OLD | NEW |
1 Name: Network Security Services (NSS) | 1 Name: Network Security Services (NSS) |
2 URL: http://www.mozilla.org/projects/security/pki/nss/ | 2 URL: http://www.mozilla.org/projects/security/pki/nss/ |
| 3 Version: 3.13.3 |
| 4 Security Critical: Yes |
3 | 5 |
4 This directory includes a copy of NSS's libssl from the CVS repo at: | 6 This directory includes a copy of NSS's libssl from the CVS repo at: |
5 :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot | 7 :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot |
6 | 8 |
7 The snapshot was updated to the CVS tag: NSS_3_12_9_RTM | 9 The snapshot was updated to the CVS tag: NSS_3_13_3_RTM |
8 | 10 |
9 Patches: | 11 Patches: |
10 | 12 |
11 * Next protocol negotiation support. | |
12 patches/nextproto.patch | |
13 http://codereview.chromium.org/415005 | |
14 | |
15 * Commenting out a couple of functions because they need NSS symbols | 13 * Commenting out a couple of functions because they need NSS symbols |
16 which may not exist in the system NSS library. | 14 which may not exist in the system NSS library. |
17 patches/versionskew.patch | 15 patches/versionskew.patch |
18 | 16 |
19 * Send empty renegotiation info extension instead of SCSV unless TLS is | 17 * Send empty renegotiation info extension instead of SCSV unless TLS is |
20 disabled. | 18 disabled. |
21 patches/renegoscsv.patch | 19 patches/renegoscsv.patch |
22 https://bugzilla.mozilla.org/show_bug.cgi?id=549042 | 20 https://bugzilla.mozilla.org/show_bug.cgi?id=549042 |
23 | 21 |
24 * Cache the peer's intermediate CA certificates in session ID, so that | 22 * Cache the peer's intermediate CA certificates in session ID, so that |
25 they're available when we resume a session. Add certificates to | 23 they're available when we resume a session. |
26 ss->ssl3.peerCertChain in the right order. | |
27 patches/cachecerts.patch | 24 patches/cachecerts.patch |
28 https://bugzilla.mozilla.org/show_bug.cgi?id=606049 | 25 https://bugzilla.mozilla.org/show_bug.cgi?id=731478 |
29 | 26 |
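Review bot: The cachecerts.patch entry (new lines 22-25) swaps the bug link from id=606049 to id=731478 and drops the sentence "Add certificates to ss->ssl3.peerCertChain in the right order." without saying what happened to that ordering fix. Please state whether the chain-ordering behaviour is now provided by the NSS_3_13_3_RTM snapshot or is still carried by patches/cachecerts.patch, and keep the old bug reference if the new bug does not supersede it.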
30 * Add the SSL_PeerCertificateChain function | 27 * Add the SSL_PeerCertificateChain function |
31 patches/peercertchain.patch | 28 patches/peercertchain.patch |
| 29 https://bugzilla.mozilla.org/show_bug.cgi?id=731485 |
32 | 30 |
33 * Add OCSP stapling support | 31 * Add OCSP stapling support |
34 patches/ocspstapling.patch | 32 patches/ocspstapling.patch |
35 | 33 |
36 * Add support for client auth with native crypto APIs on Mac and Windows | 34 * Add support for client auth with native crypto APIs on Mac and Windows |
37 patches/clientauth.patch | 35 patches/clientauth.patch |
38 ssl/sslplatf.c | 36 ssl/sslplatf.c |
39 | 37 |
40 * Don't send a client certificate when renegotiating if the peer does not | |
41 request one. This only happened if the previous key exchange algorithm | |
42 was non-RSA. | |
43 patches/clientauth.patch | |
44 https://bugzilla.mozilla.org/show_bug.cgi?id=616757 | |
45 | |
46 * Add support for TLS cached info extension. | |
47 patches/cachedinfo.patch | |
48 https://bugzilla.mozilla.org/show_bug.cgi?id=665739 | |
49 | |
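Review bot: The removed entry at old lines 40-44 ("Don't send a client certificate when renegotiating if the peer does not request one") cited patches/clientauth.patch, and that same patch file is still listed at new line 35, so a reader cannot tell whether the renegotiation fix is still in the patch. Either note that the fix is now in the updated snapshot and has been taken out of clientauth.patch, or keep a line under the remaining clientauth.patch entry that records it.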
50 * Add a function to export whether the last handshake on a socket resumed a | 38 * Add a function to export whether the last handshake on a socket resumed a |
51 previous session. | 39 previous session. |
52 patches/didhandshakeresume.patch | 40 patches/didhandshakeresume.patch |
53 | 41 https://bugzilla.mozilla.org/show_bug.cgi?id=731798 |
54 * Start each set of CBC encrypted application data records, resulting from | |
55 a single call to ssl3_SendApplicationData, with a one-byte application | |
56 data record in order to randomize the IV in a backward compatible manner. | |
57 https://bugzilla.mozilla.org/show_bug.cgi?id=665814 | |
58 patches/cbcrandomiv.patch | |
59 | 42 |
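Review bot: The cbcrandomiv.patch entry (old lines 54-58) is deleted with no record of where the one-byte leading record that randomizes the CBC IV now comes from. Since the file is now marked "Security Critical: Yes", please confirm in the commit description or in this README that the NSS_3_13_3_RTM snapshot provides the same behaviour for ssl3_SendApplicationData, and do the same for the other dropped entries (nextproto, cachedinfo, handshakeshortwrite) so the list explains why each local patch is no longer needed.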
60 * Support origin bound certificates. | 43 * Support origin bound certificates. |
61 http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt | 44 http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt |
62 patches/origin_bound_certs.patch | 45 patches/origin_bound_certs.patch |
63 | 46 |
64 * Add a function to implement RFC 5705: Keying Material Exporters for TLS | 47 * Add a function to implement RFC 5705: Keying Material Exporters for TLS |
65 This is a reworked version of the patch from | 48 This is a reworked version of the patch from |
66 https://bugzilla.mozilla.org/show_bug.cgi?id=507359 | 49 https://bugzilla.mozilla.org/show_bug.cgi?id=507359 |
67 patches/secret_exporter.patch | 50 patches/secret_exporter.patch |
68 | 51 |
69 * Send saved write data in the SSL socket in SSL_ForceHandshake. | |
70 patches/handshakeshortwrite.patch | |
71 https://bugzilla.mozilla.org/show_bug.cgi?id=676729 | |
72 | |
73 * Add a function to restart a handshake after a client certificate request. | 52 * Add a function to restart a handshake after a client certificate request. |
74 patches/restartclientauth.patch | 53 patches/restartclientauth.patch |
75 | 54 |
76 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake | 55 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake |
77 is finished. | 56 is finished. |
78 https://bugzilla.mozilla.org/show_bug.cgi?id=681839 | 57 https://bugzilla.mozilla.org/show_bug.cgi?id=681839 |
79 patches/negotiatedextension.patch | 58 patches/negotiatedextension.patch |
80 | 59 |
81 * Support the encrypted client certificates extension. | 60 * Support the encrypted client certificates extension. |
82 https://bugzilla.mozilla.org/show_bug.cgi?id=691991 | 61 https://bugzilla.mozilla.org/show_bug.cgi?id=691991 |
83 patches/encryptedclientcerts.patch | 62 patches/encryptedclientcerts.patch |
84 | 63 |
85 * Add function to retrieve TLS client cert types requested by server. | 64 * Add function to retrieve TLS client cert types requested by server. |
86 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 | 65 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 |
87 patches/getrequestedclientcerttypes.patch | 66 patches/getrequestedclientcerttypes.patch |
88 | 67 |
89 * Fixed a clang warning in sslcon.c. | 68 * Fixed a clang warning in sslcon.c. |
90 https://bugzilla.mozilla.org/show_bug.cgi?id=728919 | 69 https://bugzilla.mozilla.org/show_bug.cgi?id=728919 |
91 patches/clang-sslcon.patch | 70 patches/clang-sslcon.patch |
92 | 71 |
93 Apply the patches to NSS by running the patches/applypatches.sh script. Read | 72 Apply the patches to NSS by running the patches/applypatches.sh script. Read |
94 the comments at the top of patches/applypatches.sh for instructions. | 73 the comments at the top of patches/applypatches.sh for instructions. |
95 | 74 |
96 The ssl/bodge directory contains files taken from the NSS repo that we required | 75 The ssl/bodge directory contains files taken from the NSS repo that we required |
97 for building libssl outside of its usual build environment. | 76 for building libssl outside of its usual build environment. |