You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.11.8 Release Notes

08 November 2007




Network Security Services (NSS) 3.11.8 is a patch release for NSS 3.11. The bug fixes in NSS 3.11.8 are described in the "Bugs Fixed" section below.

Distribution Information

The CVS tag for the NSS 3.11.8 release is NSS_3_11_8_RTM.  NSS 3.11.8 requires NSPR 4.6.8.

See the Documentation section for the build instructions.

NSS 3.11.8 source and binary distributions are also available on for secure HTTPS download:

You also need to download the NSPR 4.6.8 binary distributions to get the NSPR 4.6.8 header files and shared libraries, which NSS 3.11.8 requires. NSPR 4.6.8 binary distributions are in

New in NSS 3.11.8

  • libssl had the following function added to allow to do automatic bypass:
    • SSL_CanBypass (see ssl.h)

Bugs Fixed

The following bugs have been fixed in NSS 3.11.8.
  • Bug 51429: RNG_SystemInfoForRNG possible netstat zombie process
  • Bug 233932: certutil -T crashes if -h <token> specifies a nonexistant token
  • Bug 289979: Three root CA certs don't have explicit CKA_TRUST_STEP_UP_APPROVED flags
  • Bug 294555: unexported api calls in p12plcy.h
  • Bug 294557: unexported api calls in pkcs12.h
  • Bug 301528: RSA certificate request succeeds even when underlying pkcs11 module returns error
  • Bug 308275: Leaks related to nssCKFWInstance_CreateMutex
  • Bug 325672: NSS needs a function to indicate usability of the bypass feature
  • Bug 338688: NSS allocation functions don't always set SEC_ERROR_NO_MEMORY
  • Bug 351769: pk12util leaks password strings
  • Bug 352929: Remove unused function DER_Decode
  • Bug 366553: libSSL leaks global array of trusted client auth CA names
  • Bug 376748: Infinite loop in CERT_CertChainFromCert
  • Bug 376894: Make DEBUG_PKCS11 work for optimized builds
  • Bug 378489: Add multiple new roots to NSS
  • Bug 381718: Bug in PK11_ListPrivKeysInSlot
  • Bug 387052: OOM crash in softoken
  • Bug 388824: Misaligned structures in pkcs11 result in crash on 64-bit Windows
  • Bug 390187: PK11_FindCertFromNickname sets no error code when token not found
  • Bug 392208: PK11_FindCertByIssuerAndSN must validate input arguments (Tbird crashes with bug 379190 testcase)
  • Bug 392846: Do not send hello extensions when using SSL v3.0
  • Bug 394040: Tstclnt crashed in NISCC testing.
  • Bug 394202: ssl_GetPrivate can corrupt non-SSL private structures
  • Bug 394271: two public SSL functions require PRFD* to point to SSL layer
  • Bug 396653: Get rid of lib/asn1
  • Bug 400119: Fix UMRs in getLibName()
  • Bug 400711: SSL_CanBypass leaks memory
  • Bug 401057: crmftest crashes in crmf_copy_bitstring
  • Bug 401071: pk11mode crashes on Win64


For a list of the primary NSS documentation pages on, see NSS Documentation. New and revised documents available since the release of NSS 3.9 include the following:


NSS 3.11.8 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.11.8 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with Bugzilla (product NSS).