.. _mozilla_projects_nss_overview:

Overview of NSS
===============

.. container::

   .. rubric:: Open Source Crypto Libraries
      :name: Open_Source_Crypto_Libraries

.. _proven_application_security_architecture:

`Proven Application Security Architecture <#proven_application_security_architecture>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   If you want to add support for SSL, S/MIME, or other Internet security standards to your
   application, you can use Network Security Services (NSS) to implement all your security features.
   NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat,
   Google, and other companies in a variety of products, including the following:

   -  `Mozilla products <https://www.mozilla.org/products/>`__, including
      `Firefox <https://www.mozilla.com/firefox/>`__,
      `Thunderbird <https://www.mozilla.com/thunderbird/>`__,
      `SeaMonkey <https://seamonkey-project.org/>`__, and `Firefox
      OS <https://support.mozilla.org/en-US/products/firefox-os>`__.
   -  AOL Instant Messenger (AIM)
   -  Open source client applications such as `Evolution <https://wiki.gnome.org/Apps/Evolution>`__,
      `Pidgin <https://pidgin.im/>`__, `Apache OpenOffice <https://www.openoffice.org/>`__, and
      `LibreOffice <https://www.libreoffice.org>`__.
   -  Server products from `Red Hat <https://www.redhat.com/en/technologies>`__: `Red Hat Directory
      Server <https://www.redhat.com/en/technologies/cloud-computing/directory-server>`__, `Red Hat
      Certificate
      System <https://www.redhat.com/en/technologies/cloud-computing/certificate-system>`__, and the
      `mod_nss <https://directory.fedoraproject.org/docs/389ds/administration/mod-nss.html>`__ SSL
      module for the Apache web server.
   -  Server products from Oracle (formerly Sun Java Enterprise System), including `Oracle
      Communications Messaging
      Server <https://www.oracle.com/industries/communications/enterprise/products/messaging-server/index.html>`__
      and `Oracle Directory Server Enterprise
      Edition <http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-085178.html>`__.
   -  `SUSE Linux Enterprise Server <https://www.suse.com/products/server/>`__ supports NSS and the
      `mod_nss <https://documentation.suse.com/sles/11-SP4/html/SLES-all/cha-apache2.html#sec-apache2-nss>`__
      SSL module for the Apache web server.

   NSS includes a framework to which developers and OEMs can contribute patches, such as assembler
   code, to optimize performance on their platforms. NSS 3.x has been certified on 18 platforms.

   For more detailed information about NSS, see `wiki.mozilla.org <https://wiki.mozilla.org/NSS>`__
   and `NSS FAQ <NSS_FAQ>`__.

   Source code for a Java interface to NSS is available in the Mozilla CVS tree. For details, see
   `Network Security Services for Java <JSS>`__.

   NSS makes use of Netscape Portable Runtime
   (`NSPR <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR>`__), a platform-neutral
   open-source API for system functions designed to facilitate cross-platform development. Like NSS,
   NSPR has been battle-tested in multiple products. For more information, see the `NSPR Project
   Page <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR>`__.

.. _interoperability_and_open_standards:

`Interoperability and Open Standards <#interoperability_and_open_standards>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   You can use NSS to support a range of security standards in your application, including the
   following:

   -  `SSL v3 </en-US/Glossary#SSL>`__. The Secure Sockets Layer (SSL) protocol allows mutual
      authentication between a client and server and the establishment of an authenticated and
      encrypted connection.
   -  TLS v1.3 (`RFC 8446 <https://datatracker.ietf.org/doc/html/rfc8446>`__), TLS v1.2 (`RFC
      5246 <https://datatracker.ietf.org/doc/html/rfc5246>`__), TLS v1.1 (`RFC
      4346 <https://datatracker.ietf.org/doc/html/rfc4346>`__), and `TLS v1
      <https://www.ietf.org/rfc/rfc2246.txt>`__ (`RFC
      2246 <https://datatracker.ietf.org/doc/html/rfc2246>`__). The Transport Layer Security (TLS)
      protocol from the IETF that supersedes SSL.
   -  `PKCS #1 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/index.html>`__. RSA standard that
      governs implementation of public-key cryptography based on the RSA algorithm.
   -  `PKCS #3 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-3/index.html>`__. RSA standard that
      governs implementation of Diffie-Hellman key agreement.
   -  `PKCS #5 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html>`__. RSA standard that
      governs password-based cryptography, for example to encrypt private keys for storage.
   -  `PKCS #7 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html>`__. RSA standard that
      governs the application of cryptography to data, for example digital signatures and digital
      envelopes.
   -  `PKCS #8 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-8/index.html>`__. RSA standard that
      governs the storage and encryption of private keys.
   -  `PKCS #9 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-9/index.html>`__. RSA standard that
      governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.
   -  `PKCS #10 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-10/index.html>`__. RSA standard that
      governs the syntax for certificate requests.
   -  `PKCS #11 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html>`__. RSA standard that
      governs communication with cryptographic tokens (such as hardware accelerators and smart
      cards) and permits application independence from specific algorithms and implementations.
   -  `PKCS #12 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html>`__. RSA standard that
      governs the format used to store or transport private keys, certificates, and other secret
      material.
   -  `S/MIME (RFC 2311 and RFC 2633) </en-US/Glossary#S.2FMIME>`__. IETF message specification
      (based on the popular Internet MIME standard) that provides a consistent way to send and
      receive signed and encrypted MIME data.
   -  `X.509 v3 <https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates>`__.
      ITU standard that governs the format of certificates used for authentication in public-key
      cryptography.
   -  `OCSP (RFC 2560) </en-US/Glossary#OCSP>`__. The Online Certificate Status Protocol (OCSP)
      governs real-time confirmation of certificate validity.
   -  `PKIX Certificate and CRL Profile <https://www.ietf.org/rfc/rfc3280.txt>`__ (`RFC
      3280 <https://datatracker.ietf.org/doc/html/rfc3280>`__). The first part of the four-part
      standard under development by the Public-Key Infrastructure (X.509) working group of the IETF
      (known as PKIX) for a public-key infrastructure for the Internet.
   -  RSA, DSA, ECDSA, Diffie-Hellman, EC Diffie-Hellman,
      `AES <https://en.wikipedia.org/wiki/Advanced_Encryption_Standard>`__, Triple DES, DES, RC2,
      RC4, SHA-1, SHA-256, SHA-384, SHA-512, MD2, MD5, HMAC: Common cryptographic algorithms used in
      public-key and symmetric-key cryptography.
   -  FIPS 186-2 pseudorandom number generator.

   For complete details, see `Encryption
   Technologies <https://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html>`__.

.. _fips_140_validation_and_niscc_testing:

`FIPS 140 Validation and NISCC Testing <#fips_140_validation_and_niscc_testing>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   The NSS software crypto module has been validated three times for conformance to FIPS 140 at
   Security Levels 1 and 2. For more information, see the `NSS FIPS <FIPS_Mode_-_an_explanation>`__
   page or the `FIPS Validation <https://wiki.mozilla.org/FIPS_Validation>`__ page on
   wiki.mozilla.org.

   The NSS libraries passed the NISCC
   `TLS/SSL <https://www.niscc.gov.uk/niscc/docs/re-20030930-00749.pdf?lang=en>`__ and
   `S/MIME <https://www.uniras.gov.uk/niscc/docs/re-20031104-00752.pdf?lang=en>`__ test suites (1.6
   million test cases of invalid input data).

.. _complete_software_development_kit:

`Complete Software Development Kit <#complete_software_development_kit>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   In addition to libraries and APIs, NSS provides :ref:`mozilla_projects_nss_tools` required for
   debugging, diagnostics, certificate and key management, cryptography module management, and other
   development tasks.

   NSS comes with an extensive and growing set of :ref:`mozilla_projects_nss#documentation`,
   including introductory material, API references, man pages for command-line tools, and
   :ref:`mozilla_projects_nss_nss_sample_code`.

   NSS is available as source and shared (dynamic) libraries. Every NSS release is backward
   compatible with previous releases, allowing NSS users to upgrade to the new NSS shared libraries
   without recompiling or relinking their applications.

.. _open-source_licensing_and_distribution:

`Open-Source Licensing and Distribution <#open-source_licensing_and_distribution>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   NSS is available under the `Mozilla Public License <https://www.mozilla.org/MPL/>`__, version 2.
   The latest source code is available for free worldwide from https://www.mozilla.org and its
   mirror sites.