You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.11.1 Release Notes

05 May 2006




Network Security Services (NSS) 3.11.1 is a patch release for NSS 3.11. The bug fixes in NSS 3.11.1 are described in the "Bugs Fixed" section below.

Distribution Information

The CVS tag for the NSS 3.11.1 release is NSS_3_11_1_RTM.  NSS 3.11.1 requires NSPR 4.6.2.

See the Documentation section for the build instructions.

NSS 3.11.1 source and binary distributions are also available on for secure HTTPS download:

You also need to download the NSPR 4.6.2 binary distributions to get the NSPR 4.6.2 header files and shared libraries, which NSS 3.11.1 requires. NSPR 4.6.2 binary distributions are in

Bugs Fixed

The following bugs have been fixed in NSS 3.11.1.
  • Bug 80092: SSL write indicates all data sent when some is buffered
  • Bug 116168: TLS server name indication extension support in NSS
  • Bug 152426: delegation of HTTP download for OCSP
  • Bug 223242: The SSL session timeout arguments to SSL_ConfigServerSessionIDCache and SSL_ConfigMPServerSIDCache are ignored.
  • Bug 226271: implement RFC 3546 (TLS v1.0 extensions)
  • Bug 236245: Update ECC/TLS to conform to RFC 4492
  • Bug 238051: Enable SSL session reuse for ECC cipher suites
  • Bug 262375: need clobber_dbm and clobber_nspr targets
  • Bug 273637: 3 locks in softoken have unsafe initialization
  • Bug 274512: generating too much key material for some SSL ciphersuites
  • Bug 277334: pk12util can't import a pfx file encrypted with an empty password
  • Bug 287116: valgrind reports UMR in alg_fips186_1_x3_1
  • Bug 302658: sparc MPI code making run-time ISA determination
  • Bug 305697: Softoken needs to give on the fly access to additional databases.
  • Bug 309701: Softtoken C_CreateObject() should not require CKA_NETSCAPE_DB attribute to be present
  • Bug 310145: another stack overflow in mpp_make_prime
  • Bug 313680: add missing TLS cipher suites to SSLTAP
  • Bug 315793: shlibsign incorrectly runs from mozilla/security/nss/cmd/shlibsign
  • Bug 317856: uninitialized variables in strsclnt.c
  • Bug 317858: linking fails on Linux ppc and ppc64
  • Bug 318217: Change ssl_EmulateSendFile to use NSPR 4.1 features
  • Bug 319240: ssl_V3_SUITES_IMPLEMENTED is off by 3 when the FORTEZZA cipher suites were removed
  • Bug 319252: NSS crashes when generating NIST P512 EC keys.
  • Bug 319495: clean up Makefiles for command-line tools
  • Bug 319619: large ECC private keys cannot be exported through PKCS #11
  • Bug 320029: NSS crashes trying to make cert8.db from cert5.db
  • Bug 320038: NSS generates private keys for the NIST curve K-233 with the wrong length.
  • Bug 320047: mp_to_unsigned_octets copies nothing to the buffer if the mp_int is zero.
  • Bug 320187: NSC_WrapKey called with null output returns short length
  • Bug 320497: wrongly requires executable stack
  • Bug 320578: The distribution of k for ECDSA is not uniform.
  • Bug 320583: NSS ECDSA can only sign SHA-1
  • Bug 320589: Code cleanup in lib/freebl/ec.c
  • Bug 321161: crash occurs if no RSA key is present [[@ ssl2_BeginServerHandshake]
  • Bug 321350: Implement optimized code for NIST Suite B elliptic curves
  • Bug 321765: Allow NSS to import certs with unsupported critical extensions
  • Bug 321865: NSS coreconf file is needed for SunOS5.11 on x86 and Sparc
  • Bug 323079: When libsoftoken loads the freebl library
  • Bug 323196: NSS 3.11 does not build on RHEL21
  • Bug 323379: [[BeOS] Firefox build broken when signing security modules
  • Bug 323817: Truncation of hashes for ECDSA should be done at bit level
  • Bug 323977: Crash when build runs shlibsign on FreeBSD 5.4
  • Bug 324103: DB reference leaks in softoken prevent cert DB from being flushed at close
  • Bug 324448: Allow building NSS with MSVC without a standalone assembler
  • Bug 325305: minor memory leak in CERT_FindCertByNameString
  • Bug 325307: infinite loop in SECU_FindCrlIssuer
  • Bug 325494: Multipart verification broken for CKM_ECDSA_SHA1
  • Bug 325498: ECDSA verify does not conform to PKCS#11 v2.20
  • Bug 325657: Unset ECL_USE_FP for USE_ABI32_INT64 and USE_ABI64_INT Solaris SPARC freebl libraries
  • Bug 325682: rpath needs to be for some Linux builds
  • Bug 325683: EC param parsing error not propagated correctly
  • Bug 326144: softoken leaks in nsc_pbe_key_gen
  • Bug 326403: NSS builtin certificate module manufacturer is Netscape
  • Bug 326503: producing a ProofOfPossession signature on a EC CRMF fails
  • Bug 326690: modutil doesn't support AES
  • Bug 326754: Two minor bugs with the 'h' parameter in PQG_ParamGenSeedLen
  • Bug 326963: Interoperability test with apache/mod_ssl: tstclnt produces: assertion failure: secmod_PrivateModuleCount == 0
  • Bug 327105: With ECC enabled
  • Bug 327384: Buffer too small for NIST K-571 and B-571 curves
  • Bug 327405: Error generating EC keypairs (c2pnb163v? curves)
  • Bug 327677: cmsutil assertion failure
  • Bug 327855: Crash on entering https sites when security.OCSP.enabled=1
  • Bug 327978: Remove security/lib/freebl/GF*_ecl.*
  • Bug 328228: mismatches in certutil ECC curves
  • Bug 328262: Incorrect stress test cache statistics cause QA test failures
  • Bug 328514: SSL handshake error when using large ECC keys
  • Bug 329002: crash/assertion failure on shutdown after installing ECC cert
  • Bug 329058: mpmontg.c doesn't compile when MP_CHAR_STORE_SLOW is defined
  • Bug 329072: client sometimes fails to authenticate despite having cert
  • Bug 329575: EC_ValidatePublicKey gives false positives for NIST Koblitz (K-ddd) curves
  • Bug 330068: strsclnt fails without any visible error
  • Bug 330114: RSA_CheckSign does not check the length of padding string PS
  • Bug 331164: unsafe late initialization of Stan cert store object
  • Bug 331515: selfserv Bus error on 3DES ciphersuites
  • Bug 331648: signed/unsigned bug submitting CRMF cert requests
  • Bug 332279: SSL2 client auth stress tests fail when using auto cert selection
  • Bug 332350: SSL ECC negotiates wrong cipher suite for cert signature
  • Bug 333090: CKM_DH_PKCS_KEY_PAIR_GEN always fails
  • Bug 333389: sftk_NewAttribute should not crash when so is NULL [[@ sftk_NewAttribute]
  • Bug 333559: strsclnt needs option to disable SSL2 compatible client hellos
  • Bug 333600: ssltap should format and display TLS hello extensions and alerts
  • Bug 333657: certutil cannot generate RSA keys larger than 2048 bits
  • Bug 333679: certutil adds 3 months to user-specified validity period
  • Bug 333932: Solaris SPARC GCC NSS build fails in lib/freebl when using Solaris as to assemble assembly code
  • Bug 334057: 160 and 192 bit curves fail on AMD64 Red Hat builds
  • Bug 334183: Double free on error because CERT_FindCertIssuer unexpectedly calls CERT_DestroyCertificate
  • Bug 334234: PK11_NewSlotInfo returns freed objects if lock allocations fail
  • Bug 334236: double free in PK11_ListPrivKeysInSlot if keys allocation fails
  • Bug 334240: double free in nsslowkey_ConvertToPublicKey if SECITEM_CopyItem or SECITEM_CopyItem fail
  • Bug 334273: double free in SECKEY_DecodeDERSubjectPublicKeyInfo
  • Bug 334275: double free in [[@ PK11_ListPublicKeysInSlot]
  • Bug 334276: double free in [[@ SECKEY_CopyPublicKey]
  • Bug 334277: double free in [[@ sftk_FreeAttribute - sftk_DeleteAttributeType]
  • Bug 334314: Add missing ECC TLS cipher suites to ssltap
  • Bug 334326: DecodeV4DBCertEntry: Variable (entry)->nickname tracked as NULL was passed to a function that dereferences it.
  • Bug 334327: pk11_CreateNewContextInSlot: Variable (context)->key tracked as NULL was passed to a function that dereferences it.
  • Bug 334328: nsspkcs5_PKCS12PBE: Variable A tracked as NULL was dereferenced.
  • Bug 334436: nsslowcert_UpdateSubjectEmailAddr doesn't consistently use emailAddrs as a guard of nemailAddrs guarding emailAddrs[[0]
  • Bug 334438: oom Crash in ReadDBCertEntry
  • Bug 334442: Incorrect use of realloc oom Crash in secmod_ReadPermDB
  • Bug 334443: oom Crash in nssCKFWSession_Create
  • Bug 334446: oom Crash in nssCKFWFindObjects_Create
  • Bug 334449: oom Crash in crmf_template_copy_secalg
  • Bug 334454: Variable (key)->pkcs11Slot tracked as NULL was passed to a function that dereferences it. [[@ SECKEY_CopyPrivateKey - SSL_ConfigSecureServer]
  • Bug 334459: Variable cipherName tracked as NULL was passed to a function that dereferences it. [[@ PORT_Strdup - SSL_SecurityStatus]
  • Bug 334522: pk12util crash in SEC_PKCS12DecoderValidateBags
  • Bug 334533: FIPS DSA PQG Generation test failures
  • Bug 334553: NIST K- and B- curves don't work on HP-UX 11.11 PA-RISC
  • Bug 334843: Add rpath for HP-UX on pa-risc
  • Bug 336335: memory leaks in freebl with ECC and RSA cipher suites (CVE-2006-3127)


For a list of the primary NSS documentation pages on, see NSS Documentation.


NSS 3.11.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.11.1 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with Bugzilla (product NSS).