Red Hat Bugzilla – Bug 173537
Can not enable FIPS mode, mozilla-nss is missing file libsoftokn3.chk
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
Mozilla Firefox' internal crypto system can operate in two different modes. The
standard mode, and a FIPS mode.
Version-Release number of selected component (if applicable):
Wan-Teh saw this problem on RHEL 4, I don't know which version of Firefox he used.
However, this bug might be present on a variety of software versions, with
Firefox 1.0.7 installed on FC3 I can reproduce the problem, too.
Steps to Reproduce:
Open Edit / Preferences, open Privacy, Saved Passwords, click Set Master Password.
Set a password
With the preferences still open, go to Advanced, Certificates, click "manage
security devices", in the window that shows up click "enable FIPS".
Nothing happens when you click the "enable FIPS" button.
The button changes its text to "Disable FIPS", the button changes to disabled
(FYI because you'll have to restart before you can switch it back on), and on
the left you should see the text "NSS Internal FIPS PKCS #11 Module".
Package mozilla-nss include and install file /usr/lib/libsoftokn3.chk alongside
The fix is to make sure that for everyone copy of
libsoftokn3.so, there is a libsoftokn3.chk file in
the same directory. We need to find out why the
mozilla-nss package doesn't install libsoftokn3.chk
in /usr/lib alongside libsoftokn3.so.
The packaging list files do not mention libsoftokn3.chk, that's why it's not
The .src.rpm contains a patch file mozilla-nspr-packages.patch, which does list
libsoftokn3.so - we should add a .chk line to that patch.
Wan-Teh, you have requested to fix this in RHEL 4.
Do you agree we should fix it in RHEL 3, too?
(RHEL 3 uses Mozilla 1.7.10 - I assume the NSS version included there requires
the chk file, too.)
We should fix it in RHEL 3, too, but with a lower priority.
(The NSS version in Mozilla 1.7.10 also needs the .chk file.)
Depending on the policy for RHEL 3 updates, the priority of
this bug may not be high enough to be included in a RHEL 3
RHEL Update Criteria
This is a bug fix. As of today, users of RHEL 3 and RHEL 4 are not able to use
Mozilla in deployments that require the FIPS security mode (like in US
The fix is to include one additional file, created during the build process
already, in the RPM package. This is simple and risk free.
Proposing inclusion in RHEL 4 U4 and RHEL 3 U8.
I tested that adding a line
next to line
by extending patch
fixes the problem and the resulting RPM contains the missing file.
Created attachment 125034 [details]
Chris, this patch could be applied to cvs.devel/dist/mozilla
It fixes FC-4, devel, RHEL-4 and RHEL-3,
it adds the chk file entry to the existing patch file.
Looking at the firefox rpm file from the RHEL 4 Update 4 release, I believe this
bug should be fixed now.
$ rpm -qlp firefox-18.104.22.168-0.2.EL4.i386.rpm | grep libsoft
Maybe somebody with access to a RHEL 4 machine could verify this is fixed?
Looking at the seamonkey rpm file from the RHEL 3 Update 8 release, I believe
this bug should be fixed there as well.
$ rpm -qlp seamonkey-nss-1.0.1-0.1.9.EL3.i386.rpm |grep libsoft