- update to NSS 3.43
* required by Firefox 67.0
New functions
* HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag
* SSL_SendCertificateRequest - allow server to request post-handshake
client authentication. To use this both peers need to enable the
SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism
is present, post-handshake authentication is currently not TLS 1.3
compliant due to bug 1532312
Notable changes
* The following CA certificates were Added:
- emSign Root CA - G1
- emSign ECC Root CA - G3
- emSign Root CA - C1
- emSign ECC Root CA - C3
- Hongkong Post Root CA 3
Bugs fixed
* Improve Gyp build system handling (bmo#1528669, bmo#1529308)
* Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174)
* If Docker isn't installed, try running a local clang-format as a
fallback (bmo#1530134)
* Enable FIPS mode automatically if the system FIPS mode flag is set
(bmo#1531267)
* Add a -J option to the strsclnt command to specify sigschemes
(bmo#1528262)
* Add manual for nss-policy-check (bmo#1513909)
* Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074)
* Properly handle ESNI with HRR (bmo#1517714)
* Expose HKDF-Expand-Label with mechanism (bmo#1529813)
* Align TLS 1.3 HKDF trace levels (bmo#1535122)