8.126. nss and nspr

Bug Fixes

BZ#702083

The PEM module imposed restrictions on client applications to use unique base file names upon which certificates were derived. Consequently, client applications certifications and keys with the same base name but different file paths failed to load because they were incorrectly deemed to be duplicates. The comparison algorithm has been modified and the PEM module now correctly determines uniqueness regardless of how users name their files.

BZ#882408

Due to differences in the upstream version of the nss package, an attempt to enable the unsupported SSL PKCS#11 bypass feature failed with a fatal error message. This behavior could break the semantics of certain calls, thus breaking the Application Binary Interface (ABI) compatibility. With this update, the nss package has been modified to preserve the upstream behavior. As a result, an attempt to enable SSL PKCS#11 bypass no longer fails.

BZ#903017

Previously, there was a race condition in the certification code related to smart cards. Consequently, when Common Access Card (CAC) or Personal Identity Verification (PIV) smart cards certificates were viewed in the Firefox certificate manager, the Firefox web browser became unresponsive. The underlying source code has been modified to fix the race condition and Firefox no longer hangs in the described scenario.

BZ#905013

Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the described scenario.

BZ#918136

With the 3.14 upstream version of the nss package, support for certificate signatures using the MD5 hash algorithm in digital signatures has been disabled by default. However, certain websites still use MD5-based signatures and therefore an attempt to access such a website failed with an error. With this update, MD5 hash algorithm in digital signatures is supported again so that users can connect to the websites using this algorithm as expected.

BZ#976572

With this update, fixes to the implementation of Galois/Counter Mode (GCM) have been backported to the nss package since the upstream version 3.14.1. As a result, users can use GCM without any problems already documented and fixed in the upstream version.

BZ#977341

Previously, the output of the certutil -H command, which is a list of options and arguments used by the certutil utility, did not describe the -F option. This information has been added and the option is now properly described in the output of certutil -H.

BZ#988083

Previously, the pkcs11n.h header was missing certain constants to support the Transport Layer Security (TLS) 1.2 protocol. The constants have been added to the nss-util package and NSS now supports TLS 1.2 as expected.

BZ#990631

Previously, Network Security Service (NSS) reverted the permission rights for the pkcs11.txt file so that only the owner of the file could read it and write to it. This behavior overwrote other permissions specified by the user. Consequently, users were prevented from adding security modules to their own configuration using the system-wide security databases. This update provides a patch to fix this bug. As a result, NSS preserves the existing permissions for pkcs11.txt and users are now able to modify the NSS security module database.

BZ#1008534

Due to a bug in Network Security Services (NSS), the installation of the IPA (Identity, Policy, Audit) server terminated unexpectedly and an error was returned. This bug has been fixed with this update and installation of the IPA server now proceeds as expected.

BZ#1010224

The NSS softoken cryptographic module did not ensure whether the freebl library had been properly initialized before running its self test. Consequently, certain clients, such as the Lightweight Directory Access Protocol (LDAP) client, could initialize and finalize NSS. In such a case, freebl was cleaned up and unloaded. When the library was loaded again, an attempt to run the test terminated unexpectedly causing client failures such as Transport Layer Security (TLS) connection errors. This bug has been fixed and softoken now correctly initializes freebl before running self tests. As a result, the failures no longer occur in the described scenario.

Enhancements

BZ#960193, BZ#960208

Network Security Services's (NSS) own internal cryptographic module in Red Hat Enterprise Linux 6.5 now supports the NIST Suite B set of recommended algorithms for Elliptic curve cryptography (ECC).