Description of problem:
As a workaround to bug 1303138, I tried to add p11-kit-trust.so pkcs#11 module to firefox's nssdb. The module worked - till restart, when it was not known by FF anymore.

Version-Release number of selected component (if applicable):
firefox-45.0-0.3.el7_2.x86_64

How reproducible:
always

Steps to Reproduce:
0. wget -P /etc/pki/ca-trust/source/anchors \
     https://password.corp.redhat.com/cacert.crt \
     https://password.corp.redhat.com/RH-IT-Root-CA.crt
   update-ca-trust
1. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
2. start firefox, add /usr/lib64/pkcs11/p11-kit-trust.so to "security devices" in Preferences - Advanced - certificates
3. go to https://errata.devel.redhat.com/
4. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
5. stop firefox
6. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list
7. start firefox, go to https://errata.devel.redhat.com/ again
8. modutil -dbdir $HOME/.mozilla/firefox/<profile> -list

Actual results:
1. expected: just NSS Internal... module is present
3. page loads OK
4., 6.: you can see p11-kit-trust.so library as a 2nd module
7. page doesn't load with Error code: SEC_ERROR_UNKNOWN_ISSUER
8. p11-kit-trust.so is not among firefox's modules anymore

Expected results:
module will be available indefinitely after configuring

Additional info:
won't be reproducible with p11-kit-trust.so once bug 1303138 is fixed so replace that bug with e.g. coolkey smartcard module (from 'coolkey' package) and skip https:// validity steps
s/so replace that bug/so replace the p11-kit-trust.so/ of course
The available 45 builds use Mozilla in-tree NSS, which misses the Red Hat special config. We need to retest when system nss is enabled.
(In reply to Martin Stransky from comment #2)
> The available 45 builds use Mozilla in-tree NSS, which misses the Red Hat
> special config.

This is not a RH-specific config, this is a bug in basic functionality. Smartcards won't work as a result of this (unless rh-specific change is made to make FF read /etc/pki/nssdb as well of course).

> We need to retest when system nss is enabled.

Sure.
BTW builds from Mozilla also have this bug.
Can you please test with latest FF for RHEL?
Not happening anymore in recent builds.
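Added example, not part of the original report or of any comment above: a shell check for the regression in steps 4 to 8, comparing two saved `modutil -list` listings and reporting any PKCS#11 library that was registered before the restart but is missing afterwards. The function names are hypothetical, the sample listings are constructed, and the `library name:` line format is an assumption about modutil's output.

```shell
#!/bin/sh
# Added example: detect PKCS#11 modules that vanish from an NSS database.
# Capture real listings with:  modutil -dbdir "$PROFILE" -list > file

# Print the path from each "library name:" line of a listing on stdin.
# (Assumed format; the built-in NSS module has no such line.)
list_module_libs() {
    sed -n 's/^[[:space:]]*library name:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# has_module LIB: succeed if LIB is registered in the listing on stdin.
has_module() {
    list_module_libs | grep -Fxq -- "$1"
}

# dropped_modules BEFORE AFTER: print libraries present in listing file
# BEFORE but absent from listing file AFTER (no output: all persisted).
dropped_modules() {
    list_module_libs < "$1" | while IFS= read -r lib; do
        has_module "$lib" < "$2" || printf '%s\n' "$lib"
    done
}

# Constructed sample: listing after adding the module (steps 4 and 6).
sample_after_add() {
    cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. p11-kit-trust
        library name: /usr/lib64/pkcs11/p11-kit-trust.so
         slots: 1 slot attached
        status: loaded
EOF
}

# Constructed sample: listing after the restart (step 8), module gone.
sample_after_restart() {
    cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
EOF
}

# With two listing files as arguments, report what was dropped.
if [ "$#" -eq 2 ]; then dropped_modules "$1" "$2"; fi
```

Save the step 6 and step 8 listings to files and pass them as the two arguments; empty output means every module survived the restart.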