Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.5 Beta 2
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED

This directory includes a copy of NSS's libssl from the hg repo at:
  https://hg.mozilla.org/projects/nss

The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.

The snapshot was updated to the hg tag: NSS_3_15_5_BETA2

Patches:

  * Cache the peer's intermediate CA certificates in session ID, so that
    they're available when we resume a session.
    patches/cachecerts.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731478

  * Add support for client auth with native crypto APIs on Mac and Windows.
    patches/clientauth.patch
    ssl/sslplatf.c

  * Add a function to export whether the last handshake on a socket resumed a
    previous session.
    patches/didhandshakeresume.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731798

  * Add function to retrieve TLS client cert types requested by server.
    https://bugzilla.mozilla.org/show_bug.cgi?id=51413
    patches/getrequestedclientcerttypes.patch

  * Add a function to restart a handshake after a client certificate request.
    patches/restartclientauth.patch

  * Add support for TLS Channel IDs
    patches/channelid.patch

  * Add support for extracting the tls-unique channel binding value
    patches/tlsunique.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=563276

  * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
    This change was made in https://chromiumcodereview.appspot.com/10454066.
    patches/secretexporterlocks.patch

  * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
    versions older than 3.15 report an EC key size range of 112 bits to 571
    bits, even when it is compiled to support only the NIST P-256, P-384, and
    P-521 curves. Remove this patch when all system NSS softoken packages are
    NSS 3.15 or later.
    patches/suitebonly.patch

  * Define the SECItemArray type and declare the SECItemArray handling
    functions, which were added in NSS 3.15. Remove this patch when all system
    NSS packages are NSS 3.15 or later.
    patches/secitemarray.patch

  * Update Chromium-specific code for TLS 1.2.
    patches/tls12chromium.patch

  * Add Chromium-specific code to detect AES GCM support in the system NSS
    libraries at run time. Remove this patch when all system NSS packages are
    NSS 3.15 or later.
    patches/aesgcmchromium.patch

  * Support ChaCha20+Poly1305 ciphersuites
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
    patches/chacha20poly1305.patch

  * Fix session cache lock creation race.
    patches/cachelocks.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=764646

  * Support the Certificate Transparency (RFC 6962) TLS extension
    signed_certificate_timestamp (client only).
    patches/signedcertificatetimestamps.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=944175

  * Add a function to allow the cipher suites preference order to be set.
    patches/cipherorder.patch

  * Add TLS_FALLBACK_SCSV cipher suite to version fallback connections.
    patches/fallbackscsv.patch

  * Add explicit functions for managing the SSL/TLS session cache.
    This is a temporary workaround until Chromium migrates to NSS's
    asynchronous certificate verification.
    patches/sessioncache.patch

  * Use NSSRWLock instead of PRRWLock in sslSessionID. This avoids the bugs
    in the lock rank checking code in PRRWLock.
    patches/nssrwlock.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=957812

  * Use the IANA-assigned value for the TLS padding extension.
    patches/paddingextvalue.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=994883

  * Move the signature_algorithms extension to the end of the extension list.
    This works around a bug in WebSphere Application Server 7.0 which is
    intolerant to the final extension having zero length.
    patches/reorderextensions.patch

  * Ignore out-of-order DTLS ChangeCipherSpec.
    patches/ignorechangecipherspec.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=1009227

Apply the patches to NSS by running the patches/applypatches.sh script.  Read
the comments at the top of patches/applypatches.sh for instructions.

The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
