/external/chromium_org/net/third_party/nss

Name              Date          Size
LICENSE           20-Jun-2014   1.7K
patches/          20-Jun-2014
README.chromium   20-Jun-2014   6.9K
ssl/              20-Jun-2014
ssl.gyp           20-Jun-2014   5.2K

README.chromium

Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.1
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED

This directory includes a copy of NSS's libssl from the hg repo at:
  https://hg.mozilla.org/projects/nss

The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.

The snapshot was updated to the hg tag: NSS_3_15_1_RTM

Patches:

  * Commenting out a couple of functions because they need NSS symbols
    which may not exist in the system NSS library.
    patches/versionskew.patch

  * Send empty renegotiation info extension instead of SCSV unless TLS is
    disabled.
    patches/renegoscsv.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=549042

  * Cache the peer's intermediate CA certificates in session ID, so that
    they're available when we resume a session.
    patches/cachecerts.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731478

  * Add the SSL_PeerCertificateChain function
    patches/peercertchain.patch
    patches/peercertchain2.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731485

  * Add support for client auth with native crypto APIs on Mac and Windows
    patches/clientauth.patch
    ssl/sslplatf.c

  * Add a function to export whether the last handshake on a socket resumed a
    previous session.
    patches/didhandshakeresume.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731798

  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake
    is finished.
    https://bugzilla.mozilla.org/show_bug.cgi?id=681839
    patches/negotiatedextension.patch

  * Add function to retrieve TLS client cert types requested by server.
    https://bugzilla.mozilla.org/show_bug.cgi?id=51413
    patches/getrequestedclientcerttypes.patch

  * Add a function to restart a handshake after a client certificate request.
    patches/restartclientauth.patch

  * Add support for TLS Channel IDs
    patches/channelid.patch
    patches/channelid2.patch

  * Add support for extracting the tls-unique channel binding value
    patches/tlsunique.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=563276

  * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro
    definition was moved from the internal header ec.h to blapit.h. When
    compiling against older system NSS headers, we need to define the macro.
    patches/ecpointform.patch

  * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
    This change was made in https://chromiumcodereview.appspot.com/10454066.
    patches/secretexporterlocks.patch

  * Allow the constant-time CBC processing code to be compiled against older
    NSS that doesn't contain the CBC constant-time changes.
    patches/cbc.patch
    https://code.google.com/p/chromium/issues/detail?id=172658#c12
    TODO(wtc): remove this patch now that NSS 3.14.3 is the minimum
    compile-time and run-time version.

  * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
    versions older than 3.15 report an EC key size range of 112 bits to 571
    bits, even when it is compiled to support only the NIST P-256, P-384, and
    P-521 curves. Remove this patch when all system NSS softoken packages are
    NSS 3.15 or later.
    patches/suitebonly.patch

  * Define the SECItemArray type and declare the SECItemArray handling
    functions, which were added in NSS 3.15. Remove this patch when all system
    NSS packages are NSS 3.15 or later.
    patches/secitemarray.patch

  * Update Chromium-specific code for TLS 1.2.
    patches/tls12chromium.patch

  * Add the Application Layer Protocol Negotiation extension.
    patches/alpn.patch

  * Fix an issue with allocating an SSL socket when under memory pressure.
    https://bugzilla.mozilla.org/show_bug.cgi?id=903565
    patches/sslsock_903565.patch

  * Implement the AES GCM cipher suites.
    https://bugzilla.mozilla.org/show_bug.cgi?id=880543
    patches/aesgcm.patch

  * Add Chromium-specific code to detect AES GCM support in the system NSS
    libraries at run time.
    patches/aesgcmchromium.patch

  * Support generating SHA-1 signatures for TLS 1.2 client authentication. Use
    SHA-1 instead of SHA-256 if the server's preferences do not allow for
    SHA-256 or if the client private key may only support SHA-1 signatures. The
    latter happens when the key is in a CAPI service provider on Windows or if
    it is a 1024-bit RSA or DSA key.
    patches/tls12backuphash.patch
    patches/tls12backuphash2.patch

  * Support ChaCha20+Poly1305 ciphersuites
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
    patches/chacha20poly1305.patch

  * Fix session cache lock creation race.
    patches/cachelocks.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=764646

  * Don't advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello.
    https://bugzilla.mozilla.org/show_bug.cgi?id=919677
    patches/ciphersuiteversion.patch

  * Don't use record versions greater than 0x0301 in resumption ClientHello
    records either.
    https://bugzilla.mozilla.org/show_bug.cgi?id=923696
    https://code.google.com/p/chromium/issues/detail?id=303398
    patches/resumeclienthelloversion.patch

  * Make SSL False Start work with asynchronous certificate validation.
    https://bugzilla.mozilla.org/show_bug.cgi?id=713933
    patches/canfalsestart.patch

  * Have the Null Cipher limit output to the maximum allowed
    https://bugzilla.mozilla.org/show_bug.cgi?id=934016
    patches/nullcipher_934016.patch

  * In the case that a ClientHello record is between 256 and 511 bytes long,
    add an extension to make it 512 bytes. This works around a bug in F5
    terminators.
    patches/paddingextension.patch
    patches/paddingextensionall.patch

  * Support the Certificate Transparency (RFC 6962) TLS extension
    signed_certificate_timestamp (client only).
    patches/signedcertificatetimestamps.patch

  * Add a function to allow the cipher suites preference order to be set.
    patches/cipherorder.patch

  * Add TLS_FALLBACK_SCSV cipher suite to version fallback connections.
    patches/fallbackscsv.patch

  * Disable session ticket renewal.
    https://bugzilla.mozilla.org/show_bug.cgi?id=930857
    patches/disableticketrenewal.patch

  * Add explicit functions for managing the SSL/TLS session cache.
    This is a temporary workaround until Chromium migrates to NSS's
    asynchronous certificate verification.
    patches/sessioncache.patch

  * Remove static storage qualifier from variables in sslnonce.c. Due to
    a clang codegen bug on Mac, this caused an infinite loop.
    https://code.google.com/p/chromium/issues/detail?id=326011
    patches/sslnoncestatics.patch

Apply the patches to NSS by running the patches/applypatches.sh script.  Read
the comments at the top of patches/applypatches.sh for instructions.

The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
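
The ClientHello padding rule from the patches/paddingextension.patch entry above, written out as an added C example (not code from the patch or from NSS), including the edge case where fewer than four bytes are missing and the extension header alone overshoots 512. Assumptions: the measured length is the handshake message including its 4-byte header, the extension type is 21 as assigned by RFC 7685, the hello already carries an extensions block whose length fields the caller updates, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HANDSHAKE_HEADER_LEN 4  /* message type (1) + 24-bit length (3) */
#define EXT_HEADER_LEN 4        /* extension type (2) + extension length (2) */
#define PADDING_EXT_TYPE 21     /* assumption: value assigned by RFC 7685 */

/* Total size of the padding extension (header included) needed for a
 * ClientHello body of client_hello_len bytes, or 0 if none is needed. */
size_t padding_extension_len(size_t client_hello_len)
{
    size_t msg_len = HANDSHAKE_HEADER_LEN + client_hello_len;
    if (msg_len < 256 || msg_len >= 512)
        return 0;                     /* outside the problematic range */
    size_t ext_len = 512 - msg_len;
    if (ext_len < EXT_HEADER_LEN)     /* 509..511: header alone is 4 bytes, */
        ext_len = EXT_HEADER_LEN;     /* so the result lands just past 512  */
    return ext_len;
}

/* Writes the extension bytes into out (capacity cap). Returns the number
 * of bytes written, or 0 if no padding is needed or out is too small. */
size_t write_padding_extension(size_t client_hello_len,
                               unsigned char *out, size_t cap)
{
    size_t total = padding_extension_len(client_hello_len);
    if (total == 0 || total > cap)
        return 0;
    size_t body = total - EXT_HEADER_LEN;
    out[0] = (PADDING_EXT_TYPE >> 8) & 0xff;
    out[1] = PADDING_EXT_TYPE & 0xff;
    out[2] = (unsigned char)(body >> 8);
    out[3] = (unsigned char)(body & 0xff);
    memset(out + EXT_HEADER_LEN, 0, body);  /* padding bytes are all zero */
    return total;
}

int main(void)
{
    /* Constructed sample body lengths around both boundaries. */
    size_t samples[] = { 100, 251, 252, 300, 506, 507, 508 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("body %zu -> padding extension %zu bytes\n",
               samples[i], padding_extension_len(samples[i]));
    return 0;
}
```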