Overview
Request 417034 accepted
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
- update to NSS 3.24
New functionality:
* NSS softoken has been updated with the latest National Institute
of Standards and Technology (NIST) guidance (as of 2015):
- Software integrity checks and POST functions are executed on
shared library load. These checks have been disabled by default,
as they can cause a performance regression. To enable these
checks, you must define symbol NSS_FORCE_FIPS when building NSS.
- Counter mode and Galois/Counter Mode (GCM) have checks to
prevent counter overflow.
- Additional CSPs are zeroed in the code.
- NSS softoken uses new guidance for how many Rabin-Miller tests
are needed to verify a prime based on prime size.
* NSS softoken has also been updated to allow NSS to run in FIPS
Level 1 (no password). This mode is triggered by setting the
database password to the empty string. In FIPS mode, you may move
from Level 1 to Level 2 (by setting an appropriate password),
but not the reverse.
* A SSL_ConfigServerCert function has been added for configuring
SSL/TLS server sockets with a certificate and private key. Use
this new function in place of SSL_ConfigSecureServer,
SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
determines the certificate type from the certificate and private key.
The caller is no longer required to use SSLKEAType explicitly to
select a "slot" into which the certificate is configured (which
incorrectly identifies a key agreement type rather than a certificate).
Separate functions for configuring Online Certificate Status Protocol
- Created by wrosenauer
- In state accepted
Request History
wrosenauer created request
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
- update to NSS 3.24
New functionality:
* NSS softoken has been updated with the latest National Institute
of Standards and Technology (NIST) guidance (as of 2015):
- Software integrity checks and POST functions are executed on
shared library load. These checks have been disabled by default,
as they can cause a performance regression. To enable these
checks, you must define symbol NSS_FORCE_FIPS when building NSS.
- Counter mode and Galois/Counter Mode (GCM) have checks to
prevent counter overflow.
- Additional CSPs are zeroed in the code.
- NSS softoken uses new guidance for how many Rabin-Miller tests
are needed to verify a prime based on prime size.
* NSS softoken has also been updated to allow NSS to run in FIPS
Level 1 (no password). This mode is triggered by setting the
database password to the empty string. In FIPS mode, you may move
from Level 1 to Level 2 (by setting an appropriate password),
but not the reverse.
* A SSL_ConfigServerCert function has been added for configuring
SSL/TLS server sockets with a certificate and private key. Use
this new function in place of SSL_ConfigSecureServer,
SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
determines the certificate type from the certificate and private key.
The caller is no longer required to use SSLKEAType explicitly to
select a "slot" into which the certificate is configured (which
incorrectly identifies a key agreement type rather than a certificate).
Separate functions for configuring Online Certificate Status Protocol
lnussel_factory added as a reviewer
Being evaluated by staging project "openSUSE:Leap:42.2:Staging:C"
lnussel_factory accepted review
Picked openSUSE:Leap:42.2:Staging:C
leaper accepted review
override
lnussel_factory accepted review
ready to accept
lnussel_factory approved review
ready to accept
lnussel_factory accepted request
Accept to openSUSE:Leap:42.2
