The NSS team has released Network Security Services (NSS) 3.39, which is a minor release.
Notable bug fixes: * Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) New functionality: * The tstclnt and selfserv utilities added support for configuring the enabled TLS signature schemes using the -J parameter. * NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by default but can be enabled using SSL_SignatureSchemePrefSet(). * certutil added the ability to delete an orphan private key from an NSS key database. * Added the nss-policy-check utility, which can be used to check an NSS policy configuration for problems. * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. Notable changes: * The TLS 1.3 implementation uses the final version number from RFC 8446. * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure was missing the NULL parameter. Starting with version 3.39, NSS requires the encoding to contain the NULL parameter. * The tstclnt and selfserv test utilities no longer accept the -z parameter, as support for TLS compression was removed in a previous NSS version. * The CA certificates list was updated to version 2.26. * The following CA certificates were Added: - OU = GlobalSign Root CA - R6 - CN = OISTE WISeKey Global Root GC CA The following CA certificate was Removed: - CN = ComSign The following CA certificates had the Websites trust bit disabled: - CN = Certplus Root CA G1 - CN = Certplus Root CA G2 - CN = OpenTrust Root CA G1 - CN = OpenTrust Root CA G2 - CN = OpenTrust Root CA G3 Please refer to the release notes for the complete list of changes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes The HG tag is NSS_3_39_RTM. NSS 3.39 requires NSPR 4.20 or newer. NSS 3.39 source distributions are available for secure download: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_39_RTM/src/ A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&product=NSS&target_milestone=3.39 -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto