Also note, that does not hang for all the cards, but for just some (Gemalto), that probably miss the random number generator or are just slower, but the code assumes that it will always work (SafeNet for example).

Or the card, just after insertion, does not correctly answer on all the commands (until the initialization or something is completed). Clearly, there is some bug.

I forgot to copy the logs from the machine where we tested yesterday. Can you attach the logs to this bug? Or ideally have a once more reproducing session, since there might be some more things that I would like to try, but I had to run yesterday.

Can you verify the NSS version you are using on that system is the one that was used before and is not updated by any Z-streams?

We see similar issues with Nightly/Developer version of Firefox, but I can not reproduce it with the current version Firefox version available in Fedora [1].

[1] https://github.com/OpenSC/OpenSC/issues/1278#issuecomment-373774509

I have been updating my client using the RHEL 7.5 nightly and right now using 

[root@dhcp129-188 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64
[root@dhcp129-188 ~]# rpm -q firefox
firefox-52.6.0-1.el7_4.x86_64

I tried with the latest updates to 7.4z 

[root@dhcp129-77 ~]# rpm -q opensc
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
[root@dhcp129-77 ~]# rpm -q opensc
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
[root@dhcp129-77 ~]# rpm -q firefox
firefox-52.7.2-1.el7_4.x86_64
[root@dhcp129-77 ~]# rpm -q nss
nss-3.28.4-15.el7_4.x86_64

where I am seeing the issue. Using the builds under http://download.eng.rdu2.redhat.com/released/RHEL-7/7.4/Client/x86_64/os/ I was not able to reproduce.

Coolkey with firefox is showing the same issue in RHEL 7.5 but not consistent.

It looks like this is related to some of the changes in NSS, that were recently merged in RHEL7 branches and that went also to the upstream.

I will reassign the bug to NSS. This needs to be resolved before the NSS releases will go out.

For more information and reproducer, see the upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=1447628

(In reply to Jakub Jelen from comment #7)
> I will reassign the bug to NSS. This needs to be resolved before the NSS
> releases will go out.

I assume you mean "go out for Firefox 60 in RHEL 7.5.z in May 2018"?

Is this a regression? Then please add the regression keyword to the bug.

Who has the ability to debug and analyze this bug?

Well, your reproducer looked a bit different, but I assume it is the same issue -- happens after the card is recognized, either as a new card or as a reainsertion.
We assume this bug is present in Beta from your testing, but the question now is if this was here before Beta. I mean with packages from RHEL7.4.Z only, if you have a simple way to downgrade firefox and NSS to the following versions:

firefox-52.7.2-1.el7_4.x86_64
nss-3.28.4-15.el7_4.x86_64

Using the following builds on RHEL 7.4z I am not able to reproduce the issue you have described in the upstream bug. But I could see the issue in this bug inconsistently with these builds.

[root@dhcp129-77 ~]# rpm -q firefox
firefox-52.7.2-1.el7_4.x86_64
[root@dhcp129-77 ~]# rpm -q nss
nss-3.28.4-15.el7_4.x86_64

FYI, this looks like it is affecting also other applications using NSS, such as GDM:

https://bugzilla.redhat.com/show_bug.cgi?id=1566675

This should have been documented as a known issue so customers and CEE are aware of this issue until it gets fixed. Mirek, what do you think? The z-stream bug is already verified, but GA has this bug. Should I draft some "Known Issue" doc text?

*** Bug 1566832 has been marked as a duplicate of this bug. ***

[root@dhcp129-188 nssdb]# rpm -q nss
nss-3.36.0-7.el7_5.x86_64
[root@dhcp129-188 nssdb]# rpm -q firefox
firefox-60.2.1-1.el7_5.x86_64
[root@dhcp129-188 nssdb]# rpm -q opensc
opensc-0.16.0-10.20170227git777e2a3.el7.x86_64

Using the above builds I am not able to reproduce the issue on RHEL 7.6. Please let me know if you want me to close this bug, since this bug is on NEED_INFO.