Bug 1557015 - Firefox hangs when coolkey card is removed and re-inserted [rhel-7.6]
Summary: Firefox hangs when coolkey card is removed and re-inserted [rhel-7.6]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Roshni
Mirek Jahoda
: 1566832 (view as bug list)
Depends On:
Blocks: 1564458
TreeView+ depends on / blocked
Reported: 2018-03-15 18:52 UTC by Roshni
Modified: 2021-12-10 15:48 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
*Firefox* and other applications using *NSS* become unresponsive when a smart card is inserted The *Network Security Services* (NSS) libraries incorrectly handle smart card insertion events and states of such events. Consequently, the *Firefox* browser and other applications using *NSS* in the Gnome Display Manager (GDM) do not reliably detect the card insertion state and become unresponsive while requesting to wait for slot events. To work around this problem, do not update the _nss_ packages to version 3.34 and wait for the upstream version 3.36. The smart cards work correctly with the previous *NSS* version.
Clone Of:
: 1564458 (view as bug list)
Last Closed: 2018-11-09 14:45:49 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1447628 0 -- RESOLVED Firefox freezes since 2018-01-23 Nightly, after loading PKCS#11 module 2020-10-20 13:20:30 UTC

Description Roshni 2018-03-15 18:52:38 UTC
Description of problem:
Firefox hangs when coolkey card is removed and re-inserted

Version-Release number of selected component (if applicable):
[root@dhcp129-188 ~]# rpm -q opensc
[root@dhcp129-188 ~]# rpm -q firefox

How reproducible:

Steps to Reproduce:
1. Insert a coolkey card and perform an SSL auth to a webpage using the signing cert on the card
2. Remove the card
3. Re-insert the card and refresh the page

Actual results:
Firefox hangs

Expected results:

Additional info:

Comment 2 Jakub Jelen 2018-03-16 13:35:52 UTC
Also note, that does not hang for all the cards, but for just some (Gemalto), that probably miss the random number generator or are just slower, but the code assumes that it will always work (SafeNet for example).

Or the card, just after insertion, does not correctly answer on all the commands (until the initialization or something is completed). Clearly, there is some bug.

I forgot to copy the logs from the machine where we tested yesterday. Can you attach the logs to this bug? Or ideally have a once more reproducing session, since there might be some more things that I would like to try, but I had to run yesterday.

Comment 3 Jakub Jelen 2018-03-19 15:28:29 UTC
Can you verify the NSS version you are using on that system is the one that was used before and is not updated by any Z-streams?

We see similar issues with Nightly/Developer version of Firefox, but I can not reproduce it with the current version Firefox version available in Fedora [1].

[1] https://github.com/OpenSC/OpenSC/issues/1278#issuecomment-373774509

Comment 4 Roshni 2018-03-19 15:42:06 UTC
I have been updating my client using the RHEL 7.5 nightly and right now using 

[root@dhcp129-188 ~]# rpm -q nss
[root@dhcp129-188 ~]# rpm -q firefox

Comment 6 Roshni 2018-03-20 20:05:22 UTC
I tried with the latest updates to 7.4z 

[root@dhcp129-77 ~]# rpm -q opensc
[root@dhcp129-77 ~]# rpm -q opensc
[root@dhcp129-77 ~]# rpm -q firefox
[root@dhcp129-77 ~]# rpm -q nss

where I am seeing the issue. Using the builds under http://download.eng.rdu2.redhat.com/released/RHEL-7/7.4/Client/x86_64/os/ I was not able to reproduce.

Coolkey with firefox is showing the same issue in RHEL 7.5 but not consistent.

Comment 7 Jakub Jelen 2018-03-21 12:54:12 UTC
It looks like this is related to some of the changes in NSS, that were recently merged in RHEL7 branches and that went also to the upstream.

I will reassign the bug to NSS. This needs to be resolved before the NSS releases will go out.

For more information and reproducer, see the upstream bug:


Comment 8 Kai Engert (:kaie) (inactive account) 2018-03-21 13:05:21 UTC
(In reply to Jakub Jelen from comment #7)
> I will reassign the bug to NSS. This needs to be resolved before the NSS
> releases will go out.

I assume you mean "go out for Firefox 60 in RHEL 7.5.z in May 2018"?

Is this a regression? Then please add the regression keyword to the bug.

Who has the ability to debug and analyze this bug?

Comment 17 Jakub Jelen 2018-03-21 15:06:14 UTC
Well, your reproducer looked a bit different, but I assume it is the same issue -- happens after the card is recognized, either as a new card or as a reainsertion.
We assume this bug is present in Beta from your testing, but the question now is if this was here before Beta. I mean with packages from RHEL7.4.Z only, if you have a simple way to downgrade firefox and NSS to the following versions:


Comment 18 Roshni 2018-03-21 15:28:29 UTC
Using the following builds on RHEL 7.4z I am not able to reproduce the issue you have described in the upstream bug. But I could see the issue in this bug inconsistently with these builds.

[root@dhcp129-77 ~]# rpm -q firefox
[root@dhcp129-77 ~]# rpm -q nss

Comment 25 Jakub Jelen 2018-04-13 07:33:16 UTC
FYI, this looks like it is affecting also other applications using NSS, such as GDM:


This should have been documented as a known issue so customers and CEE are aware of this issue until it gets fixed. Mirek, what do you think? The z-stream bug is already verified, but GA has this bug. Should I draft some "Known Issue" doc text?

Comment 29 Kai Engert (:kaie) (inactive account) 2018-04-13 12:28:04 UTC
*** Bug 1566832 has been marked as a duplicate of this bug. ***

Comment 35 Roshni 2018-09-27 22:03:05 UTC
[root@dhcp129-188 nssdb]# rpm -q nss
[root@dhcp129-188 nssdb]# rpm -q firefox
[root@dhcp129-188 nssdb]# rpm -q opensc

Using the above builds I am not able to reproduce the issue on RHEL 7.6. Please let me know if you want me to close this bug, since this bug is on NEED_INFO.

Note You need to log in before you can comment on or make changes to this bug.