSUERS
  • Bug 282527: certutil -C changes -8 (dns alt name ext) option to -7 (email ext)
  • Bug 290345: Changes in NSS's public interface between NSS_3_9_RTM and NSS_3_10_RTM
  • Bug 178895: Quick decoder updates in lib/cryptohi
  • Bug 178897: Quick decoder updates in lib/pkcs7 lib/pkcs12 lib/smime lib/util
  • Bug 225808: CERTCertificate.nsCertType is unsigned int but is passed to PR_AtomicSet
  • Bug 236964: add dbprefix option for selfserv
  • Bug 290120: Compile source files with absolute pathnames on AIX
  • Bug 280602: add pk12util feature to provide detailed list of p12 file contents
  • Bug 221737: vfychain should return 0 or 1
  • Bug 248751: signtool should create XPInstall compatible signed archives
  • Bug 249330: signtool sources are a MESS - no single coding style
  • Bug 273444: Not all generic hash api functions are exported e.g. HASH_HashBuf
  • Bug 229293: lib/base/arena.c: unary minus operator applied to unsigned type
  • Bug 229297: lib/crmf/crmfdec.c: conversion from 'double ' to 'long '
  • Bug 233321: utf8.c doesn't build as a standalone test program.
  • Bug 249284: Duplicate declaration of CERT_DecodeDERCertificate (compiler warnings)
  • Bug 267839: Use $< and $@ where appropriate
  • Bug 268502: Some problems in ckfw.h
  • Bug 288095: Unnecessary private exports from lib/softoken
  • Bug 265786: unused variable warnings in QuickDER
  • Bug 233112: certutil typo: futuer should be future
  • Bug 196353: NSS deletes PKCS#11 session objects after session was closed
  • Bug 131826: upgrade zlib version in cmd/zlib
  • Bug 275576: Add Camerfirma CA certificate to NSS
  • Bug 280744: Add NetLock CA certificates to NSS
  • Bug 274723: Add XRamp CA Certificate to NSS


NSS 3.10 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.10 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).

You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server