Closed Bug 1564499 Opened 3 years ago Closed 3 years ago

Upgrade Firefox 70 to use NSS 3.46


(Core :: Security: PSM, task, P1)




Tracking Status
firefox70 --- fixed


(Reporter: jcj, Assigned: jcj)




(7 files)

Tracking NSS 3.46 for Firefox 70. Ultimate tag will be NSS_3_46_RTM.

Pushed by
land NSS 264f19e7ede7 UPGRADE_NSS_RELEASE, r=me
Pushed by
land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me
Pushed by
land NSS a31fc0eefc4c UPGRADE_NSS_RELEASE, r=me
Regressions: 1567698
Pushed by
land NSS 009a7163c80a UPGRADE_NSS_RELEASE, r=me
Backout by
Backed out changeset f742215abea8 for causing Bug 1570891. UPGRADE_NSS_RELEASE a=backout

Please ignore the commit message here, this was backed out for the failures in comment 9. It was my mistake here for providing Alexandru a wrong bug no.

Thanks, opened a regression bug (Bug 1570991) and investigating there. New uplift is being tested with what I suspect is the offending patch backed out.

Flags: needinfo?(jjones)
Regressions: 1570991
Pushed by
land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
No longer regressions: 1567698
Pushed by
land NSS 89aa19677e37 UPGRADE_NSS_RELEASE, r=jcj

Revset: reverse(89aa19677e37~-1::bbfc55939d75)

2019-08-14 Kevin Jacobs <>

* gtests/ssl_gtest/
Bug 1572593 - Re-revert call to CheckCertReqAgainstDefaultCAs to
avoid memory leak (filed as bug 1573945). r=jcj

Revert back to the changes Franziskus had made. Updated the in-
source bug number to point to the new memleak bug.

Differential Revision:
[bbfc55939d75] [tip]

2019-08-12 Kevin Jacobs <>

* gtests/freebl_gtest/freebl_gtest.gyp,
Bug 1415118 - Fix --enable-libpkix builds from r=mt,jcj

Differential Revision:

2019-08-14 J.C. Jones <>

* gtests/ssl_gtest/, lib/ssl/ssl3ext.c:
Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions

Reset the list of advertised extensions before sending a new set.

This reverts the changes of

Differential Revision:

2019-08-14 Kevin Jacobs <>

* lib/freebl/ctr.c:
Bug 1539788 - UBSAN fixup for 128b counter. r=mt,jcj

Differential Revision:

2019-08-13 Kevin Jacobs <>

* lib/freebl/chacha20poly1305.c, lib/freebl/ctr.c, lib/freebl/gcm.c,
lib/freebl/intel-gcm-wrap.c, lib/freebl/rsapkcs.c:
Bug 1539788 - Add length checks for cryptographic primitives

This patch adds additional length checks around cryptographic

Differential Revision:

2019-08-13 Marcus Burghardt <>

* gtests/freebl_gtest/, lib/freebl/mpi/README,
lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h:
Bug 1542077 - Added extra controls and tests to mp_set_int and
mp_set_ulong. r=jcj,kjacobs

Differential Revision:

2019-08-13 J.C. Jones <>

* gtests/ssl_gtest/,
Bug 1572791 - Fixup clang-format r=bustage

* gtests/ssl_gtest/,
gtests/ssl_gtest/, lib/ssl/tls13subcerts.c:
Bug 1572791 - Check for nulls in SSLExp_DelegateCredential and its
tests r=kjacobs

This particularly catches test errors in tls_subcerts_unittest when
the profile is stale.

Differential Revision:

2019-08-13 Kevin Jacobs <>

* gtests/ssl_gtest/,
Bug 1572791 - Fix ASAN cert errors when SSL gtests run on empty
profile r=jcj

Differential Revision:

2019-08-09 Kevin Jacobs <>

* tests/common/
Bug 1560593 - to treat core dumps as test failures on
optimized builds. r=jcj

Differential Revision:
Pushed by
land NSS bbfc55939d75 UPGRADE_NSS_RELEASE, r=kjacobs
Pushed by
land NSS ea8bc9f43de3 UPGRADE_NSS_RELEASE, r=kjacobs

Revset: reverse(bbfc55939d75~-1::ea8bc9f43de3)

2019-08-19 Kai Engert <>

* automation/release/nspr-version.txt:
Bug 1562330 - require NSPR version 4.22 r=jcj
[ea8bc9f43de3] [tip]

2019-08-16 J.C. Jones <>

* cmd/selfserv/selfserv.c:
Bug 1574220 - Fixup clang-format r=bustage

2019-08-15 Marcus Burghardt <>

* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
Bug 1574220 - Improve controls after errors in tstcln, selfserv and
vfyserv cmds. r=kjacobs

Differential Revision:

2019-08-16 Marcus Burghardt <>

* lib/sqlite/README, lib/sqlite/sqlite3.c, lib/sqlite/sqlite3.h:
Bug 1550636 - Upgrade SQLite in NSS to v3.29 (2019-07-10). r=jcj

3029000 #define SQLITE_SOURCE_ID "2019-07-10 17:32:03

Differential Revision:

2019-08-15 Marcus Burghardt <>

* lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/nssckbi.h:
Bug 1566569 - Remove Swisscom Root CA 2 root certificate. r=jcj

Differential Revision:

2019-08-20 Marcus Burghardt <>

* lib/ckfw/builtins/certdata.txt:
Bug 1574670 - Remove Expired root certificates - Class 2 Primary,
UTN-USERFirst-Client, Deutsche Telekom Root CA 2.

[eeb9a6715a93] [tip]

2019-08-12 Kevin Jacobs <>

* lib/softoken/pkcs11c.c:
Bug 1572164 - Don't unnecessarily free session in NSC_WrapKey r=jcj

Pushed by
land NSS eeb9a6715a93 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-23 Kevin Jacobs <>

* tests/common/
Bug 1560593 - Check that BUILD_OPT is defined before testing its
value. r=jcj

[44aa330de2aa] [NSS_3_46_BETA1]

* cmd/strsclnt/strsclnt.c:
Bug 1575968 - Add strsclnt option to enforce the use of either IPv4
or IPv6 r=jcj


2019-08-23 Marcus Burghardt <>

* gtests/softoken_gtest/
Bug 1573942 - Gtest for pkcs11.txt with different breaking line
formats. r=kjacobs


2019-08-21 Kevin Jacobs <>

* lib/util/utilmod.c:
Bug 1564284: Added check for CR + LF, r=marcusburghardt,kjacobs

Looks good and it was already tested locally with this gtest patch:


2019-08-22 Martin Thomson <>

* lib/ssl/ssl3con.c:
Bug 1528666 - Formatting, a=bustage

2019-08-20 Martin Thomson <>

* gtests/ssl_gtest/,
gtests/ssl_gtest/, lib/ssl/ssl3con.c:
Bug 1528666 - Correct resumption validation checks, r=jcj

We allowed cross-suite resumption before, but it didn't work. This
enables that for clients.

As a secondary minor tweak, clients will no longer validate the
availability of a cipher suite based on their configured version
range when attempting resumption. Instead, they will check whether
the suite works for the version in the session that they are
attempting to resume. In theory, this doesn't change anything
because the previous session should not have selected an
incompatible combination of version and cipher suite, but it's worth
being extra precise.


2019-08-22 Martin Thomson <>

* gtests/ssl_gtest/,
gtests/ssl_gtest/, lib/ssl/ssl3con.c:
Bug 1568803 - More tests for client certificate authentication,

These were previously disabled because of difficulties (at the time)
in writing these tests for TLS 1.3. The framework, and my
understanding of it, has since improved, so these tests can be
restored and expanded. This exposed a minor correctness issue that
is also corrected.

Pushed by
land NSS NSS_3_46_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-27 Kevin Jacobs <>

    * automation/taskcluster/graph/src/extend.js,
    automation/taskcluster/windows/, fuzz/fuzz.gyp,
    gtests/softoken_gtest/softoken_gtest.gyp, tests/,
    Bug 1485533 - Close gaps in taskcluster SSL testing. r=mt

    This patch increases SSL testing on taskcluster, specifically,
    running an additional 395 tests on each SSL cycle (more for FIPS
    targets), and adding a new 'stress' cycle.

    Notable changes:

    1) This patch removes SSL stress tests from the default
    `NSS_SSL_RUN` list in and If stress tests are needed,
    this variable must be set to include.

    2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all
    targets. FIPS targets also run "normal_fips", "fips_normal", and

    3) `--enable-libpkix` is now set for all taskcluster ""
    builds in order to support a number of OCSP tests that were
    previously not run.

    [24b0fc700203] [NSS_3_46_BETA2]

2019-08-23 Edouard Oger <>

    * lib/sqlite/Makefile, lib/sqlite/sqlite.gyp:
    Bug 1549847 - Ignore sqlite compilation warnings. r=mt


2019-08-23 J.C. Jones <>

    * .hgtags:
    Added tag NSS_3_46_BETA1 for changeset 44aa330de2aa
Pushed by
land NSS NSS_3_46_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-30 J.C. Jones <>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.46 final
[decbf7bd40fd] [NSS_3_46_RTM]

2019-08-27 J.C. Jones <>

* .hgtags:
Added tag NSS_3_46_BETA2 for changeset 24b0fc700203
Pushed by
land NSS NSS_3_46_RTM UPGRADE_NSS_RELEASE, r=kjacobs
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
You need to log in before you can comment on or make changes to this bug.