Description of problem: Mozilla Firefox' internal crypto system can operate in two different modes. The standard mode, and a FIPS mode. Version-Release number of selected component (if applicable): Wan-Teh saw this problem on RHEL 4, I don't know which version of Firefox he used. However, this bug might be present on a variety of software versions, with Firefox 1.0.7 installed on FC3 I can reproduce the problem, too. Steps to Reproduce: Start Firefox Open Edit / Preferences, open Privacy, Saved Passwords, click Set Master Password. Set a password With the preferences still open, go to Advanced, Certificates, click "manage security devices", in the window that shows up click "enable FIPS". Actual results: Nothing happens when you click the "enable FIPS" button. Expected results: The button changes its text to "Disable FIPS", the button changes to disabled (FYI because you'll have to restart before you can switch it back on), and on the left you should see the text "NSS Internal FIPS PKCS #11 Module". Additional info: Package mozilla-nss include and install file /usr/lib/libsoftokn3.chk alongside libsoftokn3.so.
The fix is to make sure that for everyone copy of libsoftokn3.so, there is a libsoftokn3.chk file in the same directory. We need to find out why the mozilla-nss package doesn't install libsoftokn3.chk in /usr/lib alongside libsoftokn3.so.
The packaging list files do not mention libsoftokn3.chk, that's why it's not being included. The .src.rpm contains a patch file mozilla-nspr-packages.patch, which does list libsoftokn3.so - we should add a .chk line to that patch. Wan-Teh, you have requested to fix this in RHEL 4. Do you agree we should fix it in RHEL 3, too? (RHEL 3 uses Mozilla 1.7.10 - I assume the NSS version included there requires the chk file, too.)
We should fix it in RHEL 3, too, but with a lower priority. (The NSS version in Mozilla 1.7.10 also needs the .chk file.) Depending on the policy for RHEL 3 updates, the priority of this bug may not be high enough to be included in a RHEL 3 update.
RHEL Update Criteria This is a bug fix. As of today, users of RHEL 3 and RHEL 4 are not able to use Mozilla in deployments that require the FIPS security mode (like in US government deployments). The fix is to include one additional file, created during the build process already, in the RPM package. This is simple and risk free.
Proposing inclusion in RHEL 4 U4 and RHEL 3 U8.
I tested that adding a line bin/libsoftokn3.chk next to line bin/libsoftokn3.so in file mozilla/xpinstall/packager/packages-unix by extending patch mozilla-nspr-packages.patch fixes the problem and the resulting RPM contains the missing file.
Created attachment 125034 [details] Patch v1 Chris, this patch could be applied to cvs.devel/dist/mozilla It fixes FC-4, devel, RHEL-4 and RHEL-3, it adds the chk file entry to the existing patch file.
Looking at the firefox rpm file from the RHEL 4 Update 4 release, I believe this bug should be fixed now. $ rpm -qlp firefox-1.5.0.3-0.2.EL4.i386.rpm | grep libsoft /usr/lib/firefox-1.5.0.3/libsoftokn3.chk /usr/lib/firefox-1.5.0.3/libsoftokn3.so Maybe somebody with access to a RHEL 4 machine could verify this is fixed?
Looking at the seamonkey rpm file from the RHEL 3 Update 8 release, I believe this bug should be fixed there as well. $ rpm -qlp seamonkey-nss-1.0.1-0.1.9.EL3.i386.rpm |grep libsoft /usr/lib/libsoftokn3.chk /usr/lib/libsoftokn3.so