Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8148501

Upgrade NSS library used in tests to 3.27.1

    Details

      Description

      See jdk/test/sun/security/pkcs11/nss, currently we are using version 3.16 which is quite old. There are following notable changes in releases after this. These will be useful to cover addition test scenarios: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

      Notable changes in 3.18
      =======================
      - The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2.

      Notable Changes in NSS 3.19
      =======================
      - The SSL 3 protocol has been disabled by default.
      - NSS now more strictly validates TLS extensions and will fail a handshake that contains malformed extensions (bug 753136).
      - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be compatible with TLS servers that use certificates with a SHA512 signature (bug 1155922).

      Notable Changes in NSS 3.20
      =======================
      - The TLS library has been extended to support DHE ciphersuites in server applications.

      Notable Changes in NSS 3.21
      =======================
      - NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)

      Notable Changes in NSS 3.22
      =======================
      - NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

      Notable Changes in NSS 3.23
      =======================
      - The copy of SQLite shipped with NSS has been updated to version 3.10.2 (bug 1234698)
      - The list of TLS extensions sent in the TLS handshake has been reordered to increase compatibility of the Extended Master Secret with servers (bug 1243641)
      - The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
      - The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to prevent compilation of the ChaCha20/Poly1305 code.

      Notable Changes in NSS 3.24
      =======================
      - Deprecate the following functions. (Applications should instead use the new SSL_ConfigServerCert function.)
          SSL_SetStapledOCSPResponses
          SSL_SetSignedCertTimestamps
          SSL_ConfigSecureServer
          SSL_ConfigSecureServerWithCertChain
      - Deprecate the NSS_FindCertKEAType function, as it reports a misleading value for certificates that might be used for signing rather than key exchange.
      - Update SSLAuthType to define a larger number of authentication key types.
      - Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo. Instead, applications should use the newly added attribute authType.
      - Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
      - Add a shared library (libfreeblpriv3) on Linux platforms that define FREEBL_LOWHASH.
      - Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible client hello. However, the server-side implementation of the SSL/TLS protocol still supports - processing of received v2-compatible client hello messages.
      - Disable (by default) NSS support in optimized builds for logging SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment variable is set. To enable the functionality in optimized builds, you must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
      - Update NSS to protect it against the Cachebleed attack.
      - Disable support for DTLS compression.
      - Improve support for TLS 1.3. This includes support for DTLS 1.3. Note that TLS 1.3 support is experimental and not suitable for production use.

      Notable Changes in NSS 3.25
      =======================
      - An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3

      Notable Changes in NSS 3.26
      =======================
      - NPN is disabled and ALPN is enabled by default

      Notable Changes in NSS 3.27
      =======================
      - UPDATE 2016-10-02:
          The maximum TLS version supported has been increased to TLS 1.3 (draft).
          Although the maximum TLS version enabled by default is still TLS 1.2, there are applications that query the list of TLS protocol versions supported by NSS, and enable all supported versions. For those applications, updating to NSS 3.27 may result in TLS 1.3 (draft) to be enabled.
          The TLS 1.3 (draft) protocol can be disabled, by defining symbol NSS_DISABLE_TLS_1_3 when building NSS.
      - NPN can not be enabled anymore.
      - Hard limits on the maximum number of TLS records encrypted with the same key are enforced.
      - Disabled renegotiation in DTLS.

        Issue Links

          Activity

          Show
          jjiang John Jiang added a comment - - edited NSS 3.27.1 + NSPR 4.13 source: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_27_1_RTM/src/nss-3.27.1-with-nspr-4.13.tar.gz
          Hide
          jjiang John Jiang added a comment - - edited
          sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed on Windows-x64 with NSS 3.27.1 libraries,
          --------------------------------------------------------------
          libsoftokn3 version = 3.271. ECC Basic.
          Beginning test run SecretKeysBasic...
          Running test with provider SunPKCS11-nss (security manager disabled) ...
          softkey> javax.crypto.spec.SecretKeySpec@175ef
          ALGO=AES
          [RAW] VALUE=b14d54bc648d4f55fb640c2215f870d5
          skey1> SunPKCS11-nss DESede secret key, 168 bits (id 1, session object, not sensitive, extractable)
          ALGO=DESede
          [RAW] VALUE=974a081c312ad319f15726bfe38fd0980b257c6726c19d5e
          skey2> SunPKCS11-nss DESede secret key, 168 bits (id 2, session object, not sensitive, extractable)
          ALGO=DESede
          [RAW] VALUE=f2109b5262c4a8c134a73819f107e338d0705b64c7d6a8c1
          Test against nss Failed!
          STDERR:
          Exception in thread "main" java.lang.StringIndexOutOfBoundsException: begin 825, end -1, length 1000
          at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3123)
          at java.base/java.lang.String.substring(String.java:1911)
          at PKCS11Test.getNSSInfo(PKCS11Test.java:446)
          at PKCS11Test.getLibnss3Version(PKCS11Test.java:381)
          at SecretKeysBasic.doTest(SecretKeysBasic.java:146)
          at SecretKeysBasic.main(SecretKeysBasic.java:83)
          at PKCS11Test.premain(PKCS11Test.java:166)
          at PKCS11Test.testNSS(PKCS11Test.java:522)
          at PKCS11Test.main(PKCS11Test.java:202)
          at PKCS11Test.main(PKCS11Test.java:178)
          at SecretKeysBasic.main(SecretKeysBasic.java:46)
          --------------------------------------------------------------
          The test failed to parse version from nss3.dll.

          The content pattern of nss3.dll in NSS 3.27.1 on Windows-x64 platform has been updated.
          It should modify the version abstraction for method PKCS11Test.getNSSInfo(String library).
          Or, it doesn't parse the version from nss3.dll, but just checks if nss3.dll contains the same version string as that softokn3.dll contains.
          Show
          jjiang John Jiang added a comment - - edited sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed on Windows-x64 with NSS 3.27.1 libraries, -------------------------------------------------------------- libsoftokn3 version = 3.271. ECC Basic. Beginning test run SecretKeysBasic... Running test with provider SunPKCS11-nss (security manager disabled) ... softkey> javax.crypto.spec.SecretKeySpec@175ef ALGO=AES [RAW] VALUE=b14d54bc648d4f55fb640c2215f870d5 skey1> SunPKCS11-nss DESede secret key, 168 bits (id 1, session object, not sensitive, extractable) ALGO=DESede [RAW] VALUE=974a081c312ad319f15726bfe38fd0980b257c6726c19d5e skey2> SunPKCS11-nss DESede secret key, 168 bits (id 2, session object, not sensitive, extractable) ALGO=DESede [RAW] VALUE=f2109b5262c4a8c134a73819f107e338d0705b64c7d6a8c1 Test against nss Failed! STDERR: Exception in thread "main" java.lang.StringIndexOutOfBoundsException: begin 825, end -1, length 1000 at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3123) at java.base/java.lang.String.substring(String.java:1911) at PKCS11Test.getNSSInfo(PKCS11Test.java:446) at PKCS11Test.getLibnss3Version(PKCS11Test.java:381) at SecretKeysBasic.doTest(SecretKeysBasic.java:146) at SecretKeysBasic.main(SecretKeysBasic.java:83) at PKCS11Test.premain(PKCS11Test.java:166) at PKCS11Test.testNSS(PKCS11Test.java:522) at PKCS11Test.main(PKCS11Test.java:202) at PKCS11Test.main(PKCS11Test.java:178) at SecretKeysBasic.main(SecretKeysBasic.java:46) -------------------------------------------------------------- The test failed to parse version from nss3.dll. The content pattern of nss3.dll in NSS 3.27.1 on Windows-x64 platform has been updated. It should modify the version abstraction for method PKCS11Test.getNSSInfo(String library). Or, it doesn't parse the version from nss3.dll, but just checks if nss3.dll contains the same version string as that softokn3.dll contains.

            People

            • Assignee:
              jjiang John Jiang
              Reporter:
              rhalade Rajan Halade
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated: