[patch] PR461: don't use the NSS provider bundled with the browser

Matthias Klose doko at ubuntu.com
Mon Apr 12 05:29:00 PDT 2010


On 12.04.2010 14:09, Andrew John Hughes wrote:
> On 12 April 2010 02:34, Matthias Klose <doko at ubuntu.com> wrote:
>> Seen this at least with firefox, would be nice if somebody could check that
>> for chromium as well.
>>
>> The firefox start script in MOZILLA_FIVE_HOME sets LD_LIBRARY_PATH to
>> include MOZILLA_FIVE_HOME and a number of subdirectories of
>> MOZILLA_FIVE_HOME. The current NSS provider code seems to honor
>> LD_LIBRARY_PATH, and loads the libnss3.so provided by the browser.
>>
>> Caused by: java.io.IOException: An incompatible version of NSS is already
>> loaded, 3.7 or later required
>>         at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
>>         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
>>
>> (wondering why the nss version shipped with firefox 3.6.3 identifies itself
>> as 3.7).
>>
>
> Wondering why Firefox includes NSS to begin with instead of using the
> system version...
>
>> However the openjdk build is configured for the nss version configured at
>> build time, and you can run it with more than one browser.
>>
>> My current solution/workaround is to pass a modified LD_LIBRARY_PATH to the
>> subprocess such that the libnss3.so which was configured at build time is
>> always used.
>>
>> Something like this, or another fix should go to the 1.8 branch as well.
>>
>
> Looking at the code, the 3.7 doesn't come from Firefox but the provider:
>
>      public synchronized boolean isInitialized() throws IOException {
>          // NSS does not allow us to check if it is initialized already
>          // assume that if it is loaded it is also initialized
>          if (isLoaded() == false) {
>              return false;
>          }
>          if (supported == false) {
>              throw new IOException
>                  ("An incompatible version of NSS is already loaded, "
>                  + "3.7 or later required");
>          }
>          return true;
>      }
>
>      private boolean isLoaded() {
>          if (nssHandle == 0) {
>              nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME));
>              if (nssHandle != 0) {
>                  fetchVersions();
>              }
>          }
>          return (nssHandle != 0);
>      }
>
>      private void fetchVersions() {
>          supported = nssVersionCheck(nssHandle, "3.7");
>      }
>
> I don't know what Ubuntu uses, but Gentoo is on 3.12.6 of NSS:
>
> $ pkg-config --modversion nss
> 3.12.6
>
> But it's clearly passing the test earlier, as the initialize method
> includes the same test:

There's another bug here in that the current firefox package on Ubuntu includes
its own nss:

$ ls -l /usr/lib/firefox-3.6.3/libnss3.so
-rw-r--r-- 1 root root 875916 2010-04-09 18:26 /usr/lib/firefox-3.6.3/libnss3.so

but this is something you'll get if you download the firefox binaries from 
mozilla.org as well:

$ tar tf firefox-3.6.3.tar.bz2 | grep libnss3
firefox/libnss3.so

> Library loading prefers the setting in nss.cfg:
>
>          String platformLibName = System.mapLibraryName("nss3");

Here, it's already too late. The nss3 found in LD_LIBRARY_PATH is used.
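
The workaround described in the message above (hand the Java subprocess an LD_LIBRARY_PATH that always resolves to the libnss3.so configured at build time), as an added example that is not part of the original post and is not the patch under discussion. The names `jvm_library_path` and `under_dir` and the directory `/usr/lib/nss` are assumptions for illustration; the function also drops empty entries, which ld.so treats as the current directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if dir (len bytes) is moz_home itself or a subdirectory of it. */
static int under_dir(const char *dir, size_t len, const char *moz_home)
{
    size_t hl = strlen(moz_home);
    while (hl > 1 && moz_home[hl - 1] == '/')
        hl--;                           /* ignore trailing slashes */
    if (hl == 0 || len < hl || strncmp(dir, moz_home, hl) != 0)
        return 0;
    return len == hl || dir[hl] == '/'; /* match whole path components only */
}

/*
 * Build the LD_LIBRARY_PATH for the JVM subprocess: nss_dir first, then the
 * inherited entries minus empty ones and those under moz_home. Caller frees.
 */
char *jvm_library_path(const char *inherited, const char *moz_home,
                       const char *nss_dir)
{
    size_t cap = strlen(nss_dir) + (inherited ? strlen(inherited) : 0) + 2;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    strcpy(out, nss_dir);
    for (const char *p = inherited; p != NULL && *p != '\0'; ) {
        size_t len = strcspn(p, ":;");  /* ld.so accepts both separators */
        if (len > 0 && !(moz_home && under_dir(p, len, moz_home))) {
            strcat(out, ":");
            strncat(out, p, len);
        }
        p += len;
        if (*p != '\0')
            p++;                        /* step over the separator */
    }
    return out;
}

int main(void)
{
    /* Constructed sample: /usr/lib/nss stands in for the build-time NSS dir. */
    char *p = jvm_library_path("/usr/lib/firefox-3.6.3::/opt/lib",
                               "/usr/lib/firefox-3.6.3", "/usr/lib/nss");
    printf("LD_LIBRARY_PATH=%s\n", p ? p : "(out of memory)");
    free(p);
    return 0;
}
```

The result has to be placed in the environment the subprocess is spawned with; changing it after the JVM has started does not affect which libnss3.so the dynamic loader already resolved.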


