Bug 173537 - Can not enable FIPS mode, mozilla-nss is missing file libsoftokn3.chk
Summary: Can not enable FIPS mode, mozilla-nss is missing file libsoftokn3.chk
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: firefox   
(Show other bugs)
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Christopher Aillon
QA Contact:
Keywords: Desktop
Depends On:
TreeView+ depends on / blocked
Reported: 2005-11-18 00:02 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-10 18:46:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch v1 (5.47 KB, patch)
2006-02-22 14:58 UTC, Kai Engert (:kaie) (inactive account)
no flags Details | Diff

Description Kai Engert (:kaie) (inactive account) 2005-11-18 00:02:37 UTC
Description of problem:
Mozilla Firefox' internal crypto system can operate in two different modes. The
standard mode, and a FIPS mode.

Version-Release number of selected component (if applicable):
Wan-Teh saw this problem on RHEL 4, I don't know which version of Firefox he used.
However, this bug might be present on a variety of software versions, with
Firefox 1.0.7 installed on FC3 I can reproduce the problem, too.

Steps to Reproduce:
Start Firefox
Open Edit / Preferences, open Privacy, Saved Passwords, click Set Master Password.
Set a password
With the preferences still open, go to Advanced, Certificates, click "manage
security devices", in the window that shows up click "enable FIPS".

Actual results:
Nothing happens when you click the "enable FIPS" button.

Expected results:
The button changes its text to "Disable FIPS", the button changes to disabled
(FYI because you'll have to restart before you can switch it back on), and on
the left you should see the text "NSS Internal FIPS PKCS #11 Module".

Additional info:
Package mozilla-nss include and install file /usr/lib/libsoftokn3.chk alongside

Comment 1 Wan-Teh Chang 2005-11-18 00:29:48 UTC
The fix is to make sure that for everyone copy of
libsoftokn3.so, there is a libsoftokn3.chk file in
the same directory.  We need to find out why the
mozilla-nss package doesn't install libsoftokn3.chk
in /usr/lib alongside libsoftokn3.so.

Comment 2 Kai Engert (:kaie) (inactive account) 2005-12-27 16:03:41 UTC
The packaging list files do not mention libsoftokn3.chk, that's why it's not
being included.

The .src.rpm contains a patch file mozilla-nspr-packages.patch, which does list
libsoftokn3.so - we should add a .chk line to that patch.

Wan-Teh, you have requested to fix this in RHEL 4.

Do you agree we should fix it in RHEL 3, too?
(RHEL 3 uses Mozilla 1.7.10 - I assume the NSS version included there requires
the chk file, too.)

Comment 3 Wan-Teh Chang 2006-01-04 00:12:26 UTC
We should fix it in RHEL 3, too, but with a lower priority.
(The NSS version in Mozilla 1.7.10 also needs the .chk file.)
Depending on the policy for RHEL 3 updates, the priority of
this bug may not be high enough to be included in a RHEL 3

Comment 4 Kai Engert (:kaie) (inactive account) 2006-02-22 14:46:34 UTC
RHEL Update Criteria

This is a bug fix. As of today, users of RHEL 3 and RHEL 4 are not able to use
Mozilla in deployments that require the FIPS security mode (like in US
government deployments).

The fix is to include one additional file, created during the build process
already, in the RPM package. This is simple and risk free.

Comment 5 Kai Engert (:kaie) (inactive account) 2006-02-22 14:48:51 UTC
Proposing inclusion in RHEL 4 U4 and RHEL 3 U8.

Comment 6 Kai Engert (:kaie) (inactive account) 2006-02-22 14:52:24 UTC
I tested that adding a line
next to line
in file
by extending patch
fixes the problem and the resulting RPM contains the missing file.

Comment 7 Kai Engert (:kaie) (inactive account) 2006-02-22 14:58:15 UTC
Created attachment 125034 [details]
Patch v1

Chris, this patch could be applied to cvs.devel/dist/mozilla
It fixes FC-4, devel, RHEL-4 and RHEL-3,
it adds the chk file entry to the existing patch file.

Comment 11 Kai Engert (:kaie) (inactive account) 2006-08-10 18:46:34 UTC
Looking at the firefox rpm file from the RHEL 4 Update 4 release, I believe this
bug should be fixed now.

$ rpm -qlp firefox- | grep libsoft

Maybe somebody with access to a RHEL 4 machine could verify this is fixed?

Comment 12 Kai Engert (:kaie) (inactive account) 2006-08-10 18:49:27 UTC
Looking at the seamonkey rpm file from the RHEL 3 Update 8 release, I believe
this bug should be fixed there as well.

$ rpm -qlp seamonkey-nss-1.0.1-0.1.9.EL3.i386.rpm |grep libsoft

Note You need to log in before you can comment on or make changes to this bug.