You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



NSS 3.1.1 Release Notes

5 December 2000

Newsgroup: mozilla.dev.tech.crypto
Engineering lead: Bob Relyea
Product manager: Roland Jones
Engineering manager: Wan-Teh Chang


Contents


Introduction

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. These libraries provide the security foundation for a variety of server products from iPlanet E-Commerce Solutions, including iPlanet Certificate Management System, iPlanet Web Server, iPlanet Directory Server, and iPlanet Messaging Server. NSS 3.1 provided, for the first time, a complete open-source implementation of the crypto libraries used to implement security features in these products, including a new implementation of the RSA algorithm. NSS 3.1.1 fixes several bugs in NSS 3.1, including a bug related to prime number generation that affects RSA key pair generation and other important operations. For more information on bugs fixed in NSS 3.1.1, see Bugs Fixed.

For more information on the effects of the RSA algorithm going into the public domain, see the Mozilla Crypto FAQ. For the NSS 3.1 release notes (including information on bugs fixed in NSS 3.1)see NSS 3.1 Release Notes.

The NSS libraries also underlie Personal Security Manager (PSM), which performs cryptographic operations on behalf of Netscape Communicator, Netscape 6, and other client applications.

If you are developing applications that support SSL, S/MIME, or other Internet security standards, you can now use NSS libraries to implement comparable security features in your own applications. NSS 3.1.1 also includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms.

NSS 3.1.1 is dual-licensed under the MPL and the GPL.


CVS Information

The CVS tag for the NSS 3.1.1 release is NSS_3_1_1_RTM.


Bugs Fixed

The most important bug fixed in this release is #59438, sometimes referred to as the "prime number generation bug." This bug in the freebl library of NSS 3.1 affects the following algorithms on all platforms:
  • Diffie-Hellman and DSA parameter generation: The parameter may not be a prime. Generation of Diffie-Hellman or DSA parameters is typically done only by a Certificate Authority (e.g. in iPlanet Certificate Management System), not in other client or server products.
  • RSA key pair generation: The keys may not contain the product of two primes. RSA key pair generation is done by all SSL servers, each time they are started up, to generate a "step down" key for use with export cipher suites. It is also done by all products that generate Certificate Signing Requests.
Note that this bug does not affect products using NSS 3.1 with RSA BSAFE Crypto-C or Netscape's internal libcrypto library. It also does not affect any present releases of Personal Security Manager from Netscape or iPlanet, since those have all used the libcrypto library. However, it affects other releases of Personal Security Manager that may have used the NSS 3.1 freebl library.

For a list of all bugs that have been fixed in the NSS 3.1.1 release, click here.


Documentation

For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available since the release of NSS 3.1 include the following:

Source may be viewed with a browser (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/


Changes Since NSS 3.1

NSS 3.1.1 is a patch release that fixes several bugs in NSS 3.1. It does not introduce any new functions or features.

For a list of changes introduced in NSS 3.1, see NSS 3.1 Release Notes.


Platform Information

NSS is maintained on the platforms listed below. "Certified" means the iPlanet NSS team has built and run QA tests for NSS on a machine with the specified OS.

Platform Build Certify Compiler(s)
AIX 4.3.3 (32 bit) 4.3.3 (32 bit)
4.3.3 (64 bit)
xlC/C++ 3.6.4
4.3.3 (64 bit) 4.3.3 (64 bit) xlC/C++ 3.6.4
Compaq Tru64 4.0D 4.0D 
5.0A
(cc) Digital C v5.6-071
HP-UX 11.0 (32 bit) 11.0 (32 bit)
11.0 (64 bit)
C compiler: A.11.01.00
11.0 (64 bit) 11.0 (64 bit) C compiler A.11.01.00
Linux RedHat 6.0 RedHat 6.0
RedHat 6.1
egcs-1.1.2
NT NT 4.0 w/ SP 6a NT 4.0 w/ SP 6a
Win2000
VC++ 6.0 Service Pack 3
Windows NT 4.0 w/ SP 6a
NT 4.0 w/ SP 6a
Win2000
VC++ 6.0 Service Pack 3
Solaris 2.6 2.6
8 (32 bit)
8 (64 bit)
WorkShop Compilers 
C/C++ version 4.2 
8 (64-bit) 8 (64-bit) WorkShop Compilers 
C/C++ version 5.0

Note to Macintosh Developers: Due to a lack of resources, our team was unable to develop NSS for the Macintosh platform. We are looking for help from any interested parties to modify the Macintosh project file for NSS 3.1.1. For contact information, please see the Feedback section.

NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto


Known Bugs and Issues

  • NSS 3.1.1 uses mozilla/dbm, which is based on Berkeley DB 1.85. Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL.

    In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing it. (The announcement is available at ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change.) The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement deletes the advertising clause from Berkeley DB 1.85.

  • For a list of reported bugs that have not been fixed in NSS 3.1.1, click here. (Note that not all of these bugs have been confirmed. Even some bugs in the "new" state are unconfirmed.)


Compatibility

NSS 3.1.1 is backward compatible with NSS 3.1 and NSS 3.0.x.


Feedback

Bugs discovered should be reported by filing a bug report with bugzilla (product NSS).

You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server irc.mozilla.org.