1 Name: Network Security Services (NSS) 2 URL: http://www.mozilla.org/projects/security/pki/nss/ 3 Version: 3.15.1 4 Security Critical: Yes 5 License: MPL 2 6 License File: NOT_SHIPPED 7 8 This directory includes a copy of NSS's libssl from the hg repo at: 9 https://hg.mozilla.org/projects/nss 10 11 The same module appears in crypto/third_party/nss (and third_party/nss on some 12 platforms), so we don't repeat the license file here. 13 14 The snapshot was updated to the hg tag: NSS_3_15_1_RTM 15 16 Patches: 17 18 * Commenting out a couple of functions because they need NSS symbols 19 which may not exist in the system NSS library. 20 patches/versionskew.patch 21 22 * Send empty renegotiation info extension instead of SCSV unless TLS is 23 disabled. 24 patches/renegoscsv.patch 25 https://bugzilla.mozilla.org/show_bug.cgi?id=549042 26 27 * Cache the peer's intermediate CA certificates in session ID, so that 28 they're available when we resume a session. 29 patches/cachecerts.patch 30 https://bugzilla.mozilla.org/show_bug.cgi?id=731478 31 32 * Add the SSL_PeerCertificateChain function 33 patches/peercertchain.patch 34 https://bugzilla.mozilla.org/show_bug.cgi?id=731485 35 36 * Add support for client auth with native crypto APIs on Mac and Windows 37 patches/clientauth.patch 38 ssl/sslplatf.c 39 40 * Add a function to export whether the last handshake on a socket resumed a 41 previous session. 42 patches/didhandshakeresume.patch 43 https://bugzilla.mozilla.org/show_bug.cgi?id=731798 44 45 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake 46 is finished. 47 https://bugzilla.mozilla.org/show_bug.cgi?id=681839 48 patches/negotiatedextension.patch 49 50 * Add function to retrieve TLS client cert types requested by server. 51 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 52 patches/getrequestedclientcerttypes.patch 53 54 * Add a function to restart a handshake after a client certificate request. 55 patches/restartclientauth.patch 56 57 * Add support for TLS Channel IDs 58 patches/channelid.patch 59 60 * Add support for extracting the tls-unique channel binding value 61 patches/tlsunique.patch 62 https://bugzilla.mozilla.org/show_bug.cgi?id=563276 63 64 * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro 65 definition was moved from the internal header ec.h to blapit.h. When 66 compiling against older system NSS headers, we need to define the macro. 67 patches/ecpointform.patch 68 69 * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock. 70 This change was made in https://chromiumcodereview.appspot.com/10454066. 71 patches/secretexporterlocks.patch 72 73 * Allow the constant-time CBC processing code to be compiled against older 74 NSS that doesn't contain the CBC constant-time changes. 75 patches/cbc.patch 76 https://code.google.com/p/chromium/issues/detail?id=172658#c12 77 78 * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS 79 versions older than 3.15 report an EC key size range of 112 bits to 571 80 bits, even when it is compiled to support only the NIST P-256, P-384, and 81 P-521 curves. Remove this patch when all system NSS softoken packages are 82 NSS 3.15 or later. 83 patches/suitebonly.patch 84 85 * Define the SECItemArray type and declare the SECItemArray handling 86 functions, which were added in NSS 3.15. Remove this patch when all system 87 NSS packages are NSS 3.15 or later. 88 patches/secitemarray.patch 89 90 * Update Chromium-specific code for TLS 1.2. 91 patches/tls12chromium.patch 92 93 * Add the Application Layer Protocol Negotiation extension. 94 patches/alpn.patch 95 96 * Fix an issue with allocating an SSL socket when under memory pressure. 97 https://bugzilla.mozilla.org/show_bug.cgi?id=903565 98 patches/sslsock_903565.patch 99 100 * Prefer to generate SHA-1 signatures for TLS 1.2 client authentication if 101 the client private key is in a CAPI service provider on Windows or if the 102 client private key is a 1024-bit RSA or DSA key. 103 patches/tls12backuphash.patch 104 105 Apply the patches to NSS by running the patches/applypatches.sh script. Read 106 the comments at the top of patches/applypatches.sh for instructions. 107 108 The ssl/bodge directory contains files taken from the NSS repo that we required 109 for building libssl outside of its usual build environment. 110