The NSS team has released Network Security Services (NSS) 3.18, which is a minor release.
New functionality: * When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. * The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt without providing a database (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may either be the nssckbi library provided by NSS (-b) or another compatible library (-R). New Functions: * SEC_CheckCrlTimes * SEC_GetCrlTimes * SEC_PKCS12DecoderRenameCertNicknames New Types * SEC_PKCS12NicknameRenameCallback Notable Changes: * The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2. * The default key size used by certutil when creating an RSA key pair has been increased from 1024 bits to 2048 bits. * On Mac OS X, by default the softokn shared library will link with the sqlite library installed by the operating system, if it is version 3.5 or newer. * The following CA certificates had the Websites and Code Signing trust bits turned off: - Equifax Secure Certificate Authority - Equifax Secure Global eBusiness CA-1 - TC TrustCenter Class 3 CA II * The following CA certificates were Added: - Staat der Nederlanden Root CA - G3 - Staat der Nederlanden EV Root CA - IdenTrust Commercial Root CA 1 - IdenTrust Public Sector Root CA 1 - S-TRUST Universal Root CA - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - CFCA EV ROOT * The version number of the updated root CA list has been set to 2.3 The full release notes, including further details and the SHA1 fingerprints of the changed CA certificates, are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes The HG tag is NSS_3_18_RTM. NSS 3.18 requires NSPR 4.10.8 or newer. NSS 3.18 source distributions are also available on ftp.mozilla.org for secure HTTPS download: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_18_RTM/src/ A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.18&product=NSS -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
