Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Thu, 20 Aug 2015 10:54:24 +0000
From: "Ryo ONODERA" <ryoon@netbsd.org>
Subject: CVS commit: pkgsrc/devel/nss
To: pkgsrc-changes@NetBSD.org
Reply-To: ryoon@netbsd.org
Message-Id: <20150820105424.355CB98@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

Module Name:	pkgsrc
Committed By:	ryoon
Date:		Thu Aug 20 10:54:24 UTC 2015

Modified Files:
	pkgsrc/devel/nss: Makefile PLIST distinfo

Log Message:
Update to 3.20

Changelog:
The NSS team has released Network Security Services (NSS) 3.20,
which is a minor release.

New functionality:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.

New Functions:
* SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
  parameters that can be used by NSS for a server socket.
* SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
  parameters that are smaller than the library default's minimum size.

New Types:
* SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
  NSS that can be used with function SSL_DHEGroupPrefSet.

New Macros:
* SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
  DHE ciphersuites for a server socket.

Notable Changes:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.
* For backwards compatibility reasons, the server side implementation
  of the TLS library keeps all DHE ciphersuites disabled by default.
  They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
  and the SSL_OptionSet or the SSL_OptionSetDefault API.
* The server side implementation of the TLS implementation does not
  support session tickets when using a DHE ciphersuite (see bug
  1174677).
* Support for the following ciphersuites has been added:
  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* By default, the server side TLS implementation will use DHE
  parameters with a size of 2048 bits when using DHE ciphersuites.
* NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
  8192 bits, which were copied from version 08 of the Internet-Draft
  "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
  TLS", Appendix A.
* A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
  server application to select one or multiple of the embedded DHE
  parameters as the preferred parameters. The current implementation of
  NSS will always use the first entry in the array that is passed as a
  parameter to the SSL_DHEGroupPrefSet API. In future versions of the
  TLS implementation, a TLS client might signal a preference for
  certain DHE parameters, and the NSS TLS server side implementation
  might select a matching entry from the set of parameters that have
  been configured as preferred on the server side.
* NSS optionally supports the use of weak DHE parameters with DHE
  ciphersuites to support legacy clients. In order to enable this
  support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
  time this API is called for the first time in a process, a fresh set
  of weak DHE parameters will be randomly created, which may take a
  long amount of time. Please refer to the comments in the header file
  that declares the SSL_EnableWeakDHEPrimeGroup API for additional
  details.
* The size of the default PQG parameters used by certutil when
  creating DSA keys has been increased to use 2048 bit parameters.
* The selfserv utility has been enhanced to support the new DHE
  features.
* NSS no longer supports C compilers that predate the ANSI C
  standard (C89).


To generate a diff of this commit:
cvs rdiff -u -r1.99 -r1.100 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/devel/nss/PLIST
cvs rdiff -u -r1.49 -r1.50 pkgsrc/devel/nss/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.