Introduction
The NSS team released Network Security Services (NSS) 3.45, a minor release, on 5 July 2019.
The NSS team would like to recognize first-time contributors:
- Bastien Abadie
- Christopher Patton
- Jeremie Courreges-Anglas
- Marcus Burghardt
- Michael Shigorin
- Tomas Mraz
Distribution Information
The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.
NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_45_RTM/src/
Other releases are available in NSS Releases.
New in NSS 3.45
New Functionality
New Functions
- in pk11pub.h:
- PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL.
Notable Changes in NSS 3.45
- Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
- This adds a new experimental function: SSL_DelegateCredential
- Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360.
- Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078.
- Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
- Bug 1551129 - Support static linking on Windows
- Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
- Bug 1546229 - Add IPSEC IKE support to softoken
- Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
- Bug 1543874 - Expose an external clock for SSL
- This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext.
- The experimental function SSL_InitAntiReplay is removed.
- Bug 1546477 - Various changes in response to the ongoing FIPS review
- Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
Certificate Authority Changes
- The following CA certificates were Removed:
- Bug 1552374 - CN = Certinomis - Root CA
- SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
Bugs fixed in NSS 3.45
- Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719)
- Bug 1515342 - More thorough input checking (CVE-2019-11729)
- Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
- Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
- Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
- Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
- Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
- Bug 1550022 - Ensure nssutil3 gets built on Android
- Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure
- Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
- Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
- Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
- Bug 1553443 - Send session ticket only after handshake is marked as finished
- Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
- Bug 1554336 - Optimize away unneeded loop in mpi.c
- Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
- Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
- Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
- Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
- Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
- Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
- Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
This Bugzilla query returns all the bugs fixed in NSS 3.45:
Compatibility
NSS 3.45 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.45 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Feedback
Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).
NSS load p11-kit modules by default
Summary
When an NSS database is created, PKCS#11 modules configured in the system's p11-kit will be automatically registered and visible to NSS applications.
Owner
- Name: Daiki Ueno
- Email: dueno@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 29
- Last updated: 2019-08-29
- Tracker bug: #1592206
- Release Notes tracking: #184
Detailed Description
Fedora provides a mechanism to configure PKCS#11 modules system-wide, allowing the crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner. Until now NSS applications have not benefited from it, because NSS uses a different configuration mechanism which requires users to register PKCS#11 modules in NSS databases. This change makes the manual procedure unnecessary by registering the p11-kit-proxy module (the aggregator of the system PKCS#11 modules) in NSS databases with the default configuration.
See also:
Benefit to Fedora
This change allows NSS applications to use PKCS#11 modules in the same way as other crypto libraries, bringing consistency in PKCS#11 driver registration across the OS. That improves user experience of smartcards and HSMs on Fedora.
Scope
- Proposal owners:
- Enable p11-kit-proxy in the newly created NSS database, through the crypto-policies package.
- Modify the opensc package not to register itself to the NSS database upon installation.
- Other developers:
- Make sure that this change doesn't cause any regression with the existing applications.
- Release engineering: #7548
- List of deliverables: N/A
- Policies and guidelines: PackageMaintainers/PKCS11 needs changes basically to eliminate NSS specific stuff
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Uncommon/undocumented scenarios may be affected, in particular if the user previously used a configuration which conflicts with this change. In addition to that, support for the third party / proprietary PKCS#11 modules is out of scope of this proposal. That is, if the user had previously installed a p11-kit configuration file for such modules, it could stop working. Even then, she can remove the configuration file and manually register the module through the application (e.g., Firefox's preferences).
How To Test
- Install a PKCS#11 module, say softhsm or opensc. These modules should be ready to use after installing the packages with DNF. To use them as HSM you need to initialize a token with softhsm2-util or attach a hardware device supported by OpenSC, such as Nitrokey (see the wiki for details).
- Start Firefox and check if the module is listed in Preferences -> Privacy & Security -> Security Devices...
- Create an NSS database: certutil -d sql:nssdb -N --empty-password
- List modules registered to the NSS database: modutil -dbdir sql:nssdb -list
- Check that the output includes the PKCS#11 module installed in step 1:
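One way to script the last two steps, as an added example that is not part of the original proposal: it parses a `modutil -list` listing and succeeds only if the p11-kit-proxy aggregator is registered and loaded. The listing below is a constructed sample, and the module name `p11-kit-proxy` and library name `p11-kit-proxy.so` in it are assumptions.

```shell
#!/bin/sh
# Added example: parse `modutil -list` output and confirm p11-kit-proxy is loaded.

# Constructed sample of `modutil -dbdir sql:nssdb -list` output (not captured
# from a real system); the module and library names are assumptions.
sample_modutil_output() {
    cat <<'EOF'

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
EOF
}

# Read a module listing on stdin; print "name<TAB>library<TAB>status" per module.
list_pkcs11_modules() {
    awk '
        function emit() {
            if (name != "")
                printf "%s\t%s\t%s\n", name, (lib == "" ? "(built-in)" : lib), status
        }
        /^ *[0-9]+\. /          { emit(); name = $0; sub(/^ *[0-9]+\. /, "", name)
                                  lib = ""; status = "unknown"; next }
        /^[ \t]*library name: / { lib = $0; sub(/^[ \t]*library name: /, "", lib); next }
        /^[ \t]*status: /       { status = $0; sub(/^[ \t]*status: /, "", status); next }
        END                     { emit() }
    '
}

# Succeed only if the module named $1 is present with status "loaded".
module_is_loaded() {
    list_pkcs11_modules |
        awk -F '\t' -v want="$1" '$1 == want && $3 == "loaded" { ok = 1 } END { exit !ok }'
}

# Against a real database: modutil -dbdir sql:nssdb -list | list_pkcs11_modules
sample_modutil_output | list_pkcs11_modules
```

The same listing doubles as an inventory of which PKCS#11 libraries an NSS application will load from that database, which is worth reviewing now that registration happens without a manual step.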
User Experience
The users of NSS applications (e.g. firefox and sssd) would be able to use supported smartcards and HSMs without further configuration.
Dependencies
firefox, and possibly sssd's smartcard support
Contingency Plan
- Contingency mechanism: Revert the change in nss, p11-kit, or crypto-policies
- Contingency deadline: Beta freeze
- Blocks release? No
- Blocks product? No
Documentation
No new documentation needed, but the existing documentation should be modified to remove the special cases of NSS.
Release Notes
It should be sufficient to have a simple sentence mentioning this change and how to opt-out from it.
- Release Notes tracking: #184