[patch] PR461: don't use the NSS provider bundled with the browser

Andrew John Hughes ahughes at redhat.com
Mon Apr 12 05:42:32 PDT 2010


On 12 April 2010 13:29, Matthias Klose <doko at ubuntu.com> wrote:
> On 12.04.2010 14:09, Andrew John Hughes wrote:
>>
>> On 12 April 2010 02:34, Matthias Klose <doko at ubuntu.com> wrote:
>>>
>>> Seen this at least with firefox, would be nice if somebody could check that
>>> for chromium as well.
>>>
>>> The firefox start script in MOZILLA_FIVE_HOME sets LD_LIBRARY_PATH to
>>> include MOZILLA_FIVE_HOME and a number of subdirectories of
>>> MOZILLA_FIVE_HOME. The current NSS provider code seems to honor
>>> LD_LIBRARY_PATH, and loads the libnss3.so provided by the browser.
>>>
>>> Caused by: java.io.IOException: An incompatible version of NSS is already
>>> loaded, 3.7 or later required
>>>        at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130)
>>>        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:168)
>>>
>>> (wondering why the nss version shipped with firefox 3.6.3 identifies itself
>>> as 3.7).
>>>
>>
>> Wondering why Firefox includes NSS to begin with instead of using the
>> system version...
>>
>>> However the openjdk build is configured for the nss version configured at
>>> build time, and you can run it with more than one browser.
>>>
>>> My current solution/workaround is to pass a modified LD_LIBRARY_PATH to the
>>> subprocess such that the libnss3.so which was configured at build time is
>>> always used.
>>>
>>> Something like this, or another fix should go to the 1.8 branch as well.
>>>
>>
>> Looking at the code, the 3.7 doesn't come from Firefox but the provider:
>>
>>     public synchronized boolean isInitialized() throws IOException {
>>         // NSS does not allow us to check if it is initialized already
>>         // assume that if it is loaded it is also initialized
>>         if (isLoaded() == false) {
>>             return false;
>>         }
>>         if (supported == false) {
>>             throw new IOException
>>                 ("An incompatible version of NSS is already loaded, "
>>                 + "3.7 or later required");
>>         }
>>         return true;
>>     }
>>
>>     private boolean isLoaded() {
>>         if (nssHandle == 0) {
>>             nssHandle = nssGetLibraryHandle(System.mapLibraryName(NSS_LIB_NAME));
>>             if (nssHandle != 0) {
>>                 fetchVersions();
>>             }
>>         }
>>         return (nssHandle != 0);
>>     }
>>
>>     private void fetchVersions() {
>>         supported = nssVersionCheck(nssHandle, "3.7");
>>     }
>>
>> I don't know what Ubuntu uses, but Gentoo is on 3.12.6 of NSS:
>>
>> $ pkg-config --modversion nss
>> 3.12.6
>>
>> But it's clearly passing the test earlier, as the initialize method
>> includes the same test:
>
> There's another bug here in that the current firefox package on Ubuntu
> includes its own nss:
>
> $ ls -l /usr/lib/firefox-3.6.3/libnss3.so
> -rw-r--r-- 1 root root 875916 2010-04-09 18:26 /usr/lib/firefox-3.6.3/libnss3.so
>
> but this is something you'll get if you download the firefox binaries from
> mozilla.org as well:
>
> $ tar tf firefox-3.6.3.tar.bz2 | grep libnss3
> firefox/libnss3.so
>
>> Library loading prefers the setting in nss.cfg:
>>
>>         String platformLibName = System.mapLibraryName("nss3");
>
> Here, it's already too late. The nss3 found in LD_LIBRARY_PATH is used.
>

Does mapLibraryName load nss3 as a side-effect?  If so, we could move
it into the if clause.
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
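
The workaround described in the thread (handing the Java subprocess an LD_LIBRARY_PATH that no longer lists MOZILLA_FIVE_HOME or its subdirectories) can be sketched in shell. This is an added example, not the PR461 patch or IcedTea code; the function names and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example: keep a child process from resolving libnss3.so out of the
# browser's install tree by filtering the inherited library search path.

# strip_prefix_entries PATHLIST PREFIX
# Prints the colon-separated PATHLIST without entries equal to PREFIX or
# below it. Runs in a subshell, so the caller's IFS and options are untouched.
strip_prefix_entries() (
    list=$1
    prefix=${2%/}                 # compare without a trailing slash
    out=
    # An empty prefix (variable unset, or "/") would match everything.
    [ -n "$prefix" ] || { printf '%s' "$list"; exit 0; }
    IFS=:
    set -f                        # split on ':' only, no globbing
    for entry in $list; do
        # ld.so reads an empty entry as the current directory; drop it too.
        [ -n "$entry" ] || continue
        case ${entry%/} in
            "$prefix"|"$prefix"/*) continue ;;   # browser dir or a subdir
        esac
        out=${out:+$out:}$entry
    done
    printf '%s' "$out"
)

# run_with_clean_path CMD [ARGS...]
# Runs CMD with the filtered path; unsets the variable if nothing is left,
# so the dynamic linker falls back to its system defaults.
run_with_clean_path() (
    clean=$(strip_prefix_entries "${LD_LIBRARY_PATH:-}" "${MOZILLA_FIVE_HOME:-}")
    if [ -n "$clean" ]; then
        LD_LIBRARY_PATH=$clean
        export LD_LIBRARY_PATH
    else
        unset LD_LIBRARY_PATH
    fi
    "$@"
)

# Constructed sample: what a browser start script might have exported.
sample="/usr/lib/firefox-3.6.3:/usr/lib/firefox-3.6.3/plugins:/opt/jvm/lib"
printf 'filtered: %s\n' "$(strip_prefix_entries "$sample" /usr/lib/firefox-3.6.3)"
```

The match is on whole path components, so a sibling directory such as `/usr/lib/firefox-3.6.3-extra` is kept.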
