Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8148501

Upgrade NSS library used in tests to the latest version




      See jdk/test/sun/security/pkcs11/nss, currently we are using version 3.16 which is quite old. There are following notable changes in releases after this. These will be useful to cover addition test scenarios: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

      Notable changes in 3.18
      - The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2.

      Notable Changes in NSS 3.19
      - The SSL 3 protocol has been disabled by default.
      - NSS now more strictly validates TLS extensions and will fail a handshake that contains malformed extensions (bug 753136).
      - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be compatible with TLS servers that use certificates with a SHA512 signature (bug 1155922).

      Notable Changes in NSS 3.20
      - The TLS library has been extended to support DHE ciphersuites in server applications.

      Notable Changes in NSS 3.21
      - NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)

      Notable Changes in NSS 3.22
      - NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

      Notable Changes in NSS 3.23
      - The copy of SQLite shipped with NSS has been updated to version 3.10.2 (bug 1234698)
      - The list of TLS extensions sent in the TLS handshake has been reordered to increase compatibility of the Extended Master Secret with servers (bug 1243641)
      - The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
      - The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to prevent compilation of the ChaCha20/Poly1305 code.

      Notable Changes in NSS 3.24
      - Deprecate the following functions. (Applications should instead use the new SSL_ConfigServerCert function.)
      - Deprecate the NSS_FindCertKEAType function, as it reports a misleading value for certificates that might be used for signing rather than key exchange.
      - Update SSLAuthType to define a larger number of authentication key types.
      - Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo. Instead, applications should use the newly added attribute authType.
      - Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
      - Add a shared library (libfreeblpriv3) on Linux platforms that define FREEBL_LOWHASH.
      - Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible client hello. However, the server-side implementation of the SSL/TLS protocol still supports - processing of received v2-compatible client hello messages.
      - Disable (by default) NSS support in optimized builds for logging SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment variable is set. To enable the functionality in optimized builds, you must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
      - Update NSS to protect it against the Cachebleed attack.
      - Disable support for DTLS compression.
      - Improve support for TLS 1.3. This includes support for DTLS 1.3. Note that TLS 1.3 support is experimental and not suitable for production use.

      Notable Changes in NSS 3.25
      - An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3

      Notable Changes in NSS 3.26
      - NPN is disabled and ALPN is enabled by default

      Notable Changes in NSS 3.27
      - UPDATE 2016-10-02:
          The maximum TLS version supported has been increased to TLS 1.3 (draft).
          Although the maximum TLS version enabled by default is still TLS 1.2, there are applications that query the list of TLS protocol versions supported by NSS, and enable all supported versions. For those applications, updating to NSS 3.27 may result in TLS 1.3 (draft) to be enabled.
          The TLS 1.3 (draft) protocol can be disabled, by defining symbol NSS_DISABLE_TLS_1_3 when building NSS.
      - NPN can not be enabled anymore.
      - Hard limits on the maximum number of TLS records encrypted with the same key are enforced.
      - Disabled renegotiation in DTLS.


          Issue Links



              jjiang John Jiang
              rhalade Rajan Halade
              0 Vote for this issue
              5 Start watching this issue