SSL3 & TLS Renegotiation Vulnerability

See CVE-2009-3555 and US-CERT VU#120541 for more information about this security vulnerability.

All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.

If an application depends on renegotiation feature, it can be enabled by setting the environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental variable, the fix provided by these patches will have no effect and the application may become vulnerable to the issue.

This default setting can also be changed within the application by using the following existing API functions:

• • SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on)
  • SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on)


• There is now a new value for "option", which is:
  • SSL_ENABLE_RENEGOTIATION
  The corresponding new values for SSL_ENABLE_RENEGOTIATION are:
  • SSL_RENEGOTIATE_NEVER: Never renegotiate at all (default).
  • SSL_RENEGOTIATE_UNRESTRICTED: Renegotiate without restriction, whether or not the peer's client hello bears the renegotiation info extension (as we always did in the past). UNSAFE.

TLS compression

• Enable TLS compression with:
  • SSL_ENABLE_DEFLATE: Enable TLS compression with DEFLATE. Off by default. (See ssl.h)
  Error codes:
  • SSL_ERROR_DECOMPRESSION_FAILURE (see sslerr.h)
  • SSL_ERROR_RENEGOTIATION_NOT_ALLOWED (see sslerr.h)

New context initialization and shutdown functions

• See nss.h for details. The 2 new functions are:
  • NSS_InitContext
  • NSS_ShutdownContext

  Parameters for these functions are used to initialize softoken. These are mostly strings used to internationalize softoken. Memory for the strings are owned by the caller, who is free to free them once NSS_ContextInit returns. If the string parameter is NULL (as opposed to empty, zero length), then the softoken default is used. These are equivalent to the parameters for PK11_ConfigurePKCS11().

  See the following struct in nss.h for details:
  • NSSInitParametersStr

Other new functions

• In secmod.h:
  • SECMOD_GetSkipFirstFlag
  • SECMOD_GetDefaultModDBFlag
  In prlink.h
  • NSS_SecureMemcmp
  • PORT_LoadLibraryFromOrigin

Modified functions

• SGN_Update (see cryptohi.h)
  • The parameter "input" of this function is changed from unsigned char * to const unsigned char *.
• PK11_ConfigurePKCS11 (see nss.h)
  • The name of some parameters have been slightly changed ("des" became "desc").

Deprecated headers

• The header file key.h is deprecated. Please use keyhi.h instead.

Additional documentation

• In pk11pub.h:
  • The caller of PK11_DEREncodePublicKey should free the returned SECItem with a SECITEM_FreeItem(..., PR_TRUE) call.
  • PK11_ReadRawAttribute allocates the buffer for returning the attribute value. The caller of PK11_ReadRawAttribute should free the data buffer pointed to by item using a SECITEM_FreeItem(item, PR_FALSE) or PORT_Free(item->data) call.
  In secasn1.h:
  • If both pool and dest are NULL, the caller should free the returned SECItem with a SECITEM_FreeItem(..., PR_TRUE) call. If pool is NULL but dest is not NULL, the caller should free the data buffer pointed to by dest with a SECITEM_FreeItem(dest, PR_FALSE) or PORT_Free(dest->data) call.

Environment variables

• NSS_FIPS
  • Will start NSS in FIPS mode.
• NSS_SSL_ENABLE_RENEGOTIATION
• NSS_SSL_REQUIRE_SAFE_NEGOTIATION
  • See SSL3 & TLS Renegotiation Vulnerability.