You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

NSS 3.9 Release Notes

8 January 2004




Network Security Services (NSS) 3.9 is a minor release with the following new features:
  • GeneralizedTime support
  • etc.
NSS 3.9 is dual-licensed under the MPL and the GPL.

Distribution Information

The CVS tag for the NSS 3.9 release is NSS_3_9_RTM.  It has been certified with NSPR 4.4.1.

NSS 3.9 source and binary distributions are also available on for anonymous ftp download:

You also need to download the NSPR 4.4.1 binary distributions to get the NSPR 4.4.1 header files and shared libraries, which NSS 3.9 requires. NSPR 4.4.1 binary distributions are in

Bugs Fixed

For a list of all bugs that have been fixed in the NSS 3.9 release, click here.


For a list of the primary NSS documentation pages on, see NSS Documentation. New and revised documents available since the release of NSS 3.3 include the following: Source may be viewed with a browser (via the LXR tool) at

The following tools are supported in this release:

For documentation and other information about these tools, see NSS Tools.

Changes Since NSS 3.8

For a list of changes introduced in NSS 3.8, see NSS 3.8 Release Notes.

The sections that follow discuss specific changes since NSS 3.9 in more detail.

  1. The following new functions are added to the nss3 shared library:
    • CERT_DestroyOidSequence: #include "cert.h";
    • CERT_GetOidString: #include "cert.h";
    • CERT_TimeChoiceTemplate: this is data.  #include "certt.h";
    • DER_DecodeTimeChoice: #include "secder.h";
    • DER_EncodeTimeChoice: #include "secder.h";
    • DSAU_DecodeDerSigToLen: #include "cryptohi.h";
    • DSAU_EncodeDerSigWithLen: #include "cryptohi.h";
    • NSS_Get_CERT_TimeChoiceTemplate: #include "certt.h";
    • PK11_DeriveWithFlagsPerm: #include "pk11func.h";
    • PK11_ExportEncryptedPrivKeyInfo: #include "pk11func.h";
    • PK11_FindSlotsByNames: #include "pk11func.h";
    • PK11_GetSymKeyType: #include "pk11func.h";
    • PK11_MoveSymKey: #include "pk11func.h";
    • PK11_PubDeriveWithKDF: #include "pk11func.h";
    • PK11_PubUnwrapSymKeyWithFlagsPerm: #include "pk11func.h";
    • PK11_UnwrapSymKeyWithFlagsPerm: #include "pk11func.h";
    • SECITEM_ArenaDupItem: #include "secitem.h";
    • SECMOD_GetDBModuleList: #include "secmod.h";
    • SECMOD_GetDeadModuleList: #include "secmod.h";
    • SEC_ASN1DecoderAbort: #include "secasn1.h";
    • SEC_ASN1EncoderAbort: #include "secasn1.h";
    • SEC_DupCrl: #include "certdb.h";
  2. The nssckbi PKCS #11 module's version changed from 1.30 to 1.40.
  3. The previously exported header files blapi.h, secrng.h, and pqgutil.h become private.
  4. New exported header files
    • ecl-exp.h: included by blapit.h.
  5. blapit.h defines the following new macros:
    • #define RSA_MIN_MODULUS_BITS   128
    • #define DH_MIN_P_BITS         128
    • #define DH_MAX_P_BITS         1024
  6. nss.h defines the new macro SECMOD_DB, which is the platform-dependent name (a string constant) of the security modules database.
  7. secmodt.h definess new constants for the PK11CertListType enumeration:
    • PK11CertListCAUnique = 4,   /* get one instance of CA certs */
    • PK11CertListUserUnique = 5, /* get one instance of user certs */
    • PK11CertListAll = 6         /* get all instances of all certs */
  8. secmodt.h defines new macro CKA_FLAGS_ONLY (0).
  9. The following new functions are added to the smime3 shared library
    • SEC_PKCS7DecoderAbort: #include "secpkcs7.h";
    • SEC_PKCS7EncoderAbort: #include "secpkcs7.h";
  10. ssl.h defines a new macro  SSL_NO_STEP_DOWN (15).
  11. secasn1t.h defines a new macro SEC_ASN1D_MAX_DEPTH (32).
  12. seccomon.h defines new constants for the SECItemType enumeration
    • siUTCTime = 11
    • siGeneralizedTime = 12
  13. secerr.h defines a new error code SEC_ERROR_OCSP_INVALID_SIGNING_CERT (-8048).
  14. secoidt.h defines the following constants for the SECOidTag enumeration
    • SEC_OID_AVA_SURNAME              = 261
    • SEC_OID_AVA_SERIAL_NUMBER        = 262
    • SEC_OID_AVA_STREET_ADDRESS       = 263
    • SEC_OID_AVA_TITLE                = 264
    • SEC_OID_AVA_POSTAL_ADDRESS       = 265
    • SEC_OID_AVA_POSTAL_CODE          = 266
    • SEC_OID_AVA_POST_OFFICE_BOX      = 267
    • SEC_OID_AVA_GIVEN_NAME           = 268
    • SEC_OID_AVA_INITIALS             = 269
    • SEC_OID_AVA_PSEUDONYM            = 272
  15. secport.h defines a new macro PORT_Strpbrk.

Platform Information

NSS is maintained on the platforms listed in the table. "Build" means the NSS team has built NSS on a machine with the specified OS. "Certified" means the NSS team has run QA tests for NSS on a machine with the specified OS.

Platform Build Certify Compiler(s)
HP-UX 11.0 (32 bit) 11.0 C compiler: A.11.01.20
11.0 (64 bit) 11.0 C compiler A.11.01.20
Linux 2.4 Red Hat 7.1 Red Hat 7.1 gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81)
NT Win2000 w/ SP 2 Win2000 w/ SP 2 
VC++ 6.0 Service Pack 4
Windows Win2000 w/ SP 2 Win2000 w/ SP 2 

Win95 OSR2 * 
Win98 SE * 
Win Me *

VC++ 6.0 Service Pack 4
Solaris SPARC 8 (32 bit) 8 (32 bit)
8 (64 bit)
Forte 6 update 2
8 (64 bit) 8
Forte 6 update 2
Mac OS X 10.2 10.2 Apple Computer, Inc. GCC version 1175, based on gcc version 3.1 20020420 (prerelease)

* Full QA certification will not be done on these platforms. We will only verify that PSM built with NSS 3.9 works on these platforms.

** Optional.

NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to

Note about Windows NT builds: The build listed in the left column above as the "Windows NT" build runs on Windows NT (including Windows 2000) only and hence can potentially take advantage of some Win32 functions that are only implemented on Windows NT, such as fibers and I/O completion ports. The build listed above as the "Windows" build runs on all Windows flavors -- 95, 98, Me, NT, and 2000.

Only NSPR makes use of this Windows NT vs. Windows distinction and provides different Windows NT and Windows builds. Many Netscape products, including NSS, have Windows NT and Windows builds that are essentially the same except one difference: one is linked with the Windows NT version of NSPR and the other is linked with the Windows version of NSPR.

Known Bugs and Issues

1. NSS 3.9 uses mozilla/dbm, which is based on Berkeley DB 1.85. Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL.

In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing the clause. (The announcement is available at The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement means that the advertising clause has been deleted from Berkeley DB 1.85.

2. For a list of reported bugs that have not been fixed in NSS 3.9, click here. (Note that not all of these bugs have been confirmed. Even some bugs in the "new" state are unconfirmed.)


NSS 3.9 shared libraries are backward compatible with NSS 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 3.7.x, and 3.8.x shared libraries. A program linked with NSS 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 3.7.x, or 3.8.x shared libraries will work with NSS 3.9 shared libraries without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS 3.4 Public Functions will remain compatible with future versions of the NSS shared libraries.


Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).

You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server