[patch] PR461: don't use the NSS provider bundled with the browser

Andrew John Hughes ahughes at redhat.com
Mon Apr 12 05:09:49 PDT 2010


On 12 April 2010 02:34, Matthias Klose <doko at ubuntu.com> wrote:
> Seen this at least with firefox, would be nice if somebody could check that
> for chromium as well.
>
> The firefox start script in MOZILLA_FIVE_HOME sets LD_LIBRARY_PATH to
> include MOZILLA_FIVE_HOME and a number of subdirectories of
> MOZILLA_FIVE_HOME. The current NSS provider code seems to honor
> LD_LIBRARY_PATH, and loads the libnss3.so provided by the browser.
>
> Caused by: java.io.IOException: An incompatible version of NSS is already
> loaded, 3.7 or later required
>        at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
>        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
>
> (wondering why the nss version shipped with firefox 3.6.3 identifies itself
> as 3.7).
>

Wondering why Firefox includes NSS to begin with instead of using the
system version...

> However the openjdk build is configured for the nss version configured at
> build time, and you can run it with more than one browser.
>
> My current solution/workaround is to pass a modified LD_LIBRARY_PATH to the
> subprocess such that the libnss3.so which was configured at build time is
> always used.
>
> Something like this, or another fix should go to the 1.8 branch as well.
>

Looking at the code, the 3.7 doesn't come from Firefox but the provider:

    public synchronized boolean isInitialized() throws IOException {
        // NSS does not allow us to check if it is initialized already
        // assume that if it is loaded it is also initialized
        if (isLoaded() == false) {
            return false;
        }
        if (supported == false) {
            throw new IOException
                ("An incompatible version of NSS is already loaded, "
                + "3.7 or later required");
        }
        return true;
    }

    private boolean isLoaded() {
        if (nssHandle == 0) {
            nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME));
            if (nssHandle != 0) {
                fetchVersions();
            }
        }
        return (nssHandle != 0);
    }

    private void fetchVersions() {
        supported = nssVersionCheck(nssHandle, "3.7");
    }

I don't know what Ubuntu uses, but Gentoo is on 3.12.6 of NSS:

$ pkg-config --modversion nss
3.12.6

But it's clearly passing the test earlier, as the initialize method
includes the same test:

Library loading prefers the setting in nss.cfg:

        String platformLibName = System.mapLibraryName("nss3");
        String platformPath;
        if (nssLibDir == null) {
            platformPath = platformLibName;
        } else {
            File base = new File(nssLibDir);
            if (base.isDirectory() == false) {
                throw new IOException("nssLibDir must be a directory:"
                    + nssLibDir);
            }
            File platformFile = new File(base, platformLibName);
            if (platformFile.isFile() == false) {
                throw new FileNotFoundException(platformFile.getPath());
            }
            platformPath = platformFile.getPath();
        }
        if (DEBUG) System.out.println("lib: " + platformPath);
        nssHandle = nssLoadLibrary(platformPath);

I suggest getting some debug output in that class.  Setting DEBUG to
true would be a start.

>  Matthias
>
>



-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
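
Added example, not part of the original message or of the OpenJDK/IcedTea sources: the LD_LIBRARY_PATH workaround discussed in the thread, written as POSIX shell, plus a check of which libnss3 a running process actually mapped. The function names strip_ld_path and loaded_nss and every sample path are assumptions.

```shell
#!/bin/sh
# Added example; function names and all sample paths are assumptions.

# strip_ld_path LIST PREFIX
# Print the colon-separated LIST without entries equal to or below PREFIX.
# Empty entries (which the loader treats as the current directory) are
# dropped too. Runs in a subshell so IFS and globbing changes do not leak.
strip_ld_path() (
    list=$1
    prefix=${2%/}
    # An unset MOZILLA_FIVE_HOME must not turn into "remove everything".
    [ -n "$prefix" ] || { printf '%s\n' "$list"; exit 0; }
    out=
    IFS=:
    set -f
    for entry in $list; do
        case "${entry%/}" in
            ''|"$prefix"|"$prefix"/*) continue ;;
        esac
        out=${out:+$out:}$entry
    done
    printf '%s\n' "$out"
)

# loaded_nss: read /proc/<pid>/maps text on stdin and print each distinct
# libnss3 file mapped into the process, e.g. loaded_nss < /proc/$pid/maps
loaded_nss() {
    awk '$NF ~ "/libnss3\\.so[^/]*$" { print $NF }' | sort -u
}

# Constructed sample: the environment a browser start script would hand down.
SAMPLE_HOME=/opt/browser
SAMPLE_PATH="$SAMPLE_HOME:$SAMPLE_HOME/plugins::/opt/browser-extra/lib:/usr/lib/jvm/lib"

# Prints /opt/browser-extra/lib:/usr/lib/jvm/lib
strip_ld_path "$SAMPLE_PATH" "$SAMPLE_HOME"

# In a launcher this would wrap the JVM start (shown as a comment only):
#   LD_LIBRARY_PATH=$(strip_ld_path "$LD_LIBRARY_PATH" "$MOZILLA_FIVE_HOME") java ...
```

Matching on a path prefix rather than a substring keeps sibling directories such as /opt/browser-extra in place.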


