You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



NSS 3.1 Release Notes

17 October 2000

Newsgroup: mozilla.dev.tech.crypto
Engineering lead: Bob Relyea
Product manager: Roland Jones
Engineering manager: Wan-Teh Chang

Important Bug Fix Information: NSS 3.1.1 fixes several bugs in the freebl library of NSS 3.1, including one that affects RSA key pair generation and other important operations. If you are using NSS with the freebl library, use NSS 3.1.1 rather than NSS 3.1. For details, see NSS 3.1.1 Release Notes.


Contents


Introduction

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. These libraries provide the security foundation for a variety of server products from iPlanet E-Commerce Solutions, including iPlanet Certificate Management System, iPlanet Web Server, iPlanet Directory Server, and iPlanet Messaging Server. NSS 3.1 provides, for the first time, a complete open-source implementation of the crypto libraries used to implement security features in these products, including a new implementation of the RSA algorithm. (For more information on the effects of the RSA algorithm going into the public domain, see the Mozilla Crypto FAQ. For schedule and other details of the plan for NSS 3.1, see NSS 3.1 Plan.)

The NSS libraries also underlie Personal Security Manager (PSM), which performs cryptographic operations on behalf of Netscape Communicator, Netscape 6, and other client applications.

If you are developing applications that support SSL, S/MIME, or other Internet security standards, you can now use NSS libraries to implement comparable security features in your own applications. NSS 3.1 also includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms.

NSS 3.1 is dual-licensed under the MPL and the GPL.


CVS Information

The CVS tag for the NSS 3.1 release is NSS_3_1_RTM.

Important: If you are using the freebl library to build NSS, use NSS 3.1.1 rather than NSS 3.1. For details, see NSS 3.1.1 Release Notes.


Bugs Fixed

For a list of the bugs that were fixed in the NSS 3.1 release, click here.


Documentation

For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available with this release include the following:

Source may be viewed with a browser (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/


Changes Since NSS 3.0

New functions and features include the following:
  • This release requires NSPR 4.0 and supports both NSPR 4.0 and 4.1 (because NSPR 4.1 is backward compatible with NSPR 4.0). To use NSS 3.1 under GPL, you must use NSPR 4.1, because that is the first version of NSPR covered by the dual license.
  • DES is implemented in this release.
  • The BigNum package used in this release is based on MPI: Arbitrary Precision Integer Arithmetic.
  • This release includes unencumbered crypto code on top of the BigNum package, including RSA public key, RSA private Key, Diffie-Hellman, Fortezza KEA, DSA sign, DSA verify, key generation, param generation and verification, and other algorithms.
  • This release includes a new implementation of a pseudo-random number generator that we believe to be FIPS-compliant.
  • This release includes an Arcfour implementation.
  • Root CAs
  • The S/MIME Toolkit can be used with this release.
  • This release enforces RNG seeding and provides a new initialization function. NSS 3.1 enforces a requirement it has always had--that the RNG be properly seeded before it is used. Application programs that call NSS_Init to initialize NSS already meet this requirement. If you wish to run NSS without setting up configuration files (that is, without using storage for the certificate and key database files), you must call the new initialization function NSS_NoDB_Init, which also seeds the RNG properly.
  • There is a new NSS initialization function NSS_InitReadWrite. NSS_InitReadWrite behaves similarly to NSS_Init, with the difference being that NSS_InitReadWrite opens a database and allows for read/write privileges.
  • The key and certificate database name callback functions that are passed as arguments to SECKEY_OpenKeyDB or CERT_OpenCertDB must return their result in memory allocated by an NSPR memory allocation function such as PR_Malloc.
  • This release supports IPv6 (PR_AF_INET6) sockets.
    We have also received patches for FreeBSD, NetBSD, and OS/2 ports in the past month. The OS/2 ports are from IBM.


Platform Information

NSS is maintained on the platforms listed below. "Certified" means the iPlanet NSS team has built and run QA tests for NSS on a machine with the specified OS.

Platform Build Certify Compiler(s)
AIX 4.3.3 (32 bit) 4.3.3 (32 bit)
4.3.3 (64 bit)
xlC/C++ 3.6.4
4.3.3 (64 bit) 4.3.3 (64 bit) xlC/C++ 3.6.4
Compaq Tru64 4.0D 4.0D 
5.0A
(cc) Digital C v5.6-071
HP-UX 11.0 (32 bit) 11.0 (32 bit)
11.0 (64 bit)
C compiler: A.11.01.00
11.0 (64 bit) 11.0 (64 bit) C compiler A.11.01.00
Linux RedHat 6.0 RedHat 6.0
RedHat 6.1
egcs-1.1.2
NT NT 4.0 w/ SP 6a NT 4.0 w/ SP 6a
Win2000
VC++ 6.0 Service Pack 3
Windows NT 4.0 w/ SP 6a
NT 4.0 w/ SP 6a
Win2000
VC++ 6.0 Service Pack 3
Solaris 2.6 2.6
8 (32 bit)
8 (64 bit)
WorkShop Compilers 
C/C++ version 4.2 
8 (64-bit) 8 (64-bit) WorkShop Compilers 
C/C++ version 5.0

Note to Macintosh Developers: Due to a lack of resources, our team was unable to develop NSS for the Macintosh platform. We are looking for help from any interested parties to modify the Macintosh project file for NSS 3.1. For contact information, please see the Feedback section.

NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto


Known Bugs and Issues

Bug #59438 in the freebl library of NSS 3.1, sometimes referred to as the "prime number generation bug," affects the following algorithms on all platforms:
  • Diffie-Hellman and DSA parameter generation: The parameter may not be a prime. Generation of Diffie-Hellman or DSA parameters is typically done only by a Certification Authority (e.g. in CMS), not in other client or server products.
  • RSA key pair generation: The keys may not contain the product of two primes. RSA key pair generation is done by all SSL servers, each time they are started up, to generate a "step down" key for use with export cipher suites. It is also done by all products that generate Certificate Signing Requests.
The bug described above has been fixed in NSS 3.1.1. Note that this bug does not affect products using NSS 3.1 with RSA BSAFE Crypto-C or Netscape's internal libcrypto library. It also does not affect any present releases of Personal Security Manager from Netscape or iPlanet, since those have all used the libcrypto library. However, it affects other releases of Personal Security Manager that may have used the NSS 3.1 freebl library.

NSS 3.1 uses mozilla/dbm, which is based on Berkeley DB 1.85. Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL. In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing it. (The announcement is available at ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change.) The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement deletes the advertising clause from Berkeley DB 1.85.

For a list of known bugs that have not been fixed in NSS 3.1, please click here.


Compatibility

NSS 3.1 is backward compatible with NSS 3.0.x.


Feedback

Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).

You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server irc.mozilla.org.