Network Security Services (NSS)
Primary Newsgroup: mozilla.dev.tech.crypto
Alternate Newsgroup: mozilla.dev.tech.crypto
Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server applications.
Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7,
PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
standards. For detailed information on standards supported, see Overview of NSS.
NSS is available under the Mozilla Public License, the GNU General Public
License, and the GNU Lesser General Public License. For information on
downloading NSS releases as tar files, see
Download PKI Source.
To participate in ongoing technical discussions related to NSS, tune
in to the IRC channel #mozcrypto on the server irc.mozilla.org.
Project Information
S/MIME Toolkit Module
SSL/TLS Module
Documentation
Mozilla CVS Information
Project Information
NSS 3.10 has been released.
We are working on NSS 3.11.
19 May 2005: NSS 3.10 Release
NSS 3.10 was completed on 27 April 2005. The CVS tag is NSS_3_10_RTM. It is
the first release in which the DBM library (mozilla/dbm and
mozilla/security/dbm) became part of the NSS source tree. NSS 3.10 may be
used with NSPR 4.5.1 (CVS tag NSPR_4_5_1_RTM) or later. We will post the
release notes here soon.
19 May 2005: NSS 3.9.5 Release
NSS 3.9.5 is the latest patch release for NSS 3.9. The CVS tag is
NSS_3_9_5_RTM.
8 January 2004: NSS 3.9 Release
The new features and enhancements in NSS 3.9 include GeneralizedTime
support, RFC 3280 compliant name constraints, and the ability to list
duplicate certificate instances in multiple tokens. NSS 3.9 passes
all the NISCC SSL/TLS and S/MIME tests (1.6 million test cases of
invalid input data) without crashes or memory leaks. We recommend that
all NSS customers upgrade to NSS 3.9 in the next release of your product.
For details, see NSS 3.9 Release Notes.
20 June 2003: NSS 3.7.7 Release
NSS 3.7.7 is a patch release for NSS 3.7. For the list of the bugs that
have been fixed in NSS 3.7.7, see
NSS 3.7.7 Release Notes.
21 May 2003: NSS 3.7.5 Release
NSS 3.7.5 is a patch release for NSS 3.7. For the list of the bugs that
have been fixed in NSS 3.7.5, see
NSS 3.7.5 Release Notes.
10 April 2003: NSS 3.8 Release
The new features and enhancements in NSS 3.8 include the SHA-256, SHA-384,
and SHA-512 algorithms, enhanced smartcard support, and the elliptic curve
cryptography code (not compiled by default) contributed by Sun Labs. For
details, see
NSS 3.8 Release Notes.
20 March 2003: NSS 3.7.3 Release
NSS 3.7.3 is a patch release for NSS 3.7. For the list of the bugs that
have been fixed in NSS 3.7.3, see
NSS 3.7.3 Release Notes.
10 March 2003: NSS 3.7.2 Release
NSS 3.7.2 is a patch release for NSS 3.7. For the list of the bugs that
have been fixed in NSS 3.7.2, see
NSS 3.7.2 Release Notes.
4 March 2003: NSS 3.4.3 Release
NSS 3.4.3 is a patch release for NSS 3.4. For the list of the bugs that
have been fixed in NSS 3.4.3, see
NSS 3.4.3 Release Notes.
27 February 2003: Security Vulnerability: Vaudenay Timing Attack on CBC mode block ciphers
A timing-based attack on SSL/TLS implementations of CBC mode block
cipher suites was recently disclosed. At present the implementation of SSL
and TLS in NSS is susceptible to this attack. The flaw is exploited against
the recipient of sensitive data, which is normally a server. Servers are
vulnerable to the attack only if they implement all of the following:
- TLS (supported by NSS 2.8 and later);
- cipher suites that use block ciphers;
- application protocols that are likely to receive sensitive data (for
example, passwords) at exactly the same offset in many messages from
a client.
We have implemented a countermeasure and will release NSS patch releases
soon. Until updated NSS libraries are available, we recommend the following
action:
- Netscape/Mozilla browser users do not need to take any action. They
could choose to disable TLS or disable CBC mode block cipher suites
as a precaution against vulnerable servers.
- Administrators of servers that are based on NSS 2.8 or later and that
enable TLS need to take action. They could disable TLS or disable CBC
mode block cipher suites.
For more information, please see our
article on this security flaw.
29 January 2003: NSS 3.7.1 Release
NSS 3.7.1 is a patch release for NSS 3.7. For the list of the bugs that
have been fixed in NSS 3.7.1, see
NSS 3.7.1 Release Notes.
20 December 2002: NSS 3.7 Release
The new features and enhancements in NSS 3.7 include a new version of the
NSS certificate database that supports large CRLs and multiple email
addresses for the subject of a certificate. For details, see
NSS 3.7 Release Notes.
4 December 2002: NSS 3.6.1 Release
NSS 3.6.1 is a patch release for NSS 3.6. For the list of the bugs that
have been fixed in NSS 3.6.1, see
NSS 3.6.1 Release Notes.
18 October 2002: NSS 3.6 Release
The new features and enhancements in NSS 3.6 include new certificate handling
and SSL functions, better certificate path construction, significantly
improved CRL performance and memory usage, better SSL client authentication
performance, and PKCS #11 session logging. For details, see
NSS 3.6 Release Notes.
July 2002: NSS 3.5 Release
NSS 3.5 is an interim release created for Mozilla 1.0.1 and Netscape 7.
We recommend that other NSS clients upgrade to NSS 3.6.
10 June 2002: NSS 3.4.2 Release
NSS 3.4.2 is a patch release for NSS 3.4. For the list of the bugs that
have been fixed in NSS 3.4.2, see
NSS 3.4.2 Release Notes.
6 May 2002: NSS 3.4.1 Release
NSS 3.4.1 is a patch release for NSS 3.4. For the list of the bugs that
have been fixed in NSS 3.4.1, see
NSS 3.4.1 Release Notes.
6 May 2002: NSS 3.4 Release
NSS 3.4 contains a partial implementation of the core NSS 4.0 (code name Stan)
functions and supports the new TLS AES ciphersuites. For details, see
NSS 3.4 Release Notes.
12 December 2001: NSS 3.3.2 Release
NSS 3.3.2 is a patch release for NSS 3.3. For the list of the bugs
that have been fixed in NSS 3.3.2, see NSS
3.3.2 Release Notes.
9 November 2001: NSS 3.3.1 Release
NSS 3.3.1 is a patch release for NSS 3.3. For the list of the bugs
that have been fixed in NSS 3.3.1, see NSS
3.3.1 Release Notes.
26 July 2001: NSS 3.3 Release
NSS 3.3 enables JSS (3.1 or newer) to use NSS shared libraries and implements
five new DHE cipher suites for SSL/TLS on the client side. For details,
see NSS 3.3 Release Notes.
Source code for a Java interface to NSS is available in the Mozilla
CVS tree. For details, see Network Security Services
for Java.
NSS 3.3 source is available via CVS and may
be viewed in HTML (via the LXR tool) at http://lxr.mozilla.org/mozilla/source/security/nss/.
6 April 2001: NSS 3.2.1 Release
NSS 3.2.1 provides improved SSL performance and fixes bugs in pk12util
and some certificate query operations. For details, see NSS
3.2.1 Release Notes.
NSS 3.2.1 also facilitates simplified build instructions. For details,
see Build Instructions for NSS 3.2.1 Release.
For background information on the build system and proposals for future
changes, see The NSS Build System: History
and Future Directions.
2 March 2001: NSS 3.2 Release
NSS 3.2 provided support for shared libraries for the first time. For details,
see NSS 3.2 Release Notes.
Applications that use only the NSS 3.2
Public Functions exported by the NSS 3.2 DLLs are guaranteed to work
with future versions of the shared libraries.
S/MIME Toolkit Module
See S/MIME Toolkit for information about NSS libraries
designed to support cross-platform development of S/MIME applications.
Originally created to support S/MIME in Communicator 4.x and Personal Security
Manager (PSM), these libraries form the basis of a new S/MIME Toolkit for
cross-platform development of S/MIME applications.
SSL/TLS Module
See SSL/TLS for information about NSS libraries designed
to support cross-platform development of SSL- and TLS-enabled applications.
These libraries form the basis of the SSL module.
Documentation
Background information:
History:
NSS APIs:
- Introduction to Network Security Services. Provides
an overview of the NSS 3.2 libraries and what you need to know to use them.
- NSS 3.4 Public Functions. Summarizes the APIs exported by the NSS 3.4
shared libraries. These APIs are guaranteed to work with future versions of
NSS shared libraries.
- SSL Reference. API used to invoke SSL operations.
- NSS API Guidelines. Explains how the
libraries and code are organized, and gives guidelines for developing code
(naming conventions, error handling, thread safety, etc.).
- NSS Technical Notes. Links to NSS technical notes,
which provide the latest information about new NSS features and supplementary
documentation for advanced topics in programming with NSS.
Tools, testing, and other technical details:
PKCS #11 information for implementors of cryptographic modules:
CA certificates pre-loaded into NSS
NSS is built on top of Netscape Portable Runtime (NSPR); developers using
NSS must call some NSPR functions. For information on NSPR, see the following:
Mozilla CVS Information
The CVS tags for various NSS releases can be found in the
NSS release notes.
NSS source code is in the mozilla/security/coreconf/ and
mozilla/security/nss/ directories.