NSS 3.1 Release Notes
17 October 2000
Important Bug Fix Information: NSS 3.1.1 fixes several bugs in the freebl library of NSS 3.1, including one that affects RSA key pair generation and other important operations. If you are using NSS with the freebl library, use NSS 3.1.1 rather than NSS 3.1. For details, see NSS 3.1.1 Release Notes.
- Bugs Fixed
- Changes Since NSS 3.0
- Known Bugs and Issues
- Bugs Fixed
Introduction Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. These libraries provide the security foundation for a variety of server products from iPlanet E-Commerce Solutions, including iPlanet Certificate Management System, iPlanet Web Server, iPlanet Directory Server, and iPlanet Messaging Server. NSS 3.1 provides, for the first time, a complete open-source implementation of the crypto libraries used to implement security features in these products, including a new implementation of the RSA algorithm. (For more information on the effects of the RSA algorithm going into the public domain, see the Mozilla Crypto FAQ. For schedule and other details of the plan for NSS 3.1, see NSS 3.1 Plan.)
The NSS libraries also underlie Personal Security Manager (PSM), which performs cryptographic operations on behalf of Netscape Communicator, Netscape 6, and other client applications.
If you are developing applications that support SSL, S/MIME, or other Internet security standards, you can now use NSS libraries to implement comparable security features in your own applications. NSS 3.1 also includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms.
NSS 3.1 is dual-licensed under the MPL and the GPL.
CVS Information The CVS tag for the NSS 3.1 release is NSS_3_1_RTM.
Important: If you are using the freebl library to build NSS, use NSS 3.1.1 rather than NSS 3.1. For details, see NSS 3.1.1 Release Notes.
Bugs Fixed For a list of the bugs that were fixed in the NSS 3.1 release, click here.
Documentation For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available with this release include the following:
- Build Instructions for NSS have been updated for use either with or without the BSAFE library.
- NSS Test Suite describes how to run the standard NSS tests.
- NSS Contributors lists major contributors to the NSS project.
- Encryption Technologies Available in Netscape 6.x, Personal Security Manager, and the iPlanet Servers lists the cryptographic algorithms used by products built on top of NSS.
- NSS 3.1 Loadable Root Certificates. Describes the new NS 3.1 scheme for loading root CA certificates.
Source may be viewed with a browser (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/
Changes Since NSS 3.0 New functions and features include the following:
- This release requires NSPR 4.0 and supports both NSPR 4.0 and 4.1 (because NSPR 4.1 is backward compatible with NSPR 4.0). To use NSS 3.1 under GPL, you must use NSPR 4.1, because that is the first version of NSPR covered by the dual license.
- DES is implemented in this release.
- The BigNum package used in this release is based on MPI: Arbitrary Precision Integer Arithmetic.
- This release includes unencumbered crypto code on top of the BigNum package, including RSA public key, RSA private Key, Diffie-Hellman, Fortezza KEA, DSA sign, DSA verify, key generation, param generation and verification, and other algorithms.
- This release includes a new implementation of a pseudo-random number generator that we believe to be FIPS-compliant.
- This release includes an Arcfour implementation.
- Root CAs
- Root CAs load as a separate module. Each vendor has a separate directory. To view the plugin in LXR, see http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/.
- Individual applications, rather than NSS, determine which root CAs are included.
- The S/MIME Toolkit can be used with this release.
- This release enforces RNG seeding and provides a new initialization function. NSS 3.1 enforces a requirement it has always had--that the RNG be properly seeded before it is used. Application programs that call NSS_Init to initialize NSS already meet this requirement. If you wish to run NSS without setting up configuration files (that is, without using storage for the certificate and key database files), you must call the new initialization function NSS_NoDB_Init, which also seeds the RNG properly.
- There is a new NSS initialization function NSS_InitReadWrite. NSS_InitReadWrite behaves similarly to NSS_Init, with the difference being that NSS_InitReadWrite opens a database and allows for read/write privileges.
- The key and certificate database name callback functions that are passed as arguments to SECKEY_OpenKeyDB or CERT_OpenCertDB must return their result in memory allocated by an NSPR memory allocation function such as PR_Malloc.
- This release supports IPv6 (PR_AF_INET6) sockets.
We have also received patches for FreeBSD, NetBSD, and OS/2 ports in the past month. The OS/2 ports are from IBM.
Platform Information NSS is maintained on the platforms listed below. "Certified" means the iPlanet NSS team has built and run QA tests for NSS on a machine with the specified OS.
|AIX||4.3.3 (32 bit)||4.3.3 (32 bit)
4.3.3 (64 bit)
|4.3.3 (64 bit)||4.3.3 (64 bit)||xlC/C++ 3.6.4|
|(cc) Digital C v5.6-071|
|HP-UX||11.0 (32 bit)||11.0 (32 bit)
11.0 (64 bit)
|C compiler: A.11.01.00|
|11.0 (64 bit)||11.0 (64 bit)||C compiler A.11.01.00|
|Linux||RedHat 6.0||RedHat 6.0
|NT||NT 4.0 w/ SP 6a||NT 4.0 w/ SP 6a
|VC++ 6.0 Service Pack 3|
|Windows||NT 4.0 w/ SP 6a||
NT 4.0 w/ SP 6a
|VC++ 6.0 Service Pack 3|
8 (32 bit)
8 (64 bit)
C/C++ version 4.2
|8 (64-bit)||8 (64-bit)||WorkShop Compilers
C/C++ version 5.0
Note to Macintosh Developers: Due to a lack of resources, our team was unable to develop NSS for the Macintosh platform. We are looking for help from any interested parties to modify the Macintosh project file for NSS 3.1. For contact information, please see the Feedback section.
NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto
Known Bugs and IssuesBug #59438 in the freebl library of NSS 3.1, sometimes referred to as the "prime number generation bug," affects the following algorithms on all platforms:
- Diffie-Hellman and DSA parameter generation: The parameter may not be a prime. Generation of Diffie-Hellman or DSA parameters is typically done only by a Certification Authority (e.g. in CMS), not in other client or server products.
- RSA key pair generation: The keys may not contain the product of two primes. RSA key pair generation is done by all SSL servers, each time they are started up, to generate a "step down" key for use with export cipher suites. It is also done by all products that generate Certificate Signing Requests.
NSS 3.1 uses mozilla/dbm, which is based on Berkeley DB 1.85. Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL. In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing it. (The announcement is available at ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change.) The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement deletes the advertising clause from Berkeley DB 1.85.
For a list of known bugs that have not been fixed in NSS 3.1, please click here.
Compatibility NSS 3.1 is backward compatible with NSS 3.0.x.
Feedback Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).
You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server irc.mozilla.org.