diff options
| author | ryoon <ryoon@pkgsrc.org> | 2017-01-20 15:01:23 +0000 |
|---|---|---|
| committer | ryoon <ryoon@pkgsrc.org> | 2017-01-20 15:01:23 +0000 |
| commit | 93acf257873d19154946a901bc0bb667aa0684ac (patch) | |
| tree | 83fb90af83bfc359725ed0ad8da9b041fda3bd85 /devel | |
| parent | 73685025b10ca02180e2fa2deaecb1dad1f46114 (diff) | |
| download | pkgsrc-93acf257873d19154946a901bc0bb667aa0684ac.tar.gz | |
Update to 3.28.1
* Bump nspr requirement
Changelog:
3.28.1:
The NSS team has released Network Security Services (NSS) 3.28.1,
which is a patch release.
Below is a summary of the changes.
Please refer to the full release notes for additional details,
including the SHA256 fingerprints of the changed CA certificates.
No new functionality is introduced in this release. This is a patch release to
update the list of root CA certificates and address a minor TLS compatibility
issue that some applications experienced with NSS 3.28.
Notable Changes:
* The following CA certificates were Removed
- CN = Buypass Class 2 CA 1
- CN = Root CA Generalitat Valenciana
- OU = RSA Security 2048 V3
* The following CA certificates were Added
- OU = AC RAIZ FNMT-RCM
- CN = Amazon Root CA 1
- CN = Amazon Root CA 2
- CN = Amazon Root CA 3
- CN = Amazon Root CA 4
- CN = LuxTrust Global Root 2
- CN = Symantec Class 1 Public Primary Certification Authority - G4
- CN = Symantec Class 1 Public Primary Certification Authority - G6
- CN = Symantec Class 2 Public Primary Certification Authority - G4
- CN = Symantec Class 2 Public Primary Certification Authority - G6
* The version number of the updated root CA list has been set to 2.11
* A misleading assertion/alert has been removed when NSS tries to flush data
to the peer but the connection was already reset.
3.28:
The NSS team has released Network Security Services (NSS) 3.28,
which is a minor release.
Below is a summary of the changes.
Please refer to the full release notes for additional details:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes
Request to test and prepare for TLS 1.3 (draft):
================================================
To prepare for a change of default build options, which is
planned for
the future NSS 3.29 release, we'd like to encourage all users of NSS
3.28
to override the standard NSS build configuration to enable support for
(draft
) TLS 1.3 by defining NSS_ENABLE_TLS_1_3=1 at build time.
We'd like to ask you to
please give feedback to the NSS developers for any
compatibility issues that you
might encounter in your tests.
For providing feedback, you may send a message to this mailing list, see:
https://lists.mozilla.org/listinfo/dev-tech-crypto
or please report a bug here:
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS
New functionality:
==================
* NSS includes support for TLS 1.3 draft -18. This includes a number
of
improvements to TLS 1.3:
- The signed certificate timestamp, used in
certificate transparency,
is supported in TLS 1.3.
- Key exporters for TLS
1.3 are supported. This includes the early key
exporter, which can be used if
0-RTT is enabled. Note that there is a
difference between TLS 1.3 and key
exporters in older versions of TLS.
TLS 1.3 does not distinguish between an
empty context and no context.
- The TLS 1.3 (draft) protocol can be enabled, by
defining
NSS_ENABLE_TLS_1_3=1 when building NSS.
* NSS includes support for
the X25519 key exchange algorithm, which is
supported and enabled by default in
all versions of TLS.
New Functions:
==============
* SSL_ExportEarlyKeyingMaterial
* SSL_SendAdditionalKeyShares
* SSL_SignatureSchemePrefSet
* SSL_SignatureSchemePrefGet
Notable Changes:
================
* NSS can no longer be compiled with support for additional elliptic curves.
This was previously possible by replacing certain NSS source files.
* NSS will now detect the presence of tokens that support additional
elliptic curves and enable those curves for use in TLS.
Note that this detection has a one-off performance cost, which can be
avoided by using the SSL_NamedGroupConfig function to limit supported
groups to those that NSS provides.
* PKCS#11 bypass for TLS is no longer supported and has been removed.
* Support for "export" grade SSL/TLS cipher suites has been removed.
* NSS now uses the signature schemes definition in TLS 1.3.
This also affects TLS 1.2. NSS will now only generate signatures with the
combinations of hash and signature scheme that are defined in TLS 1.3,
even when negotiating TLS 1.2.
- This means that SHA-256 will only be used with P-256 ECDSA certificates,
SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
compatibility reasons.
- New functions to configure signature schemes are provided:
SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
now deprecated.
- NSS will now no longer assume that default signature schemes are
supported by a peer if there was no commonly supported signature scheme.
* NSS will now check if RSA-PSS signing is supported by the token that holds
the private key prior to using it for TLS.
* The certificate validation code contains checks to no longer trust
certificates that are issued by old WoSign and StartCom CAs after
October 21, 2016. This is equivalent to the behavior that Mozilla will
release with Firefox 51.
Diffstat (limited to 'devel')
| -rw-r--r-- | devel/nss/Makefile | 14 | ||||
| -rw-r--r-- | devel/nss/PLIST | 4 | ||||
| -rw-r--r-- | devel/nss/distinfo | 10 |
3 files changed, 16 insertions, 12 deletions
diff --git a/devel/nss/Makefile b/devel/nss/Makefile index bea679ac40d..e301fbf72a9 100644 --- a/devel/nss/Makefile +++ b/devel/nss/Makefile @@ -1,10 +1,9 @@ -# $NetBSD: Makefile,v 1.126 2016/12/20 23:47:01 ryoon Exp $ +# $NetBSD: Makefile,v 1.127 2017/01/20 15:01:23 ryoon Exp $ DISTNAME= nss-${NSS_RELEASE:S/.0$//} -NSS_RELEASE= 3.27.2 -PKGREVISION= 2 +NSS_RELEASE= 3.28.1 CATEGORIES= security -MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_MAJOR_VERSION}_${NSS_MINOR_VERSION}_${NSS_PATCH_VERSION}_RTM/src/} +MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/} MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/ @@ -71,11 +70,12 @@ MAKE_ENV+= USE_64=1 MAKE_ENV+= BUILD_OPT=1 #MAKE_ENV+= OPTIMIZER=${CFLAGS:Q} MAKE_ENV+= INCLUDES=-I${BUILDLINK_PREFIX.nspr}/include/nspr -MAKE_ENV+= NSS_USE_SYSTEM_SQLITE=1 +#MAKE_ENV+= NSS_USE_SYSTEM_SQLITE=1 MAKE_ENV+= ZLIB_LIBS="${COMPILER_RPATH_FLAG}${BUILDLINK_PREFIX.zlib}/lib -L${BUILDLINK_PREFIX.zlib}/lib -lz" MAKE_ENV+= USE_SYSTEM_ZLIB=1 MAKE_ENV+= EXTRA_SHARED_LIBS="${COMPILER_RPATH_FLAG}${BUILDLINK_PREFIX.nspr}/lib/nspr ${COMPILER_RPATH_FLAG}${PREFIX}/lib/nss -L${BUILDLINK_PREFIX.nspr}/lib/nspr -lplc4 -lplds4 -lnspr4" MAKE_ENV+= NSS_DISABLE_GTESTS=yes +MAKE_ENV+= NSS_ENABLE_TLS_1_3=1 .include "../../mk/compiler.mk" .if !empty(CC_VERSION:Mgcc-4.[0-7]*) CFLAGS+= -DNSS_NO_GCC48 @@ -84,6 +84,8 @@ CFLAGS+= -DNSS_NO_GCC48 NSS_MAJOR_VERSION= ${NSS_RELEASE:C/\.[0-9.]*//} NSS_MINOR_VERSION= ${NSS_RELEASE:S/3.//:C/\.[0-9]*//} NSS_PATCH_VERSION= ${NSS_RELEASE:C/[0-9.]*\.//} +NSS_DIST_DIR_VERSION= ${NSS_MAJOR_VERSION}_${NSS_MINOR_VERSION}_${NSS_PATCH_VERSION} + SUBST_CLASSES+= config SUBST_SED.config+= -e "s,@PREFIX@,${PREFIX},g" @@ -125,7 +127,7 @@ do-install: # For consistency of libxul.so link in www/firefox. BUILDLINK_API_DEPENDS.sqlite3+= sqlite3>=3.8.4.2 .include "../../databases/sqlite3/buildlink3.mk" -BUILDLINK_API_DEPENDS.nspr+= nspr>=4.12 +BUILDLINK_API_DEPENDS.nspr+= nspr>=4.13.1 .include "../../devel/nspr/buildlink3.mk" .include "../../devel/zlib/buildlink3.mk" .include "../../mk/pthread.buildlink3.mk" diff --git a/devel/nss/PLIST b/devel/nss/PLIST index 2ac7364f763..422ddcc79d3 100644 --- a/devel/nss/PLIST +++ b/devel/nss/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.19 2016/11/29 12:57:08 ryoon Exp $ +@comment $NetBSD: PLIST,v 1.20 2017/01/20 15:01:23 ryoon Exp $ bin/certcgi bin/certutil bin/cmsutil @@ -42,6 +42,7 @@ include/nss/nss/crmf.h include/nss/nss/crmft.h include/nss/nss/cryptohi.h include/nss/nss/cryptoht.h +include/nss/nss/eccutil.h include/nss/nss/ecl-exp.h include/nss/nss/hasht.h include/nss/nss/jar-ds.h @@ -131,6 +132,7 @@ lib/nss/libnssckbi.${SO_SUFFIX} lib/nss/libnssdbm3.${SO_SUFFIX} lib/nss/libnssutil3.${SO_SUFFIX} lib/nss/libsmime3.${SO_SUFFIX} +lib/nss/libsqlite3.${SO_SUFFIX} lib/nss/libsoftokn3.${SO_SUFFIX} lib/nss/libssl3.${SO_SUFFIX} lib/pkgconfig/nss.pc diff --git a/devel/nss/distinfo b/devel/nss/distinfo index e8ee6606bdc..34209c76737 100644 --- a/devel/nss/distinfo +++ b/devel/nss/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.64 2016/11/29 22:51:12 ryoon Exp $ +$NetBSD: distinfo,v 1.65 2017/01/20 15:01:23 ryoon Exp $ -SHA1 (nss-3.27.2.tar.gz) = b63dc5ab4608b9954ffe3edd4152c90e1b93bf6a -RMD160 (nss-3.27.2.tar.gz) = 36e2fcf2eca8c26d597df39718835d2d3e6963a7 -SHA512 (nss-3.27.2.tar.gz) = 699847665e93fd649cb60ce6bc8f849f452779e7232a09bbeb0613f9e6c57bb81948f1ae59cc86648e41a212cda259109850ccd14546d35910deb75f5d2a13b8 -Size (nss-3.27.2.tar.gz) = 7397599 bytes +SHA1 (nss-3.28.1.tar.gz) = 75f220c1c20d8346cde43fb96726d3447c11cf22 +RMD160 (nss-3.28.1.tar.gz) = 816595c4005f2d2ad456946d8cb2000eca06361c +SHA512 (nss-3.28.1.tar.gz) = f10c8e404741fafe5e5772dc754ff4503ec1826942db5fbc13b99155fcac50f29e1405dd249b69a27f27ebcfef73849b1f0f636a2076ab761384e8a0ed9a2b8b +Size (nss-3.28.1.tar.gz) = 7451477 bytes SHA1 (patch-am) = bab47640c0d25629f43578e7b788859418b27ecd SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69 SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f |