File: index.rst

package info (click to toggle)
thunderbird 1%3A128.14.0esr-1~deb12u1
links: PTS, VCS
area: main
in suites: bookworm
size: 4,334,824 kB
sloc: cpp: 7,391,917; javascript: 5,617,271; ansic: 3,833,216; python: 1,230,742; xml: 619,690; asm: 456,022; java: 179,892; sh: 118,796; makefile: 21,908; perl: 14,825; objc: 12,399; yacc: 4,583; pascal: 2,973; lex: 1,720; ruby: 1,190; exp: 762; sql: 674; awk: 580; php: 436; lisp: 430; sed: 70; csh: 10
file content (919 lines) | stat: -rw-r--r-- 49,427 bytes
parent folder | download | duplicates (18)
.. _mozilla_projects_nss_nss_3_12_release_notes_html:

NSS_3.12_release_notes.html
===========================

.. _nss_3.12_release_notes:

`NSS 3.12 Release Notes <#nss_3.12_release_notes>`__
----------------------------------------------------

.. container::

.. _17_june_2008:

`17 June 2008 <#17_june_2008>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__

`Contents <#contents>`__
~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  `Introduction <#introduction>`__
   -  `Distribution Information <#distribution_information>`__
   -  `New in NSS 3.12 <#new_in_nss_3.12>`__
   -  `Bugs Fixed <#bugs_fixed>`__
   -  `Documentation <#documentation>`__
   -  `Compatibility <#compatibility>`__
   -  `Feedback <#feedback>`__

   --------------

`Introduction <#introduction>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   Network Security Services (NSS) 3.12 is a minor release with the following new features:

   -  SQLite-Based Shareable Certificate and Key Databases
   -  libpkix: an RFC 3280 Compliant Certificate Path Validation Library
   -  Camellia cipher support
   -  TLS session ticket extension (RFC 5077)

   NSS 3.12 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
   Note: Firefox 3 uses NSS 3.12, but not the new SQLite-based shareable certificate and key
   databases. We missed the deadline to enable that feature in Firefox 3.

   --------------



`Distribution Information <#distribution_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   The CVS tag for the NSS 3.12 release is NSS_3_12_RTM. NSS 3.12 requires `NSPR
   4.7.1 <https://www.mozilla.org/projects/nspr/release-notes/nspr471.html>`__.
   See the `Documentation <#docs>`__ section for the build instructions.
   NSS 3.12 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
   download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/.
   -  Binary distributions:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/. Both debug and
      optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
      (optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12
      directory containing three subdirectories:

      -  include - NSS header files
      -  lib - NSS shared libraries
      -  bin - `NSS Tools <https://www.mozilla.org/projects/security/pki/nss/tools/>`__ and test
         programs

   You also need to download the NSPR 4.7.1 binary distributions to get the NSPR 4.7.1 header files
   and shared libraries, which NSS 3.12 requires. NSPR 4.7.1 binary distributions are in
   https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.1/.
   NSS 3.12 libraries have the following versions:

   -  sqlite3: 3.3.17
   -  nssckbi: 1.70
   -  softokn3 and freebl3: 3.12.0.3
   -  other NSS libraries: 3.12.0.3

   --------------

.. _new_in_nss_3.12:

`New in NSS 3.12 <#new_in_nss_3.12>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  3 new shared library are shipped with NSS 3.12:

      -  nssutil
      -  sqlite
      -  nssdbm

   -  1 new include file is shipped with NSS3.12:

      -  utilrename.h

   -  New functions in the nss shared library:

      -  CERT_CheckNameSpace (see cert.h)
      -  CERT_EncodeCertPoliciesExtension (see cert.h)
      -  CERT_EncodeInfoAccessExtension (see cert.h)
      -  CERT_EncodeInhibitAnyExtension (see cert.h)
      -  CERT_EncodeNoticeReference (see cert.h)
      -  CERT_EncodePolicyConstraintsExtension (see cert.h)
      -  CERT_EncodePolicyMappingExtension (see cert.h)
      -  CERT_EncodeSubjectKeyID (see certdb/cert.h)
      -  CERT_EncodeUserNotice (see cert.h)
      -  CERT_FindCRLEntryReasonExten (see cert.h)
      -  CERT_FindCRLNumberExten (see cert.h)
      -  CERT_FindNameConstraintsExten (see cert.h)
      -  CERT_GetClassicOCSPDisabledPolicy (see cert.h)
      -  CERT_GetClassicOCSPEnabledHardFailurePolicy (see cert.h)
      -  CERT_GetClassicOCSPEnabledSoftFailurePolicy (see cert.h)
      -  CERT_GetPKIXVerifyNistRevocationPolicy (see cert.h)
      -  CERT_GetUsePKIXForValidation (see cert.h)
      -  CERT_GetValidDNSPatternsFromCert (see cert.h)
      -  CERT_NewTempCertificate (see cert.h)
      -  CERT_SetOCSPTimeout (see certhigh/ocsp.h)
      -  CERT_SetUsePKIXForValidation (see cert.h)
      -  CERT_PKIXVerifyCert (see cert.h)
      -  HASH_GetType (see sechash.h)
      -  NSS_InitWithMerge (see nss.h)
      -  PK11_CreateMergeLog (see pk11pub.h)
      -  PK11_CreateGenericObject (see pk11pub.h)
      -  PK11_CreatePBEV2AlgorithmID (see pk11pub.h)
      -  PK11_DestroyMergeLog (see pk11pub.h)
      -  PK11_GenerateKeyPairWithOpFlags (see pk11pub.h)
      -  PK11_GetPBECryptoMechanism (see pk11pub.h)
      -  PK11_IsRemovable (see pk11pub.h)
      -  PK11_MergeTokens (see pk11pub.h)
      -  PK11_WriteRawAttribute (see pk11pub.h)
      -  SECKEY_ECParamsToBasePointOrderLen (see keyhi.h)
      -  SECKEY_ECParamsToKeySize (see keyhi.h)
      -  SECMOD_DeleteModuleEx (see secmod.h)
      -  SEC_GetRegisteredHttpClient (see ocsp.h)
      -  SEC_PKCS5IsAlgorithmPBEAlgTag (see secpkcs5.h)
      -  VFY_CreateContextDirect (see cryptohi.h)
      -  VFY_CreateContextWithAlgorithmID (see cryptohi.h)
      -  VFY_VerifyDataDirect (see cryptohi.h)
      -  VFY_VerifyDataWithAlgorithmID (see cryptohi.h)
      -  VFY_VerifyDigestDirect (see cryptohi.h)
      -  VFY_VerifyDigestWithAlgorithmID (see cryptohi.h)

   -  New macros for Camellia support (see blapit.h):

      -  NSS_CAMELLIA
      -  NSS_CAMELLIA_CBC
      -  CAMELLIA_BLOCK_SIZE

   -  New macros for RSA (see blapit.h):

      -  RSA_MAX_MODULUS_BITS
      -  RSA_MAX_EXPONENT_BITS

   -  New macros in certt.h:

      -  X.509 v3

         -  KU_ENCIPHER_ONLY
         -  CERT_MAX_SERIAL_NUMBER_BYTES
         -  CERT_MAX_DN_BYTES

      -  PKIX

         -  CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD
         -  CERT_REV_M_TEST_USING_THIS_METHOD
         -  CERT_REV_M_ALLOW_NETWORK_FETCHING
         -  CERT_REV_M_FORBID_NETWORK_FETCHING
         -  CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
         -  CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
         -  CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
         -  CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
         -  CERT_REV_M_IGNORE_MISSING_FRESH_INFO
         -  CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
         -  CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
         -  CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
         -  CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY
         -  CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
         -  CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT
         -  CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
         -  CERT_POLICY_FLAG_NO_MAPPING
         -  CERT_POLICY_FLAG_EXPLICIT
         -  CERT_POLICY_FLAG_NO_ANY
         -  CERT_ENABLE_LDAP_FETCH
         -  CERT_ENABLE_HTTP_FETCH

   -  New macro in utilrename.h:

      -  SMIME_AES_CBC_128

   -  The nssckbi PKCS #11 module's version changed to 1.70.
   -  In pkcs11n.h, all the \_NETSCAPE\_ macros are renamed with \_NSS\_

      -  For example, CKO_NETSCAPE_CRL becomes CKO_NSS_CRL.

   -  New for PKCS #11 (see pkcs11t.h for details):

      -  CKK: Keys

         -  CKK_CAMELLIA

      -  CKM: Mechanisms

         -  CKM_SHA224_RSA_PKCS
         -  CKM_SHA224_RSA_PKCS_PSS
         -  CKM_SHA224
         -  CKM_SHA224_HMAC
         -  CKM_SHA224_HMAC_GENERAL
         -  CKM_SHA224_KEY_DERIVATION
         -  CKM_CAMELLIA_KEY_GEN
         -  CKM_CAMELLIA_ECB
         -  CKM_CAMELLIA_CBC
         -  CKM_CAMELLIA_MAC
         -  CKM_CAMELLIA_MAC_GENERAL
         -  CKM_CAMELLIA_CBC_PAD
         -  CKM_CAMELLIA_ECB_ENCRYPT_DATA
         -  CKM_CAMELLIA_CBC_ENCRYPT_DATA

      -  CKG: MFGs

         -  CKG_MGF1_SHA224

   -  New error codes (see secerr.h):

      -  SEC_ERROR_NOT_INITIALIZED
      -  SEC_ERROR_TOKEN_NOT_LOGGED_IN
      -  SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
      -  SEC_ERROR_OCSP_BAD_SIGNATURE
      -  SEC_ERROR_OUT_OF_SEARCH_LIMITS
      -  SEC_ERROR_INVALID_POLICY_MAPPING
      -  SEC_ERROR_POLICY_VALIDATION_FAILED
      -  SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE
      -  SEC_ERROR_BAD_HTTP_RESPONSE
      -  SEC_ERROR_BAD_LDAP_RESPONSE
      -  SEC_ERROR_FAILED_TO_ENCODE_DATA
      -  SEC_ERROR_BAD_INFO_ACCESS_LOCATION
      -  SEC_ERROR_LIBPKIX_INTERNAL

   -  New mechanism flags (see secmod.h)

      -  PUBLIC_MECH_AES_FLAG
      -  PUBLIC_MECH_SHA256_FLAG
      -  PUBLIC_MECH_SHA512_FLAG
      -  PUBLIC_MECH_CAMELLIA_FLAG

   -  New OIDs (see secoidt.h)

      -  new EC Signature oids

         -  SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST
         -  SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST
         -  SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE
         -  SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE
         -  SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE
         -  SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE

      -  More id-ce and id-pe OIDs from RFC 3280

         -  SEC_OID_X509_HOLD_INSTRUCTION_CODE
         -  SEC_OID_X509_DELTA_CRL_INDICATOR
         -  SEC_OID_X509_ISSUING_DISTRIBUTION_POINT
         -  SEC_OID_X509_CERT_ISSUER
         -  SEC_OID_X509_FRESHEST_CRL
         -  SEC_OID_X509_INHIBIT_ANY_POLICY
         -  SEC_OID_X509_SUBJECT_INFO_ACCESS

      -  Camellia OIDs (RFC3657)

         -  SEC_OID_CAMELLIA_128_CBC
         -  SEC_OID_CAMELLIA_192_CBC
         -  SEC_OID_CAMELLIA_256_CBC

      -  PKCS 5 V2 OIDS

         -  SEC_OID_PKCS5_PBKDF2
         -  SEC_OID_PKCS5_PBES2
         -  SEC_OID_PKCS5_PBMAC1
         -  SEC_OID_HMAC_SHA1
         -  SEC_OID_HMAC_SHA224
         -  SEC_OID_HMAC_SHA256
         -  SEC_OID_HMAC_SHA384
         -  SEC_OID_HMAC_SHA512
         -  SEC_OID_PKIX_TIMESTAMPING
         -  SEC_OID_PKIX_CA_REPOSITORY
         -  SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE

   -  Changed OIDs (see secoidt.h)

      -  SEC_OID_PKCS12_KEY_USAGE changed to SEC_OID_BOGUS_KEY_USAGE
      -  SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST changed to
         SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
      -  Note: SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST is also kept for compatibility
         reasons.

   -  TLS Session ticket extension (off by default)

      -  See SSL_ENABLE_SESSION_TICKETS in ssl.h

   -  New SSL error codes (see sslerr.h)

      -  SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
      -  SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT
      -  SSL_ERROR_UNRECOGNIZED_NAME_ALERT
      -  SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT
      -  SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT
      -  SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
      -  SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET

   -  New TLS cipher suites (see sslproto.h):

      -  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
      -  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
      -  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

   -  Note: the following TLS cipher suites are declared but are not yet implemented:

      -  TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
      -  TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
      -  TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
      -  TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
      -  TLS_ECDH_anon_WITH_NULL_SHA
      -  TLS_ECDH_anon_WITH_RC4_128_SHA
      -  TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
      -  TLS_ECDH_anon_WITH_AES_128_CBC_SHA
      -  TLS_ECDH_anon_WITH_AES_256_CBC_SHA

   --------------

.. _bugs_fixed:

`Bugs Fixed <#bugs_fixed>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   The following bugs have been fixed in NSS 3.12.

   -  `Bug 354403 <https://bugzilla.mozilla.org/show_bug.cgi?id=354403>`__: nssList_CreateIterator
      returns pointer to a freed memory if the function fails to allocate a lock
   -  `Bug 399236 <https://bugzilla.mozilla.org/show_bug.cgi?id=399236>`__: pkix wrapper must print
      debug output into stderr
   -  `Bug 399300 <https://bugzilla.mozilla.org/show_bug.cgi?id=399300>`__: PKIX error results not
      freed after use.
   -  `Bug 414985 <https://bugzilla.mozilla.org/show_bug.cgi?id=414985>`__: Crash in
      pkix_pl_OcspRequest_Destroy
   -  `Bug 421870 <https://bugzilla.mozilla.org/show_bug.cgi?id=421870>`__: Strsclnt crashed in PKIX
      tests.
   -  `Bug 429388 <https://bugzilla.mozilla.org/show_bug.cgi?id=429388>`__: vfychain.main leaks
      memory
   -  `Bug 396044 <https://bugzilla.mozilla.org/show_bug.cgi?id=396044>`__: Warning: usage of
      uninitialized variable in ckfw/object.c(174)
   -  `Bug 396045 <https://bugzilla.mozilla.org/show_bug.cgi?id=396045>`__: Warning: usage of
      uninitialized variable in ckfw/mechanism.c(719)
   -  `Bug 401986 <https://bugzilla.mozilla.org/show_bug.cgi?id=401986>`__: Mac OS X leopard build
      failure in legacydb
   -  `Bug 325805 <https://bugzilla.mozilla.org/show_bug.cgi?id=325805>`__: diff considers
      mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file
   -  `Bug 385151 <https://bugzilla.mozilla.org/show_bug.cgi?id=385151>`__: Remove the link time
      dependency from NSS to Softoken
   -  `Bug 387892 <https://bugzilla.mozilla.org/show_bug.cgi?id=387892>`__: Add Entrust root CA
      certificate(s) to NSS
   -  `Bug 433386 <https://bugzilla.mozilla.org/show_bug.cgi?id=433386>`__: when system clock is off
      by more than two days, OSCP check fails, can result in crash if user tries to view certificate
      [[@ SECITEM_CompareItem_Util] [[@ memcmp]
   -  `Bug 396256 <https://bugzilla.mozilla.org/show_bug.cgi?id=396256>`__: certutil and pp do not
      print all the GeneralNames in a CRLDP extension
   -  `Bug 398019 <https://bugzilla.mozilla.org/show_bug.cgi?id=398019>`__: correct confusing and
      erroneous comments in DER_AsciiToTime
   -  `Bug 422866 <https://bugzilla.mozilla.org/show_bug.cgi?id=422866>`__: vfychain -pp command
      crashes in NSS_shutdown
   -  `Bug 345779 <https://bugzilla.mozilla.org/show_bug.cgi?id=345779>`__: Useless assignment
      statements in ec_GF2m_pt_mul_mont
   -  `Bug 349011 <https://bugzilla.mozilla.org/show_bug.cgi?id=349011>`__: please stop exporting
      these crmf\_ symbols
   -  `Bug 397178 <https://bugzilla.mozilla.org/show_bug.cgi?id=397178>`__: Crash when entering
      chrome://pippki/content/resetpassword.xul in URL bar
   -  `Bug 403822 <https://bugzilla.mozilla.org/show_bug.cgi?id=403822>`__:
      pkix_pl_OcspRequest_Create can leave some members uninitialized
   -  `Bug 403910 <https://bugzilla.mozilla.org/show_bug.cgi?id=403910>`__:
      CERT_FindUserCertByUsage() returns wrong certificate if multiple certs with same subject
      available
   -  `Bug 404919 <https://bugzilla.mozilla.org/show_bug.cgi?id=404919>`__: memory leak in
      sftkdb_ReadSecmodDB() (sftkmod.c)
   -  `Bug 406120 <https://bugzilla.mozilla.org/show_bug.cgi?id=406120>`__: Allow application to
      specify OCSP timeout
   -  `Bug 361025 <https://bugzilla.mozilla.org/show_bug.cgi?id=361025>`__: Support for Camellia
      Cipher Suites to TLS RFC4132
   -  `Bug 376417 <https://bugzilla.mozilla.org/show_bug.cgi?id=376417>`__: PK11_GenerateKeyPair
      needs to get the key usage from the caller.
   -  `Bug 391291 <https://bugzilla.mozilla.org/show_bug.cgi?id=391291>`__: Shared Database
      Integrity checks not yet implemented.
   -  `Bug 391292 <https://bugzilla.mozilla.org/show_bug.cgi?id=391292>`__: Shared Database
      implementation slow
   -  `Bug 391294 <https://bugzilla.mozilla.org/show_bug.cgi?id=391294>`__: Shared Database
      implementation really slow on network file systems
   -  `Bug 392521 <https://bugzilla.mozilla.org/show_bug.cgi?id=392521>`__: Automatic shared db
      update fails if user opens database R/W but never supplies a password
   -  `Bug 392522 <https://bugzilla.mozilla.org/show_bug.cgi?id=392522>`__: Integrity hashes must be
      updated when passwords are changed.
   -  `Bug 401610 <https://bugzilla.mozilla.org/show_bug.cgi?id=401610>`__: Shared DB fails on IOPR
      tests
   -  `Bug 388120 <https://bugzilla.mozilla.org/show_bug.cgi?id=388120>`__: build error due to
      SEC_BEGIN_PROTOS / SEC_END_PROTOS are undefined
   -  `Bug 415264 <https://bugzilla.mozilla.org/show_bug.cgi?id=415264>`__: Make Security use of new
      NSPR rotate macros
   -  `Bug 317052 <https://bugzilla.mozilla.org/show_bug.cgi?id=317052>`__: lib/base/whatnspr.c is
      obsolete
   -  `Bug 317323 <https://bugzilla.mozilla.org/show_bug.cgi?id=317323>`__: Set NSPR31_LIB_PREFIX to
      empty explicitly for WIN95 and WINCE builds
   -  `Bug 320336 <https://bugzilla.mozilla.org/show_bug.cgi?id=320336>`__: SECITEM_AllocItem
      returns a non-NULL pointer if the allocation of its 'data' buffer fails
   -  `Bug 327529 <https://bugzilla.mozilla.org/show_bug.cgi?id=327529>`__: Can't pass 0 as an
      unnamed null pointer argument to CERT_CreateRDN
   -  `Bug 334683 <https://bugzilla.mozilla.org/show_bug.cgi?id=334683>`__: Extraneous semicolons
      cause Empty declaration compiler warnings
   -  `Bug 335275 <https://bugzilla.mozilla.org/show_bug.cgi?id=335275>`__: Compile with the GCC
      flag -Werror-implicit-function-declaration
   -  `Bug 354565 <https://bugzilla.mozilla.org/show_bug.cgi?id=354565>`__: fipstest sha_test needs
      to detect SHA tests that are incorrectly configured for BIT oriented implementations
   -  `Bug 356595 <https://bugzilla.mozilla.org/show_bug.cgi?id=356595>`__: On Windows,
      RNG_SystemInfoForRNG calls GetCurrentProcess, which returns the constant (HANDLE)-1.
   -  `Bug 357015 <https://bugzilla.mozilla.org/show_bug.cgi?id=357015>`__: On Windows,
      ReadSystemFiles reads 21 files as opposed to 10 files in C:\WINDOWS\system32.
   -  `Bug 361076 <https://bugzilla.mozilla.org/show_bug.cgi?id=361076>`__: Clean up the
      USE_PTHREADS related code in coreconf/SunOS5.mk.
   -  `Bug 361077 <https://bugzilla.mozilla.org/show_bug.cgi?id=361077>`__: Clean up the
      USE_PTHREADS related code in coreconf/HP-UX*.mk.
   -  `Bug 402114 <https://bugzilla.mozilla.org/show_bug.cgi?id=402114>`__: Fix the incorrect
      function prototypes of SSL handshake callbacks
   -  `Bug 402308 <https://bugzilla.mozilla.org/show_bug.cgi?id=402308>`__: Fix miscellaneous
      compiler warnings in nss/cmd
   -  `Bug 402777 <https://bugzilla.mozilla.org/show_bug.cgi?id=402777>`__: lib/util can't be built
      stand-alone.
   -  `Bug 407866 <https://bugzilla.mozilla.org/show_bug.cgi?id=407866>`__: Contributed improvement
      to security/nss/lib/freebl/mpi/mp_comba.c
   -  `Bug 410587 <https://bugzilla.mozilla.org/show_bug.cgi?id=410587>`__: SSL_GetChannelInfo
      returns SECSuccess on invalid arguments
   -  `Bug 416508 <https://bugzilla.mozilla.org/show_bug.cgi?id=416508>`__: Fix a \_MSC_VER typo in
      sha512.c, and use SEC_BEGIN_PROTOS/SEC_END_PROTOS in secport.h
   -  `Bug 419242 <https://bugzilla.mozilla.org/show_bug.cgi?id=419242>`__: 'all' is not the default
      makefile target in lib/softoken and lib/softoken/legacydb
   -  `Bug 419523 <https://bugzilla.mozilla.org/show_bug.cgi?id=419523>`__: Export
      Cert_NewTempCertificate.
   -  `Bug 287061 <https://bugzilla.mozilla.org/show_bug.cgi?id=287061>`__: CRL number should be a
      big integer, not ulong
   -  `Bug 301213 <https://bugzilla.mozilla.org/show_bug.cgi?id=301213>`__: Combine internal libpkix
      function tests into a single statically linked program
   -  `Bug 324740 <https://bugzilla.mozilla.org/show_bug.cgi?id=324740>`__: add generation of SIA
      and AIA extensions to certutil
   -  `Bug 339737 <https://bugzilla.mozilla.org/show_bug.cgi?id=339737>`__: LIBPKIX OCSP checking
      calls CERT_VerifyCert
   -  `Bug 358785 <https://bugzilla.mozilla.org/show_bug.cgi?id=358785>`__: Merge NSS_LIBPKIX_BRANCH
      back to trunk
   -  `Bug 365966 <https://bugzilla.mozilla.org/show_bug.cgi?id=365966>`__: infinite recursive call
      in VFY_VerifyDigestDirect
   -  `Bug 382078 <https://bugzilla.mozilla.org/show_bug.cgi?id=382078>`__: pkix default http client
      returns error when try to get an ocsp response.
   -  `Bug 384926 <https://bugzilla.mozilla.org/show_bug.cgi?id=384926>`__: libpkix build problems
   -  `Bug 389411 <https://bugzilla.mozilla.org/show_bug.cgi?id=389411>`__: Mingw build error -
      undefined reference to \`_imp__PKIX_ERRORNAMES'
   -  `Bug 389904 <https://bugzilla.mozilla.org/show_bug.cgi?id=389904>`__: avoid multiple
      decoding/encoding while creating and using PKIX_PL_X500Name
   -  `Bug 390209 <https://bugzilla.mozilla.org/show_bug.cgi?id=390209>`__: pkix AIA manager tries
      to get certs using AIA url with OCSP access method
   -  `Bug 390233 <https://bugzilla.mozilla.org/show_bug.cgi?id=390233>`__: umbrella bug for libPKIX
      cert validation failures discovered from running vfyserv
   -  `Bug 390499 <https://bugzilla.mozilla.org/show_bug.cgi?id=390499>`__: libpkix does not check
      cached cert chain for revocation
   -  `Bug 390502 <https://bugzilla.mozilla.org/show_bug.cgi?id=390502>`__: libpkix fails cert
      validation when no valid CRL (NIST validation policy is always enforced)
   -  `Bug 390530 <https://bugzilla.mozilla.org/show_bug.cgi?id=390530>`__: libpkix does not support
      time override
   -  `Bug 390536 <https://bugzilla.mozilla.org/show_bug.cgi?id=390536>`__: Cert validation
      functions must validate leaf cert themselves
   -  `Bug 390554 <https://bugzilla.mozilla.org/show_bug.cgi?id=390554>`__: all PKIX_NULLCHECK\_
      errors are reported as PKIX ALLOC ERROR
   -  `Bug 390888 <https://bugzilla.mozilla.org/show_bug.cgi?id=390888>`__: CERT_Verify\* functions
      should be able to use libPKIX
   -  `Bug 391457 <https://bugzilla.mozilla.org/show_bug.cgi?id=391457>`__: libpkix does not check
      for object ref leak at shutdown
   -  `Bug 391774 <https://bugzilla.mozilla.org/show_bug.cgi?id=391774>`__: PKIX_Shutdown is not
      called by nssinit.c
   -  `Bug 393174 <https://bugzilla.mozilla.org/show_bug.cgi?id=393174>`__: Memory leaks in
      ocspclnt/PKIX.
   -  `Bug 395093 <https://bugzilla.mozilla.org/show_bug.cgi?id=395093>`__:
      pkix_pl_HttpCertStore_ProcessCertResponse is unable to process certs in DER format
   -  `Bug 395224 <https://bugzilla.mozilla.org/show_bug.cgi?id=395224>`__: Don't reject certs with
      critical NetscapeCertType extensions in libPKIX
   -  `Bug 395427 <https://bugzilla.mozilla.org/show_bug.cgi?id=395427>`__: PKIX_PL_Initialize must
      not call NSS_Init
   -  `Bug 395850 <https://bugzilla.mozilla.org/show_bug.cgi?id=395850>`__: build of libpkix tests
      creates links to nonexistant shared libraries and breaks windows build
   -  `Bug 398401 <https://bugzilla.mozilla.org/show_bug.cgi?id=398401>`__: Memory leak in PKIX
      init.
   -  `Bug 399326 <https://bugzilla.mozilla.org/show_bug.cgi?id=399326>`__: libpkix is unable to
      validate cert for certUsageStatusResponder
   -  `Bug 400947 <https://bugzilla.mozilla.org/show_bug.cgi?id=400947>`__: thread unsafe operation
      in PKIX_PL_HashTable_Add cause selfserv to crash.
   -  `Bug 402773 <https://bugzilla.mozilla.org/show_bug.cgi?id=402773>`__: Verify the list of
      public header files in NSS 3.12
   -  `Bug 403470 <https://bugzilla.mozilla.org/show_bug.cgi?id=403470>`__: Strsclnt + tstclnt
      crashes when PKIX enabled.
   -  `Bug 403685 <https://bugzilla.mozilla.org/show_bug.cgi?id=403685>`__: Application crashes
      after having called CERT_PKIXVerifyCert
   -  `Bug 408434 <https://bugzilla.mozilla.org/show_bug.cgi?id=408434>`__: Crash with PKIX based
      verify
   -  `Bug 411614 <https://bugzilla.mozilla.org/show_bug.cgi?id=411614>`__: Explicit Policy does not
      seem to work.
   -  `Bug 417024 <https://bugzilla.mozilla.org/show_bug.cgi?id=417024>`__: Convert libpkix error
      code into nss error code
   -  `Bug 422859 <https://bugzilla.mozilla.org/show_bug.cgi?id=422859>`__: libPKIX builds &
      validates chain to root not in the caller-provided anchor list
   -  `Bug 425516 <https://bugzilla.mozilla.org/show_bug.cgi?id=425516>`__: need to destroy data
      pointed by CERTValOutParam array in case of error
   -  `Bug 426450 <https://bugzilla.mozilla.org/show_bug.cgi?id=426450>`__: PKIX_PL_HashTable_Remove
      leaks hashtable key object
   -  `Bug 429230 <https://bugzilla.mozilla.org/show_bug.cgi?id=429230>`__: memory leak in
      pkix_CheckCert function
   -  `Bug 392696 <https://bugzilla.mozilla.org/show_bug.cgi?id=392696>`__: Fix copyright
      boilerplate in all new PKIX code
   -  `Bug 300928 <https://bugzilla.mozilla.org/show_bug.cgi?id=300928>`__: Integrate libpkix to NSS
   -  `Bug 303457 <https://bugzilla.mozilla.org/show_bug.cgi?id=303457>`__: extensions newly
      supported in libpkix must be marked supported
   -  `Bug 331096 <https://bugzilla.mozilla.org/show_bug.cgi?id=331096>`__: NSS Softoken must detect
      forks on all unix-ish platforms
   -  `Bug 390710 <https://bugzilla.mozilla.org/show_bug.cgi?id=390710>`__:
      CERTNameConstraintsTemplate is incorrect
   -  `Bug 416928 <https://bugzilla.mozilla.org/show_bug.cgi?id=416928>`__: DER decode error on this
      policy extension
   -  `Bug 375019 <https://bugzilla.mozilla.org/show_bug.cgi?id=375019>`__: Cache-enable
      pkix_OcspChecker_Check
   -  `Bug 391454 <https://bugzilla.mozilla.org/show_bug.cgi?id=391454>`__: libPKIX does not honor
      NSS's override trust flags
   -  `Bug 403682 <https://bugzilla.mozilla.org/show_bug.cgi?id=403682>`__: CERT_PKIXVerifyCert
      never succeeds
   -  `Bug 324744 <https://bugzilla.mozilla.org/show_bug.cgi?id=324744>`__: add generation of policy
      extensions to certutil
   -  `Bug 390973 <https://bugzilla.mozilla.org/show_bug.cgi?id=390973>`__: Add long option names to
      SECU_ParseCommandLine
   -  `Bug 161326 <https://bugzilla.mozilla.org/show_bug.cgi?id=161326>`__: need API to convert
      dotted OID format to/from octet representation
   -  `Bug 376737 <https://bugzilla.mozilla.org/show_bug.cgi?id=376737>`__: CERT_ImportCerts
      routinely sets VALID_PEER or VALID_CA OVERRIDE trust flags
   -  `Bug 390381 <https://bugzilla.mozilla.org/show_bug.cgi?id=390381>`__: libpkix rejects cert
      chain when root CA cert has no basic constraints
   -  `Bug 391183 <https://bugzilla.mozilla.org/show_bug.cgi?id=391183>`__: rename libPKIX error
      string number type to pkix error number types
   -  `Bug 397122 <https://bugzilla.mozilla.org/show_bug.cgi?id=397122>`__: NSS 3.12 alpha treats a
      key3.db with no global salt as having no password
   -  `Bug 405966 <https://bugzilla.mozilla.org/show_bug.cgi?id=405966>`__: Unknown signature OID
      1.3.14.3.2.29 causes sec_error_bad_signature, 3.11 ignores it
   -  `Bug 413010 <https://bugzilla.mozilla.org/show_bug.cgi?id=413010>`__: CERT_CompareRDN may
      return a false match
   -  `Bug 417664 <https://bugzilla.mozilla.org/show_bug.cgi?id=417664>`__: false positive crl
      revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
   -  `Bug 404526 <https://bugzilla.mozilla.org/show_bug.cgi?id=404526>`__: glibc detected free():
      invalid pointer
   -  `Bug 300929 <https://bugzilla.mozilla.org/show_bug.cgi?id=300929>`__: Certificate Policy
      extensions not supported
   -  `Bug 129303 <https://bugzilla.mozilla.org/show_bug.cgi?id=129303>`__: NSS needs to expose
      interfaces to deal with multiple token sources of certs.
   -  `Bug 217538 <https://bugzilla.mozilla.org/show_bug.cgi?id=217538>`__: softoken databases
      cannot be shared between multiple processes
   -  `Bug 294531 <https://bugzilla.mozilla.org/show_bug.cgi?id=294531>`__: Design new interfaces
      for certificate path building and verification for libPKIX
   -  `Bug 326482 <https://bugzilla.mozilla.org/show_bug.cgi?id=326482>`__: NSS ECC performance
      problems (intel)
   -  `Bug 391296 <https://bugzilla.mozilla.org/show_bug.cgi?id=391296>`__: Need an update helper
      for Shared Databases
   -  `Bug 395090 <https://bugzilla.mozilla.org/show_bug.cgi?id=395090>`__: remove duplication of
      pkcs7 code from pkix_pl_httpcertstore.c
   -  `Bug 401026 <https://bugzilla.mozilla.org/show_bug.cgi?id=401026>`__: Need to provide a way to
      modify and create new PKCS #11 objects.
   -  `Bug 403680 <https://bugzilla.mozilla.org/show_bug.cgi?id=403680>`__: CERT_PKIXVerifyCert
      fails if CRLs are missing, implement cert_pi_revocationFlags
   -  `Bug 427706 <https://bugzilla.mozilla.org/show_bug.cgi?id=427706>`__: NSS_3_12_RC1 crashes in
      passwordmgr tests
   -  `Bug 426245 <https://bugzilla.mozilla.org/show_bug.cgi?id=426245>`__: Assertion failure went
      undetected by tinderbox
   -  `Bug 158242 <https://bugzilla.mozilla.org/show_bug.cgi?id=158242>`__: PK11_PutCRL is very
      memory inefficient
   -  `Bug 287563 <https://bugzilla.mozilla.org/show_bug.cgi?id=287563>`__: Please make
      cert_CompareNameWithConstraints a non-static function
   -  `Bug 301496 <https://bugzilla.mozilla.org/show_bug.cgi?id=301496>`__: NSS_Shutdown failure in
      p7sign
   -  `Bug 324878 <https://bugzilla.mozilla.org/show_bug.cgi?id=324878>`__: crlutil -L outputs false
      CRL names
   -  `Bug 337010 <https://bugzilla.mozilla.org/show_bug.cgi?id=337010>`__: OOM crash [[@
      NSC_DigestKey] Dereferencing possibly NULL att
   -  `Bug 343231 <https://bugzilla.mozilla.org/show_bug.cgi?id=343231>`__: certutil issues certs
      for invalid requests
   -  `Bug 353371 <https://bugzilla.mozilla.org/show_bug.cgi?id=353371>`__: Klocwork 91117 - Null
      Pointer Dereference in CERT_CertChainFromCert
   -  `Bug 353374 <https://bugzilla.mozilla.org/show_bug.cgi?id=353374>`__: Klocwork 76494 - Null
      ptr derefs in CERT_FormatName
   -  `Bug 353375 <https://bugzilla.mozilla.org/show_bug.cgi?id=353375>`__: Klocwork 76513 - Null
      ptr deref in nssCertificateList_DoCallback
   -  `Bug 353413 <https://bugzilla.mozilla.org/show_bug.cgi?id=353413>`__: Klocwork 76541 free
      uninitialized pointer in CERT_FindCertURLExtension
   -  `Bug 353416 <https://bugzilla.mozilla.org/show_bug.cgi?id=353416>`__: Klocwork 76593 null ptr
      deref in nssCryptokiPrivateKey_SetCertificate
   -  `Bug 353423 <https://bugzilla.mozilla.org/show_bug.cgi?id=353423>`__: Klocwork bugs in
      nss/lib/pk11wrap/dev3hack.c
   -  `Bug 353739 <https://bugzilla.mozilla.org/show_bug.cgi?id=353739>`__: Klocwork Null ptr
      dereferences in instance.c
   -  `Bug 353741 <https://bugzilla.mozilla.org/show_bug.cgi?id=353741>`__: klocwork cascading
      memory leak in mpp_make_prime
   -  `Bug 353742 <https://bugzilla.mozilla.org/show_bug.cgi?id=353742>`__: klocwork null ptr
      dereference in ocsp_DecodeResponseBytes
   -  `Bug 353748 <https://bugzilla.mozilla.org/show_bug.cgi?id=353748>`__: klocwork null ptr
      dereferences in pki3hack.c
   -  `Bug 353760 <https://bugzilla.mozilla.org/show_bug.cgi?id=353760>`__: klocwork null pointer
      dereference in p7decode.c
   -  `Bug 353763 <https://bugzilla.mozilla.org/show_bug.cgi?id=353763>`__: klocwork Null ptr
      dereferences in pk11cert.c
   -  `Bug 353773 <https://bugzilla.mozilla.org/show_bug.cgi?id=353773>`__: klocwork Null ptr
      dereferences in pk11nobj.c
   -  `Bug 353777 <https://bugzilla.mozilla.org/show_bug.cgi?id=353777>`__: Klocwork Null ptr
      dereferences in pk11obj.c
   -  `Bug 353780 <https://bugzilla.mozilla.org/show_bug.cgi?id=353780>`__: Klocwork NULL ptr
      dereferences in pkcs11.c
   -  `Bug 353865 <https://bugzilla.mozilla.org/show_bug.cgi?id=353865>`__: klocwork Null ptr deref
      in softoken/pk11db.c
   -  `Bug 353888 <https://bugzilla.mozilla.org/show_bug.cgi?id=353888>`__: klockwork IDs for
      ssl3con.c
   -  `Bug 353895 <https://bugzilla.mozilla.org/show_bug.cgi?id=353895>`__: klocwork Null ptr derefs
      in pki/pkibase.c
   -  `Bug 353902 <https://bugzilla.mozilla.org/show_bug.cgi?id=353902>`__: klocwork bugs in
      stanpcertdb.c
   -  `Bug 353903 <https://bugzilla.mozilla.org/show_bug.cgi?id=353903>`__: klocwork oom crash in
      softoken/keydb.c
   -  `Bug 353908 <https://bugzilla.mozilla.org/show_bug.cgi?id=353908>`__: klocwork OOM crash in
      tdcache.c
   -  `Bug 353909 <https://bugzilla.mozilla.org/show_bug.cgi?id=353909>`__: klocwork ptr dereference
      before NULL check in devutil.c
   -  `Bug 353912 <https://bugzilla.mozilla.org/show_bug.cgi?id=353912>`__: Misc klocwork bugs in
      lib/ckfw
   -  `Bug 354008 <https://bugzilla.mozilla.org/show_bug.cgi?id=354008>`__: klocwork bugs in freebl
   -  `Bug 359331 <https://bugzilla.mozilla.org/show_bug.cgi?id=359331>`__: modutil -changepw strict
      shutdown failure
   -  `Bug 373367 <https://bugzilla.mozilla.org/show_bug.cgi?id=373367>`__: verify OCSP response
      signature in libpkix without decoding and reencoding
   -  `Bug 390542 <https://bugzilla.mozilla.org/show_bug.cgi?id=390542>`__: libpkix fails to
      validate a chain that consists only of one self issued, trusted cert
   -  `Bug 390728 <https://bugzilla.mozilla.org/show_bug.cgi?id=390728>`__:
      pkix_pl_OcspRequest_Create throws an error if it was not able to get AIA location
   -  `Bug 397825 <https://bugzilla.mozilla.org/show_bug.cgi?id=397825>`__: libpkix: ifdef code that
      uses user object types
   -  `Bug 397832 <https://bugzilla.mozilla.org/show_bug.cgi?id=397832>`__: libpkix leaks memory if
      a macro calls a function that returns an error
   -  `Bug 402727 <https://bugzilla.mozilla.org/show_bug.cgi?id=402727>`__: functions responsible
      for creating an object leak if subsequent function code produces an error
   -  `Bug 402731 <https://bugzilla.mozilla.org/show_bug.cgi?id=402731>`__:
      pkix_pl_Pk11CertStore_CrlQuery will crash if fails to acquire DP cache.
   -  `Bug 406647 <https://bugzilla.mozilla.org/show_bug.cgi?id=406647>`__: libpkix does not use
      user defined revocation checkers
   -  `Bug 407064 <https://bugzilla.mozilla.org/show_bug.cgi?id=407064>`__:
      pkix_pl_LdapCertStore_BuildCrlList should not fail if a crl fails to be decoded
   -  `Bug 421216 <https://bugzilla.mozilla.org/show_bug.cgi?id=421216>`__: libpkix test nss_thread
      leaks a test certificate
   -  `Bug 301259 <https://bugzilla.mozilla.org/show_bug.cgi?id=301259>`__: signtool Usage message
      is unhelpful
   -  `Bug 389781 <https://bugzilla.mozilla.org/show_bug.cgi?id=389781>`__: NSS should be built
      size-optimized in browser builds on Linux, Windows, and Mac
   -  `Bug 90426 <https://bugzilla.mozilla.org/show_bug.cgi?id=90426>`__: use of obsolete typedefs
      in public NSS headers
   -  `Bug 113323 <https://bugzilla.mozilla.org/show_bug.cgi?id=113323>`__: The first argument to
      PK11_FindCertFromNickname should be const.
   -  `Bug 132485 <https://bugzilla.mozilla.org/show_bug.cgi?id=132485>`__: built-in root certs slot
      description is empty
   -  `Bug 177184 <https://bugzilla.mozilla.org/show_bug.cgi?id=177184>`__: NSS_CMSDecoder_Cancel
      might have a leak
   -  `Bug 232392 <https://bugzilla.mozilla.org/show_bug.cgi?id=232392>`__: Erroneous root CA tests
      in NSS Libraries
   -  `Bug 286642 <https://bugzilla.mozilla.org/show_bug.cgi?id=286642>`__: util should be in a
      shared library
   -  `Bug 287052 <https://bugzilla.mozilla.org/show_bug.cgi?id=287052>`__: Function to get CRL
      Entry reason code has incorrect prototype and implementation
   -  `Bug 299308 <https://bugzilla.mozilla.org/show_bug.cgi?id=299308>`__: Need additional APIs in
      the CRL cache for libpkix
   -  `Bug 335039 <https://bugzilla.mozilla.org/show_bug.cgi?id=335039>`__:
      nssCKFWCryptoOperation_UpdateCombo is not declared
   -  `Bug 340917 <https://bugzilla.mozilla.org/show_bug.cgi?id=340917>`__: crlutil should init NSS
      read-only for some options
   -  `Bug 350948 <https://bugzilla.mozilla.org/show_bug.cgi?id=350948>`__: freebl macro change can
      give 1% improvement in RSA performance on amd64
   -  `Bug 352439 <https://bugzilla.mozilla.org/show_bug.cgi?id=352439>`__: Reference leaks in
      modutil
   -  `Bug 369144 <https://bugzilla.mozilla.org/show_bug.cgi?id=369144>`__: certutil needs option to
      generate SubjectKeyID extension
   -  `Bug 391771 <https://bugzilla.mozilla.org/show_bug.cgi?id=391771>`__: pk11_config_name and
      pk11_config_strings leaked on shutdown
   -  `Bug 401194 <https://bugzilla.mozilla.org/show_bug.cgi?id=401194>`__: crash in lg_FindObjects
      on win64
   -  `Bug 405652 <https://bugzilla.mozilla.org/show_bug.cgi?id=405652>`__: In the TLS ClientHello
      message the gmt_unix_time is incorrect
   -  `Bug 424917 <https://bugzilla.mozilla.org/show_bug.cgi?id=424917>`__: Performance regression
      with studio 12 compiler
   -  `Bug 391770 <https://bugzilla.mozilla.org/show_bug.cgi?id=391770>`__: OCSP_Global.monitor is
      leaked on shutdown
   -  `Bug 403687 <https://bugzilla.mozilla.org/show_bug.cgi?id=403687>`__: move pkix functions to
      certvfypkix.c, turn off EV_TEST_HACK
   -  `Bug 428105 <https://bugzilla.mozilla.org/show_bug.cgi?id=428105>`__: CERT_SetOCSPTimeout is
      not defined in any public header file
   -  `Bug 213359 <https://bugzilla.mozilla.org/show_bug.cgi?id=213359>`__: enhance PK12util to
      extract certs from p12 file
   -  `Bug 329067 <https://bugzilla.mozilla.org/show_bug.cgi?id=329067>`__: NSS encodes cert
      distinguished name attributes with wrong string type
   -  `Bug 339906 <https://bugzilla.mozilla.org/show_bug.cgi?id=339906>`__: sec_pkcs12_install_bags
      passes uninitialized variables to functions
   -  `Bug 396484 <https://bugzilla.mozilla.org/show_bug.cgi?id=396484>`__: certutil doesn't
      truncate existing temporary files when writing them
   -  `Bug 251594 <https://bugzilla.mozilla.org/show_bug.cgi?id=251594>`__: Certificate from PKCS#12
      file with colon in friendlyName not selectable for signing/encryption
   -  `Bug 321584 <https://bugzilla.mozilla.org/show_bug.cgi?id=321584>`__: NSS PKCS12 decoder fails
      to import bags without nicknames
   -  `Bug 332633 <https://bugzilla.mozilla.org/show_bug.cgi?id=332633>`__: remove duplicate header
      files in nss/cmd/sslsample
   -  `Bug 335019 <https://bugzilla.mozilla.org/show_bug.cgi?id=335019>`__: pk12util takes friendly
      name from key, not cert
   -  `Bug 339173 <https://bugzilla.mozilla.org/show_bug.cgi?id=339173>`__: mem leak whenever
      SECMOD_HANDLE_STRING_ARG called in loop
   -  `Bug 353904 <https://bugzilla.mozilla.org/show_bug.cgi?id=353904>`__: klocwork Null ptr deref
      in secasn1d.c
   -  `Bug 366390 <https://bugzilla.mozilla.org/show_bug.cgi?id=366390>`__: correct misleading
      function names in fipstest
   -  `Bug 370536 <https://bugzilla.mozilla.org/show_bug.cgi?id=370536>`__: Memory leaks in pointer
      tracker code in DEBUG builds only
   -  `Bug 372242 <https://bugzilla.mozilla.org/show_bug.cgi?id=372242>`__: CERT_CompareRDN uses
      incorrect algorithm
   -  `Bug 379753 <https://bugzilla.mozilla.org/show_bug.cgi?id=379753>`__: S/MIME should support
      AES
   -  `Bug 381375 <https://bugzilla.mozilla.org/show_bug.cgi?id=381375>`__: ocspclnt doesn't work on
      Windows
   -  `Bug 398693 <https://bugzilla.mozilla.org/show_bug.cgi?id=398693>`__: DER_AsciiToTime produces
      incorrect output for dates 1950-1970
   -  `Bug 420212 <https://bugzilla.mozilla.org/show_bug.cgi?id=420212>`__: Empty cert DNs handled
      badly, display as !INVALID AVA!
   -  `Bug 420979 <https://bugzilla.mozilla.org/show_bug.cgi?id=420979>`__: vfychain ignores -b TIME
      option when -p option is present
   -  `Bug 403563 <https://bugzilla.mozilla.org/show_bug.cgi?id=403563>`__: Implement the TLS
      session ticket extension (STE)
   -  `Bug 400917 <https://bugzilla.mozilla.org/show_bug.cgi?id=400917>`__: Want exported function
      that outputs all host names for DNS name matching
   -  `Bug 315643 <https://bugzilla.mozilla.org/show_bug.cgi?id=315643>`__:
      test_buildchain_resourcelimits won't build
   -  `Bug 353745 <https://bugzilla.mozilla.org/show_bug.cgi?id=353745>`__: klocwork null ptr
      dereference in PKCS12 decoder
   -  `Bug 338367 <https://bugzilla.mozilla.org/show_bug.cgi?id=338367>`__: The GF2M_POPULATE and
      GFP_POPULATE should check the ecCurve_map array index bounds before use
   -  `Bug 201139 <https://bugzilla.mozilla.org/show_bug.cgi?id=201139>`__: SSLTap should display
      plain text for NULL cipher suites
   -  `Bug 233806 <https://bugzilla.mozilla.org/show_bug.cgi?id=233806>`__: Support NIST CRL policy
   -  `Bug 279085 <https://bugzilla.mozilla.org/show_bug.cgi?id=279085>`__: NSS tools display public
      exponent as negative number
   -  `Bug 363480 <https://bugzilla.mozilla.org/show_bug.cgi?id=363480>`__: ocspclnt needs option to
      take cert from specified file
   -  `Bug 265715 <https://bugzilla.mozilla.org/show_bug.cgi?id=265715>`__: remove unused hsearch.c
      DBM code
   -  `Bug 337361 <https://bugzilla.mozilla.org/show_bug.cgi?id=337361>`__: Leaks in jar_parse_any
      (security/nss/lib/jar/jarver.c)
   -  `Bug 338453 <https://bugzilla.mozilla.org/show_bug.cgi?id=338453>`__: Leaks in
      security/nss/lib/jar/jarfile.c
   -  `Bug 351408 <https://bugzilla.mozilla.org/show_bug.cgi?id=351408>`__: Leaks in
      JAR_JAR_sign_archive (security/nss/lib/jar/jarjart.c)
   -  `Bug 351443 <https://bugzilla.mozilla.org/show_bug.cgi?id=351443>`__: Remove unused code from
      mozilla/security/nss/lib/jar
   -  `Bug 351510 <https://bugzilla.mozilla.org/show_bug.cgi?id=351510>`__: Remove USE_MOZ_THREAD
      code from mozilla/security/lib/jar
   -  `Bug 118830 <https://bugzilla.mozilla.org/show_bug.cgi?id=118830>`__: NSS public header files
      should be C++ safe
   -  `Bug 123996 <https://bugzilla.mozilla.org/show_bug.cgi?id=123996>`__: certutil -H doesn't
      document certutil -C -a
   -  `Bug 178894 <https://bugzilla.mozilla.org/show_bug.cgi?id=178894>`__: Quick decoder updates
      for lib/certdb and lib/certhigh
   -  `Bug 220115 <https://bugzilla.mozilla.org/show_bug.cgi?id=220115>`__: CKM_INVALID_MECHANISM
      should be an unsigned long constant.
   -  `Bug 330721 <https://bugzilla.mozilla.org/show_bug.cgi?id=330721>`__: Remove OS/2 VACPP
      compiler support from NSS
   -  `Bug 408260 <https://bugzilla.mozilla.org/show_bug.cgi?id=408260>`__: certutil usage doesn't
      give enough information about trust arguments
   -  `Bug 410226 <https://bugzilla.mozilla.org/show_bug.cgi?id=410226>`__: leak in
      create_objects_from_handles
   -  `Bug 415007 <https://bugzilla.mozilla.org/show_bug.cgi?id=415007>`__:
      PK11_FindCertFromDERSubjectAndNickname is dead code
   -  `Bug 416267 <https://bugzilla.mozilla.org/show_bug.cgi?id=416267>`__: compiler warnings on
      solaris due to extra semicolon in SEC_ASN1_MKSUB
   -  `Bug 419763 <https://bugzilla.mozilla.org/show_bug.cgi?id=419763>`__: logger thread should be
      joined on exit
   -  `Bug 424471 <https://bugzilla.mozilla.org/show_bug.cgi?id=424471>`__: counter overflow in
      bltest
   -  `Bug 229335 <https://bugzilla.mozilla.org/show_bug.cgi?id=229335>`__: Remove certificates that
      expired in August 2004 from tree
   -  `Bug 346551 <https://bugzilla.mozilla.org/show_bug.cgi?id=346551>`__: init SECItem derTemp in
      crmf_encode_popoprivkey
   -  `Bug 395080 <https://bugzilla.mozilla.org/show_bug.cgi?id=395080>`__: Double backslash in
      sysDir filenames causes problems on OS/2
   -  `Bug 341371 <https://bugzilla.mozilla.org/show_bug.cgi?id=341371>`__: certutil lacks a way to
      request a certificate with an existing key
   -  `Bug 382292 <https://bugzilla.mozilla.org/show_bug.cgi?id=382292>`__: add support for Camellia
      to cmd/symkeyutil
   -  `Bug 385642 <https://bugzilla.mozilla.org/show_bug.cgi?id=385642>`__: Add additional cert
      usage(s) for certutil's -V -u option
   -  `Bug 175741 <https://bugzilla.mozilla.org/show_bug.cgi?id=175741>`__: strict aliasing bugs in
      mozilla/dbm
   -  `Bug 210584 <https://bugzilla.mozilla.org/show_bug.cgi?id=210584>`__: CERT_AsciiToName doesn't
      accept all valid values
   -  `Bug 298540 <https://bugzilla.mozilla.org/show_bug.cgi?id=298540>`__: vfychain usage option
      should be improved and documented
   -  `Bug 323570 <https://bugzilla.mozilla.org/show_bug.cgi?id=323570>`__: Make dbck Debug mode
      work with Softoken
   -  `Bug 371470 <https://bugzilla.mozilla.org/show_bug.cgi?id=371470>`__: vfychain needs option to
      verify for specific date
   -  `Bug 387621 <https://bugzilla.mozilla.org/show_bug.cgi?id=387621>`__: certutil's random noise
      generator isn't very efficient
   -  `Bug 390185 <https://bugzilla.mozilla.org/show_bug.cgi?id=390185>`__: signtool error message
      wrongly uses the term database
   -  `Bug 391651 <https://bugzilla.mozilla.org/show_bug.cgi?id=391651>`__: Need config.mk file for
      Windows Vista
   -  `Bug 396322 <https://bugzilla.mozilla.org/show_bug.cgi?id=396322>`__: Fix secutil's code and
      NSS tools that print public keys
   -  `Bug 417641 <https://bugzilla.mozilla.org/show_bug.cgi?id=417641>`__: miscellaneous minor NSS
      bugs
   -  `Bug 334914 <https://bugzilla.mozilla.org/show_bug.cgi?id=334914>`__: hopefully useless null
      check of out it in JAR_find_next
   -  `Bug 95323 <https://bugzilla.mozilla.org/show_bug.cgi?id=95323>`__: ckfw should support cipher
      operations.
   -  `Bug 337088 <https://bugzilla.mozilla.org/show_bug.cgi?id=337088>`__: Coverity 405,
      PK11_ParamToAlgid() in mozilla/security/nss/lib/pk11wrap/pk11mech.c
   -  `Bug 339907 <https://bugzilla.mozilla.org/show_bug.cgi?id=339907>`__: oaep_xor_with_h1
      allocates and leaks sha1cx
   -  `Bug 341122 <https://bugzilla.mozilla.org/show_bug.cgi?id=341122>`__: Coverity 633
      SFTK_DestroySlotData uses slot->slotLock then checks it for NULL
   -  `Bug 351140 <https://bugzilla.mozilla.org/show_bug.cgi?id=351140>`__: Coverity 995, potential
      crash in ecgroup_fromNameAndHex
   -  `Bug 362278 <https://bugzilla.mozilla.org/show_bug.cgi?id=362278>`__: lib/util includes header
      files from other NSS directories
   -  `Bug 228190 <https://bugzilla.mozilla.org/show_bug.cgi?id=228190>`__: Remove unnecessary
      NSS_ENABLE_ECC defines from manifest.mn
   -  `Bug 412906 <https://bugzilla.mozilla.org/show_bug.cgi?id=412906>`__: remove sha.c and sha.h
      from lib/freebl
   -  `Bug 353543 <https://bugzilla.mozilla.org/show_bug.cgi?id=353543>`__: valgrind uninitialized
      memory read in nssPKIObjectCollection_AddInstances
   -  `Bug 377548 <https://bugzilla.mozilla.org/show_bug.cgi?id=377548>`__: NSS QA test program
      certutil's default DSA prime is only 512 bits
   -  `Bug 333405 <https://bugzilla.mozilla.org/show_bug.cgi?id=333405>`__: item cleanup is unused
      DEADCODE in SECITEM_AllocItem loser
   -  `Bug 288730 <https://bugzilla.mozilla.org/show_bug.cgi?id=288730>`__: compiler warnings in
      certutil
   -  `Bug 337251 <https://bugzilla.mozilla.org/show_bug.cgi?id=337251>`__: warning: /\* within
      comment
   -  `Bug 362967 <https://bugzilla.mozilla.org/show_bug.cgi?id=362967>`__: export
      SECMOD_DeleteModuleEx
   -  `Bug 389248 <https://bugzilla.mozilla.org/show_bug.cgi?id=389248>`__: NSS build failure when
      NSS_ENABLE_ECC is not defined
   -  `Bug 390451 <https://bugzilla.mozilla.org/show_bug.cgi?id=390451>`__: Remembered passwords
      lost when changing Master Password
   -  `Bug 418546 <https://bugzilla.mozilla.org/show_bug.cgi?id=418546>`__: reference leak in
      CERT_PKIXVerifyCert
   -  `Bug 390074 <https://bugzilla.mozilla.org/show_bug.cgi?id=390074>`__: OS/2 sign.cmd doesn't
      find sqlite3.dll
   -  `Bug 417392 <https://bugzilla.mozilla.org/show_bug.cgi?id=417392>`__: certutil -L -n reports
      bogus trust flags

   --------------

`Documentation <#documentation>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   For a list of the primary NSS documentation pages on mozilla.org, see `NSS
   Documentation <../index.html#Documentation>`__. New and revised documents available since the
   release of NSS 3.11 include the following:

   -  :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
   -  `NSS Shared DB <http://wiki.mozilla.org/NSS_Shared_DB>`__
   -  :ref:`mozilla_projects_nss_reference_nss_environment_variables`

   --------------

`Compatibility <#compatibility>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   NSS 3.12 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.12 shared libraries
   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
   compatible with future versions of the NSS shared libraries.

   --------------

`Feedback <#feedback>`__
~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   Bugs discovered should be reported by filing a bug report with `mozilla.org
   Bugzilla <https://bugzilla.mozilla.org/>`__\ (product NSS).