Home | History | Annotate | Download | only in nss
      1 Name: Network Security Services (NSS)
      2 URL: http://www.mozilla.org/projects/security/pki/nss/
      3 Version: 3.15.5 Beta 2
      4 Security Critical: Yes
      5 License: MPL 2
      6 License File: NOT_SHIPPED
      7 
      8 This directory includes a copy of NSS's libssl from the hg repo at:
      9   https://hg.mozilla.org/projects/nss
     10 
     11 The same module appears in crypto/third_party/nss (and third_party/nss on some
     12 platforms), so we don't repeat the license file here.
     13 
     14 The snapshot was updated to the hg tag: NSS_3_15_5_BETA2
     15 
     16 Patches:
     17 
     18   * Cache the peer's intermediate CA certificates in session ID, so that
     19     they're available when we resume a session.
     20     patches/cachecerts.patch
     21     https://bugzilla.mozilla.org/show_bug.cgi?id=731478
     22 
     23   * Add support for client auth with native crypto APIs on Mac and Windows.
     24     patches/clientauth.patch
     25     ssl/sslplatf.c
     26 
     27   * Add a function to export whether the last handshake on a socket resumed a
     28     previous session.
     29     patches/didhandshakeresume.patch
     30     https://bugzilla.mozilla.org/show_bug.cgi?id=731798
     31 
     32   * Add function to retrieve TLS client cert types requested by server.
     33     https://bugzilla.mozilla.org/show_bug.cgi?id=51413
     34     patches/getrequestedclientcerttypes.patch
     35 
     36   * Add a function to restart a handshake after a client certificate request.
     37     patches/restartclientauth.patch
     38 
     39   * Add support for TLS Channel IDs
     40     patches/channelid.patch
     41 
     42   * Add support for extracting the tls-unique channel binding value
     43     patches/tlsunique.patch
     44     https://bugzilla.mozilla.org/show_bug.cgi?id=563276
     45 
     46   * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
     47     This change was made in https://chromiumcodereview.appspot.com/10454066.
     48     patches/secretexporterlocks.patch
     49 
     50   * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
     51     versions older than 3.15 report an EC key size range of 112 bits to 571
     52     bits, even when it is compiled to support only the NIST P-256, P-384, and
     53     P-521 curves. Remove this patch when all system NSS softoken packages are
     54     NSS 3.15 or later.
     55     patches/suitebonly.patch
     56 
     57   * Define the SECItemArray type and declare the SECItemArray handling
     58     functions, which were added in NSS 3.15. Remove this patch when all system
     59     NSS packages are NSS 3.15 or later.
     60     patches/secitemarray.patch
     61 
     62   * Update Chromium-specific code for TLS 1.2.
     63     patches/tls12chromium.patch
     64 
     65   * Add Chromium-specific code to detect AES GCM support in the system NSS
     66     libraries at run time. Remove this patch when all system NSS packages are
     67     NSS 3.15 or later.
     68     patches/aesgcmchromium.patch
     69 
     70   * Support ChaCha20+Poly1305 ciphersuites
     71     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
     72     patches/chacha20poly1305.patch
     73 
     74   * Fix session cache lock creation race.
     75     patches/cachelocks.patch
     76     https://bugzilla.mozilla.org/show_bug.cgi?id=764646
     77 
     78   * Support the Certificate Transparency (RFC 6962) TLS extension
     79     signed_certificate_timestamp (client only).
     80     patches/signedcertificatetimestamps.patch
     81     https://bugzilla.mozilla.org/show_bug.cgi?id=944175
     82 
     83   * Add a function to allow the cipher suites preference order to be set.
     84     patches/cipherorder.patch
     85 
     86   * Add TLS_FALLBACK_SCSV cipher suite to version fallback connections.
     87     patches/fallbackscsv.patch
     88 
     89   * Add explicit functions for managing the SSL/TLS session cache.
     90     This is a temporary workaround until Chromium migrates to NSS's
     91     asynchronous certificate verification.
     92     patches/sessioncache.patch
     93 
     94   * Use NSSRWLock instead of PRRWLock in sslSessionID. This avoids the bugs
     95     in the lock rank checking code in PRRWLock.
     96     patches/nssrwlock.patch
     97     https://bugzilla.mozilla.org/show_bug.cgi?id=957812
     98 
     99   * Use the IANA-assigned value for the TLS padding extension.
    100     patches/paddingextvalue.patch
    101     https://bugzilla.mozilla.org/show_bug.cgi?id=994883
    102 
    103   * Move the signature_algorithms extension to the end of the extension list.
    104     This works around a bug in WebSphere Application Server 7.0 which is
    105     intolerant to the final extension having zero length.
    106     patches/reorderextensions.patch
    107 
    108   * Ignore out-of-order DTLS ChangeCipherSpec.
    109     patches/ignorechangecipherspec.patch
    110     https://bugzilla.mozilla.org/show_bug.cgi?id=1009227
    111 
    112 Apply the patches to NSS by running the patches/applypatches.sh script.  Read
    113 the comments at the top of patches/applypatches.sh for instructions.
    114 
    115 The ssl/bodge directory contains files taken from the NSS repo that we required
    116 for building libssl outside of its usual build environment.
    117