NSS configuration & plugin interaction
Andrew John Hughes
ahughes at redhat.com
Thu Apr 8 11:24:00 PDT 2010
On 8 April 2010 17:54, Matthias Klose <doko at ubuntu.com> wrote:
> On 07.04.2010 16:32, Andrew John Hughes wrote:
>>
>> On 7 April 2010 01:44, Matthias Klose<doko at ubuntu.com> wrote:
>>>
>>> this is about 461 and 469; when icedtea is configured with --enable-nss,
>>> just an additional security provider is added in java.security, the code
>>> currently in icedtea isn't changed, so the behaviour should be
>>> reproducible
>>> on systems which have the required nss available.
>>>
>>> visiting the page mentioned in 461 with the
>>> security.provider.9=sun.security.pkcs11.SunPKCS11
>>> ${java.home}/lib/security/nss.cfg enabled in java.policy, I get the stack
>>> trace in [1] after closing the page, the java process
>>> icedteanp-appletviewer-to-plugin sleeps (ignoring the Unimplemented
>>> messages
>>> at the end).
>>>
>>
>> This isn't the same failure as 469.
>
> I didn't say this.
>
Then how is 469 related? True they both concern NSS but they are
different failures which may have different causes. The NSS issue
reported in relation to the plugin is some kind of loading error,
whereas the other occurs during certificate creation.
>> Also, the output looks like two
>> separate threads throwing exceptions.
>>
>>> with security.provider.9 commented out, I see the stacktrace in [2].
>>> closing
>>> the page with the applet lets the icedteanp-appletviewer-to-plugin
>>> process
>>> sleep.
>>
>> Looks like the same as the first one, but the other thread no longer
>> crashes due to the NSS issue.
>> I suspect there are two bugs here. What makes you think the plugin
>> crash is related to NSS?
>
> the ssl test failures in the jtreg testsuite are related to enabling NSS.
>
They are, but completely different failures and not relevant to this
plugin issue.
The NSS error here is:
>>> Caused by: java.io.IOException: An incompatible version of NSS is already
>>> loaded, 3.7 or later required
>>> at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
>>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
>>> ... 37 more
which suggests some form of loading issue in the plugin.
>> The stack trace shows a parsing error:
>>
>> java.lang.ArrayIndexOutOfBoundsException: 5
>> at
>> sun.applet.PluginProxyInfoRequest.parseReturn(PluginProxyInfoRequest.java:65)
>>
>>>
>>> with security.provider.9 commented out and the nss.cfg file missing (that
>>> is
>>> the default when configuring without NSS, and running on a system having
>>> NSS) you see the stacktrace as in [2], but the
>>> icedteanp-appletviewer-to-plugin process now uses 100% cpu and doesn't
>>> terminate even after closing the page with the applet.
>>>
>>> As a minimum patch, we should always install the nss.cfg file, or revert
>>> the
>>> (upstream?) NSS patch when not configuring with --enable-nss.
>>
>> We can always install nss.cfg. It really makes no difference if the
>> provider line is not added.
>
> I'm applying a patch to the trunk, setting the libdir in nss.cfg to the
> system libdir when configuring without --enable-nss. It should do the right
> thing, but please check on Fedora that it gets the lib/lib64 right.
>
This is the wrong thing to do. I'd suggest the following instead:
* Always check for NSS but only fail if it's not found and ENABLE_NSS is set:
if test "x${ENABLE_NSS}" = "xyes"
then
  PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
  if test "x${NSS_FOUND}" = xno
  then
    AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.])
  fi
  NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
  AC_SUBST(NSS_LIBDIR)
  AC_CONFIG_FILES([nss.cfg])
fi
becomes something like:
PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
if test "x${NSS_FOUND}" = xno
then
  if test "x${ENABLE_NSS}" = "xyes"
  then
    AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.])
  else
    AC_MSG_WARN([Could not find NSS; not installing nss.cfg])
  fi
else
  NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
  AC_CONFIG_FILES([nss.cfg])
fi
AC_SUBST(NSS_LIBDIR)
You can check if nss.cfg was generated using an -e test in
Makefile.am's icedtea and icedtea-debug targets instead of the current
ENABLE_NSS block.
>
>>
>>>
>>> Would like to hear if this behaviour can be reproduced.
>>>
>>
>> Is there a URL I can give to appletviewer?
>
> it's in the bug report:
> http://www.slu.edu/classes/maymk/GeoGebra/SecantToTangent.html
>
>>
>>> Matthias
>>>
>>>
>>> [1]
>>> $ firefox 2>&1 | tee firefox.log2
>>> Looking for 0xb0cf570c 0xab6effb0 0xb5bdcbcc (document)
>>> java version "1.6.0_18"
>>> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu3)
>>> OpenJDK Server VM (build 16.0-b13, mixed mode)
>>> java.security.ProviderException: Could not initialize NSS
>>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
>>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>> Method)
>>> at
>>>
>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
>>> at
>>>
>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
>>> at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
>>> at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at
>>> sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
>>> at
>>> sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
>>> at
>>> sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
>>> at sun.security.jca.ProviderList.getService(ProviderList.java:330)
>>> at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
>>> at java.security.Security.getImpl(Security.java:696)
>>> at
>>>
>>> java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
>>> at
>>> sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
>>> at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
>>> at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
>>> at sun.security.x509.X509Key.parse(X509Key.java:168)
>>> at
>>> sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
>>> at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
>>> at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
>>> at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
>>> at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
>>> at
>>>
>>> sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
>>> at
>>>
>>> java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
>>> at
>>> sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
>>> at
>>> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>>> at java.security.KeyStore.load(KeyStore.java:1201)
>>> at
>>>
>>> sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:221)
>>> at
>>>
>>> sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:51)
>>> at
>>> javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:247)
>>> at
>>>
>>> net.sourceforge.jnlp.security.VariableX509TrustManager.<init>(VariableX509TrustManager.java:100)
>>> at
>>>
>>> net.sourceforge.jnlp.security.VariableX509TrustManager.getInstance(VariableX509TrustManager.java:282)
>>> at sun.applet.PluginMain.init(PluginMain.java:217)
>>> at sun.applet.PluginMain.<init>(PluginMain.java:147)
>>> at sun.applet.PluginMain.main(PluginMain.java:116)
>>> Caused by: java.io.IOException: An incompatible version of NSS is already
>>> loaded, 3.7 or later required
>>> at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
>>> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
>>> ... 37 more
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:629)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:674)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:747)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.ArrayIndexOutOfBoundsException: 5
>>> at
>>>
>>> sun.applet.PluginProxyInfoRequest.parseReturn(PluginProxyInfoRequest.java:65)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.finishCallRequest(PluginStreamHandler.java:338)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handlePluginMessage(PluginStreamHandler.java:287)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:208)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> Download error:
>>>
>>> /home/doko/.icedteaplugin/cache/http/www.slu.edu/classes/maymk/GeoGebra/geogebra_main.jar
>>> (No such file or directory)
>>> Download error: jarFile not found: 1
>>> java.lang.ArrayIndexOutOfBoundsException: 5
>>> at
>>>
>>> sun.applet.PluginProxyInfoRequest.parseReturn(PluginProxyInfoRequest.java:65)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.finishCallRequest(PluginStreamHandler.java:338)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handlePluginMessage(PluginStreamHandler.java:287)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:208)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> Exception in thread "Thread-12" java.lang.NoClassDefFoundError:
>>> geogebra/e/m
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.f.run(Unknown Source)
>>> ** Unimplemented: IcedTeaScriptableJavaObject::invalidate 0xa7779fe0
>>> ** Unimplemented: IcedTeaScriptableJavaObject::deAllocate 0xa7779fe0
>>>
>>>
>>> [2]
>>> $ firefox 2>&1 | tee firefox.log3
>>> Looking for 0xa73b348c 0xa6fd09e0 0xb5adcbcc (document)
>>> java version "1.6.0_18"
>>> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu3)
>>> OpenJDK Server VM (build 16.0-b13, mixed mode)
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:735)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:674)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.InterruptedException: sleep interrupted
>>> at java.lang.Thread.sleep(Native Method)
>>> at
>>> sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:629)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> java.lang.ArrayIndexOutOfBoundsException: 5
>>> at
>>>
>>> sun.applet.PluginProxyInfoRequest.parseReturn(PluginProxyInfoRequest.java:65)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.finishCallRequest(PluginStreamHandler.java:338)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handlePluginMessage(PluginStreamHandler.java:287)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:208)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> Download error:
>>>
>>> /home/doko/.icedteaplugin/cache/http/www.slu.edu/classes/maymk/GeoGebra/geogebra_main.jar
>>> (No such file or directory)
>>> Download error: jarFile not found: 1
>>> java.lang.ArrayIndexOutOfBoundsException: 5
>>> at
>>>
>>> sun.applet.PluginProxyInfoRequest.parseReturn(PluginProxyInfoRequest.java:65)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.finishCallRequest(PluginStreamHandler.java:338)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handlePluginMessage(PluginStreamHandler.java:287)
>>> at
>>>
>>> sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:208)
>>> at
>>>
>>> sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82)
>>> Exception in thread "Thread-12" java.lang.NoClassDefFoundError:
>>> geogebra/e/m
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.GeoGebraApplet.a(Unknown Source)
>>> at geogebra.f.run(Unknown Source)
>>>
>>>
>>
>>
>>
>
>
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
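
Added example, not part of the original message or of IcedTea: a shell check of an installed tree for the two conditions discussed in this thread, a SunPKCS11 provider line whose nss.cfg is missing (the -e test) and an nssLibraryDirectory that does not hold the NSS library (the lib/lib64 concern). The function names, status words and sample tree are assumptions made for illustration; the nss.cfg keys shown are constructed sample content.

```shell
#!/bin/sh
# check_nss_provider JAVA_HOME prints one status word:
#   no-provider  no uncommented SunPKCS11 line in java.security
#   missing-cfg  provider line present, but its config file does not exist
#   no-libdir    config file has no nssLibraryDirectory entry
#   bad-libdir   nssLibraryDirectory holds no libnss3.so (e.g. lib vs lib64)
#   ok           provider line, config file and library directory agree
# Assumes JAVA_HOME contains no '|' or '&' characters.
check_nss_provider() {
    java_home=$1
    sec="$java_home/lib/security/java.security"
    # Config path taken from the first uncommented security.provider.N line.
    cfg=$(sed -n 's/^security\.provider\.[0-9][0-9]*=sun\.security\.pkcs11\.SunPKCS11[[:space:]][[:space:]]*//p' "$sec" | head -n 1)
    [ -n "$cfg" ] || { echo no-provider; return 1; }
    # Expand the literal ${java.home} placeholder used in java.security.
    cfg=$(printf '%s\n' "$cfg" | sed "s|[\$]{java\.home}|$java_home|")
    [ -e "$cfg" ] || { echo missing-cfg; return 1; }
    libdir=$(sed -n 's/^[[:space:]]*nssLibraryDirectory[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
    [ -n "$libdir" ] || { echo no-libdir; return 1; }
    [ -e "$libdir/libnss3.so" ] || { echo bad-libdir; return 1; }
    echo ok
}

# Constructed sample: a fake JAVA_HOME whose nss.cfg points at directory $1.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/lib/security"
    printf '%s\n' '#security.provider.8=commented.out.Provider' \
        'security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg' \
        > "$home/lib/security/java.security"
    printf 'name = NSS\nnssLibraryDirectory = %s\nnssDbMode = noDb\n' "$1" \
        > "$home/lib/security/nss.cfg"
    echo "$home"
}

# Demo on constructed data: library directory first empty, then populated.
nssdir=$(mktemp -d)
demo=$(make_sample_home "$nssdir")
check_nss_provider "$demo" || true    # prints bad-libdir
: > "$nssdir/libnss3.so"
check_nss_provider "$demo"            # prints ok
rm -rf "$demo" "$nssdir"
```

Run against a real installation by passing its Java home directory to check_nss_provider.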