NSS 3.1.1 Release Notes
5 December 2000
- CVS Information
- Bugs Fixed
- Changes Since NSS 3.1
Known Bugs and Issues
Introduction Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. These libraries provide the security foundation for a variety of server products from iPlanet E-Commerce Solutions, including iPlanet Certificate Management System, iPlanet Web Server, iPlanet Directory Server, and iPlanet Messaging Server. NSS 3.1 provided, for the first time, a complete open-source implementation of the crypto libraries used to implement security features in these products, including a new implementation of the RSA algorithm. NSS 3.1.1 fixes several bugs in NSS 3.1, including a bug related to prime number generation that affects RSA key pair generation and other important operations. For more information on bugs fixed in NSS 3.1.1, see Bugs Fixed.
For more information on the effects of the RSA algorithm going into the public domain, see the Mozilla Crypto FAQ. For the NSS 3.1 release notes (including information on bugs fixed in NSS 3.1)see NSS 3.1 Release Notes.
The NSS libraries also underlie Personal Security Manager (PSM), which performs cryptographic operations on behalf of Netscape Communicator, Netscape 6, and other client applications.
If you are developing applications that support SSL, S/MIME, or other Internet security standards, you can now use NSS libraries to implement comparable security features in your own applications. NSS 3.1.1 also includes a framework to which developers and OEMs can contribute patches, such as assembler code, to optimize performance on their platforms.
NSS 3.1.1 is dual-licensed under the MPL and the GPL.
CVS InformationThe CVS tag for the NSS 3.1.1 release is NSS_3_1_1_RTM.
Bugs FixedThe most important bug fixed in this release is #59438, sometimes referred to as the "prime number generation bug." This bug in the freebl library of NSS 3.1 affects the following algorithms on all platforms:
- Diffie-Hellman and DSA parameter generation: The parameter may not be a prime. Generation of Diffie-Hellman or DSA parameters is typically done only by a Certificate Authority (e.g. in iPlanet Certificate Management System), not in other client or server products.
- RSA key pair generation: The keys may not contain the product of two primes. RSA key pair generation is done by all SSL servers, each time they are started up, to generate a "step down" key for use with export cipher suites. It is also done by all products that generate Certificate Signing Requests.
For a list of all bugs that have been fixed in the NSS 3.1.1 release, click here.
DocumentationFor a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available since the release of NSS 3.1 include the following:
- Build Instructions for NSS have been updated to reflect the new NSS 3.1.1 CVS tag.
- NSS Test Suite describes how to run the standard NSS tests.
- NSS Contributors lists major contributors to the NSS project.
- Encryption Technologies Available in Netscape 6.x, Personal Security Manager, and the iPlanet Servers lists the cryptographic algorithms used by products built on top of NSS.
- NSS 3.1 Loadable Root Certificates. Describes the scheme introduced in NSS 3.1 for loading root CA certificates.
Source may be viewed with a browser (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/
Changes Since NSS 3.1NSS 3.1.1 is a patch release that fixes several bugs in NSS 3.1. It does not introduce any new functions or features.
For a list of changes introduced in NSS 3.1, see NSS 3.1 Release Notes.
Platform InformationNSS is maintained on the platforms listed below. "Certified" means the iPlanet NSS team has built and run QA tests for NSS on a machine with the specified OS.
|AIX||4.3.3 (32 bit)||4.3.3 (32 bit)
4.3.3 (64 bit)
|4.3.3 (64 bit)||4.3.3 (64 bit)||xlC/C++ 3.6.4|
|(cc) Digital C v5.6-071|
|HP-UX||11.0 (32 bit)||11.0 (32 bit)
11.0 (64 bit)
|C compiler: A.11.01.00|
|11.0 (64 bit)||11.0 (64 bit)||C compiler A.11.01.00|
|Linux||RedHat 6.0||RedHat 6.0
|NT||NT 4.0 w/ SP 6a||NT 4.0 w/ SP 6a
|VC++ 6.0 Service Pack 3|
|Windows||NT 4.0 w/ SP 6a||
NT 4.0 w/ SP 6a
|VC++ 6.0 Service Pack 3|
8 (32 bit)
8 (64 bit)
C/C++ version 4.2
|8 (64-bit)||8 (64-bit)||WorkShop Compilers
C/C++ version 5.0
Note to Macintosh Developers: Due to a lack of resources, our team was unable to develop NSS for the Macintosh platform. We are looking for help from any interested parties to modify the Macintosh project file for NSS 3.1.1. For contact information, please see the Feedback section.
NSS has not yet been formally tested or certified on any other platforms. If you have successfully run NSS on other platforms, or if you are interested in taking responsibility for testing and maintaining NSS on a particular platform that's not listed above, post a message to mozilla.dev.tech.crypto
Known Bugs and Issues
- NSS 3.1.1 uses mozilla/dbm, which is based on Berkeley DB 1.85.
Berkeley DB 1.85 is released under the original BSD license, whose "advertising clause" is incompatible with the GNU GPL.
In a letter dated July 22, 1999, UC Berkeley announced that the advertising clause is deleted from all the BSD Unix files (of any version of BSD) containing it. (The announcement is available at ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change.) The final (AT&T proprietary) 4.4BSD release contained version 1.6 of Berkeley DB. The 4.4BSD-Lite2 release contained version 1.74 of Berkeley DB. Since Berkeley DB 1.85 is not technically in any version of BSD (although it is derived from the Berkeley DB files in 4.4BSD and 4.4BSD-Lite2), it is not clear whether the Berkeley announcement deletes the advertising clause from Berkeley DB 1.85.
- For a list of reported bugs that have not been fixed in NSS 3.1.1, click here. (Note that not all of these bugs have been confirmed. Even some bugs in the "new" state are unconfirmed.)
CompatibilityNSS 3.1.1 is backward compatible with NSS 3.1 and NSS 3.0.x.
FeedbackBugs discovered should be reported by filing a bug report with bugzilla (product NSS).
You can also give feedback directly to the developers on the IRC channel #mozcrypto on the server irc.mozilla.org.