OLD | NEW |
1 Name: Network Security Services (NSS) | 1 Name: Network Security Services (NSS) |
2 URL: http://www.mozilla.org/projects/security/pki/nss/ | 2 URL: http://www.mozilla.org/projects/security/pki/nss/ |
3 Version: 3.21 RTM | 3 Version: 3.23 RTM |
4 Security Critical: Yes | 4 Security Critical: Yes |
5 License: MPL 2 | 5 License: MPL 2 |
6 License File: NOT_SHIPPED | 6 License File: NOT_SHIPPED |
7 | 7 |
8 This directory includes a copy of NSS's libssl from the hg repo at: | 8 This directory includes a copy of NSS's libssl from the hg repo at: |
9 https://hg.mozilla.org/projects/nss | 9 https://hg.mozilla.org/projects/nss |
10 | 10 |
11 The same module appears in crypto/third_party/nss (and third_party/nss on some | 11 The same module appears in crypto/third_party/nss (and third_party/nss on some |
12 platforms), so we don't repeat the license file here. | 12 platforms), so we don't repeat the license file here. |
13 | 13 |
14 The snapshot was updated to the hg tag: NSS_3_21_RTM | 14 The snapshot was updated to the hg tag: NSS_3_23_RTM |
15 | 15 |
16 Patches: | 16 Patches: |
17 | 17 |
18 * Cache the peer's intermediate CA certificates in session ID, so that | 18 * Cache the peer's intermediate CA certificates in session ID, so that |
19 they're available when we resume a session. | 19 they're available when we resume a session. |
20 patches/cachecerts.patch | 20 patches/cachecerts.patch |
21 https://bugzilla.mozilla.org/show_bug.cgi?id=731478 | 21 https://bugzilla.mozilla.org/show_bug.cgi?id=731478 |
22 | 22 |
23 * Add support for client auth with native crypto APIs on Mac and Windows. | |
24 patches/clientauth.patch | |
25 ssl/sslplatf.c | |
26 | |
27 * Add a function to export whether the last handshake on a socket resumed a | 23 * Add a function to export whether the last handshake on a socket resumed a |
28 previous session. | 24 previous session. |
29 patches/didhandshakeresume.patch | 25 patches/didhandshakeresume.patch |
30 https://bugzilla.mozilla.org/show_bug.cgi?id=731798 | 26 https://bugzilla.mozilla.org/show_bug.cgi?id=731798 |
31 | 27 |
32 * Add function to retrieve TLS client cert types requested by server. | 28 * Add function to retrieve TLS client cert types requested by server. |
33 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 | 29 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 |
34 patches/getrequestedclientcerttypes.patch | 30 patches/getrequestedclientcerttypes.patch |
35 | 31 |
36 * Add a function to restart a handshake after a client certificate request. | 32 * Add a function to restart a handshake after a client certificate request. |
37 patches/restartclientauth.patch | 33 patches/restartclientauth.patch |
38 | 34 |
39 * Add support for TLS Channel IDs | 35 * Add support for TLS Channel IDs |
40 patches/channelid.patch | 36 patches/channelid.patch |
41 | 37 |
42 * Add support for extracting the tls-unique channel binding value | 38 * Add support for extracting the tls-unique channel binding value |
43 patches/tlsunique.patch | 39 patches/tlsunique.patch |
44 https://bugzilla.mozilla.org/show_bug.cgi?id=563276 | 40 https://bugzilla.mozilla.org/show_bug.cgi?id=563276 |
45 | 41 |
46 * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock. | 42 * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock. |
47 This change was made in https://chromiumcodereview.appspot.com/10454066. | 43 This change was made in https://chromiumcodereview.appspot.com/10454066. |
48 patches/secretexporterlocks.patch | 44 patches/secretexporterlocks.patch |
49 | 45 |
50 * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS | |
51 versions older than 3.15 report an EC key size range of 112 bits to 571 | |
52 bits, even when it is compiled to support only the NIST P-256, P-384, and | |
53 P-521 curves. Remove this patch when all system NSS softoken packages are | |
54 NSS 3.15 or later. | |
55 patches/suitebonly.patch | |
56 | |
57 * Define the SECItemArray type and declare the SECItemArray handling | |
58 functions, which were added in NSS 3.15. Remove this patch when all system | |
59 NSS packages are NSS 3.15 or later. | |
60 patches/secitemarray.patch | |
61 | |
62 * Update Chromium-specific code for TLS 1.2. | |
63 patches/tls12chromium.patch | |
64 | |
65 * Add Chromium-specific code to detect AES GCM support in the system NSS | |
66 libraries at run time. Remove this patch when all system NSS packages are | |
67 NSS 3.15 or later. | |
68 patches/aesgcmchromium.patch | |
69 | |
70 * Support ChaCha20+Poly1305 ciphersuites | |
71 http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01 | |
72 patches/chacha20poly1305.patch | |
73 | |
74 * Fix session cache lock creation race. | 46 * Fix session cache lock creation race. |
75 patches/cachelocks.patch | 47 patches/cachelocks.patch |
76 https://bugzilla.mozilla.org/show_bug.cgi?id=764646 | 48 https://bugzilla.mozilla.org/show_bug.cgi?id=764646 |
77 | 49 |
78 * Support the Certificate Transparency (RFC 6962) TLS extension | |
79 signed_certificate_timestamp (client only). | |
80 patches/signedcertificatetimestamps.patch | |
81 https://bugzilla.mozilla.org/show_bug.cgi?id=944175 | |
82 | |
83 * Add a function to allow the cipher suites preference order to be set. | 50 * Add a function to allow the cipher suites preference order to be set. |
84 patches/cipherorder.patch | 51 patches/cipherorder.patch |
85 | 52 |
86 * Add explicit functions for managing the SSL/TLS session cache. | 53 * Add explicit functions for managing the SSL/TLS session cache. |
87 This is a temporary workaround until Chromium migrates to NSS's | 54 This is a temporary workaround until Chromium migrates to NSS's |
88 asynchronous certificate verification. | 55 asynchronous certificate verification. |
89 patches/sessioncache.patch | 56 patches/sessioncache.patch |
90 | 57 |
91 * Use NSSRWLock instead of PRRWLock in sslSessionID. This avoids the bugs | |
92 in the lock rank checking code in PRRWLock. | |
93 patches/nssrwlock.patch | |
94 https://bugzilla.mozilla.org/show_bug.cgi?id=957812 | |
95 | |
96 * Add a comment explaining why signature_algorithms extension should be at | 58 * Add a comment explaining why signature_algorithms extension should be at |
97 the end of the extension list. This works around a bug in WebSphere | 59 the end of the extension list. This works around a bug in WebSphere |
98 Application Server 7.0, which is intolerant to the final extension having | 60 Application Server 7.0, which is intolerant to the final extension having |
99 zero length. This also ensures that the padding extension has non-zero | 61 zero length. This also ensures that the padding extension has non-zero |
100 length. | 62 length. |
101 patches/reorderextensions.patch | 63 patches/reorderextensions.patch |
102 | 64 |
| 65 * Fix an unused method when disabling PKCS#11 bypass mode |
| 66 patches/nobypass.patch |
| 67 |
103 Apply the patches to NSS by running the patches/applypatches.sh script. Read | 68 Apply the patches to NSS by running the patches/applypatches.sh script. Read |
104 the comments at the top of patches/applypatches.sh for instructions. | 69 the comments at the top of patches/applypatches.sh for instructions. |
105 | 70 |
106 The ssl/bodge directory contains files taken from the NSS repo that we required | |
107 for building libssl outside of its usual build environment. | |
OLD | NEW |