Bug 456189 - seamonkey/nss FIPS mode failure, update prelink and nss
seamonkey/nss FIPS mode failure, update prelink and nss
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: prelink (Show other bugs)
4.7
All Linux
urgent Severity high
: rc
: ---
Assigned To: Kai Engert (:kaie)
desktop-bugs@redhat.com
: ZStream
Depends On:
Blocks: 491661 495936
  Show dependency treegraph
 
Reported: 2008-07-21 22:35 EDT by Ben Levenson
Modified: 2016-09-21 06:26 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 491661 (view as bug list)
Environment:
Last Closed: 2009-05-20 12:04:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for prelink in RHEL 4 (1.35 KB, patch)
2008-09-09 20:19 EDT, Kai Engert (:kaie)
no flags Details | Diff
Patch for nss in RHEL 4 (1.97 KB, patch)
2008-09-09 20:19 EDT, Kai Engert (:kaie)
no flags Details | Diff

  None (edit)
Description Ben Levenson 2008-07-21 22:35:19 EDT
Description of problem:
1- set default browser to seamonkey
2- upgrade seamonkey to 1.0.9-24.el4, (requires nss-3.11.99.5-3.el4)
3- start thunderbird
4- view an email with a https URL
5- click it

Actual results:
This document connot be displayed unless you install the Personal Security
Manager (PSM). Download and install PSM and try again, or contact your system
administrator

Version-Release number of selected component (if applicable):
nspr-4.7.0.99.2-2.el4
nss-3.11.99.5-3.el4
seamonkey-1.0.9-24.el4
seamonkey-chat-1.0.9-24.el4
seamonkey-devel-1.0.9-24.el4
seamonkey-dom-inspector-1.0.9-24.el4
seamonkey-js-debugger-1.0.9-24.el4
seamonkey-mail-1.0.9-24.el4
thunderbird-1.5.0.12-11.el4

Expected results:
https page should load

Additional info:
I can't reproduce this with evo28 & new seamonkey/nss packages
or with thunderbird and old seamonkey/seamonkey-nss packages

Additionally, clicking a URL in thunderbird with ff3 set as the default browser
does not open the link in ff3.
Comment 1 Ben Levenson 2008-07-21 22:36:56 EDT
just in case this isn't clear: the new seamonkey/nss packages work as expected
as long as the URL is not launched from thunderbird.
Comment 2 Matěj Cepl 2008-07-22 18:11:42 EDT
Actually, can reproduce even with seamonkey-1.0.9-20.el4
Comment 3 Kai Engert (:kaie) 2008-07-23 13:46:39 EDT
The last RHEL 4 seamonkey package that used an internal nspr/nss, rather than
our new system package, was version 1.0.9-16.el4

It would be interesting to test the behavior of  versions
  seamonkey-1.0.9-16.el4
and
  seamonkey-1.0.9-17.el4

If 1.0.9-16.el4 works correctly, then this regression was introduced as part of
the migration to nspr/nss system packages.
Comment 4 Kai Engert (:kaie) 2008-07-23 22:25:14 EDT
I can always reproduce this bug, it's not necessary to open the URL from
thunderbird. I simply open any https:// URL in seamonkey and get the error.

I think you had enabled FIPS mode in your browser profile, can you confirm?

I think in the past it was not possible to enable FIPS in RHEL 4 in the browser.
I just tried with old seamonkey-nss-1.0.9-16.el4.i386.rpm (from before our
switch to system nss), and I am unable to switch to FIPS mode, the seamonkey
error console gives me a failure message.

I think the reason why that didn't work in the past, we probably had a bug that
caused us to install .chk files that didn't match the installed .so files.

Now with our newer nss packages we make sure that we install matching files, and
enabling FIPS mode works.

But, unfortunately, we don't have a prelink protection in RHEL 4 :-/
I mean, prelink modifies the .so, the .chk file no longer matches the .so, and
FIPS mode fails.


I think:
- you enabled FIPS mode while the files matches
- cron started prelink
- mismatch and failure


Using our recent seamonkey packages, try to use
  mozilla -ProfileManager
and create a new profile (which has FIPS mode disabled by default).
Then open the https:// link using that profile, and it should work.

Enabling FIPS mode should fail, because we have the mismatch.


You can manually downgrade to the older packages, and then (again) update to our
recent packages. This will temporarily fix your profile that has FIPS enabled.

Run prelink (e.g. manually run /etc/cron.daily/prelink) and it will be broken again.


Unfortunately you can't disable FIPS mode while having mismatching files on your
system, because NSS won't start up in the FIPS mode that's recoded in file secmod.db

A workaround should be: Find your application profile directory
(~/.mozilla/default/...../) and delete file secmod.db - You'll have to
re-install/register any 3rd party crypto modules in that profile (which most
people probably don't do anyway)


Another test you can do to prove my theory (I did this already):
- downgrade to old seamonkey packages including seamonkey-nss
- again install the newer ones
(Now you have matching files, it should take a while until prelink gets started)
- try your original profile (which has FIPS enabled) and now it'll work
- it will be broken again as soon as prelink runs

Comment 5 Kai Engert (:kaie) 2008-07-23 22:31:44 EDT
Now you'll ask, what is the right fix to this problem?

We'd have to do something we already did in RHEL 5, which requires an update to
the "prelink" package, and another update to nss, in order to ensure that we get
updated nss files that will then be protected.

The change to prelink is minimal, at the configuration file level:
We must add 2 lines to file /etc/prelink.conf :
-b /lib{,64}/libfreebl3.so
-b /lib{,64}/libsoftokn3.so

The current version of prelink is: prelink-0.3.3-0.EL4

We must produce a prelink package with an updated version-release number, and
our updated NSS package will have to use this additional statement in the
nss.spec file:

# Only compatible with prelink when using a prelink.conf that has NSS signed
# libraries blacklisted
Conflicts: prelink <= prelink-0.3.3-0.EL4


See also bug 237350 and bug 230546
Comment 6 Kai Engert (:kaie) 2008-07-23 22:47:10 EDT
I can work on this, if you give me the approval flags.
Comment 7 Scott Haines 2008-07-24 13:39:40 EDT
Setting rhel‑4.7.z to '?' as its a critical bug fix.
Comment 8 Kai Engert (:kaie) 2008-07-24 14:19:52 EDT
Changing component to "prelink", as that is where the fix will be added (blacklist).

I'm keeping myself as bug owner, I'm happy to do this change, but I'd like to
wait for an OK from Jakub.
Comment 9 Ben Levenson 2008-07-24 14:37:19 EDT
(In reply to comment #4)
> I can always reproduce this bug, it's not necessary to open the URL from
> thunderbird. I simply open any https:// URL in seamonkey and get the error.

Interesting. I could only reproduce from thunderbird. I'll try again.
Note that my testing was done with a new profile.  I'll try again to confirm.
 
> I think you had enabled FIPS mode in your browser profile, can you confirm?

I did not change any of the default settings.
Comment 10 Kai Engert (:kaie) 2008-07-24 15:05:58 EDT
Raising priority, because affected users are unable to use the browser to
connect to secure web sites.
Comment 11 Kai Engert (:kaie) 2008-07-24 18:14:58 EDT
I had been able to reproduce Ben's problem when enabling FIPS mode.

I was never able to reproduce with FIPS mode disabled (the default).

But Ben told me he did not use FIPS mode.

This means:
- what I have described in the most recent comments might be a different issue
- I do not yet understand what causes the problem that Ben has originally reported.

Ben now gave me access to a test system, and I was able to reproduce it there.
I will have to try harder to reproduce it locally, or will have to debug on the
test system...
Comment 12 Kai Engert (:kaie) 2008-07-24 20:11:48 EDT
The bug I have found and described is separate from what Benl had reported
initially. Let's keep this bug for the new FIPS related issue.

Benl has filed his bug again, bug 456619, and we now understand that problem, too.
Comment 13 Kai Engert (:kaie) 2008-09-09 20:19:16 EDT
Created attachment 316265 [details]
Patch for prelink in RHEL 4
Comment 14 Kai Engert (:kaie) 2008-09-09 20:19:42 EDT
Created attachment 316266 [details]
Patch for nss in RHEL 4
Comment 24 Ludek Smid 2009-05-20 12:04:30 EDT
Fixed as bug #495936.

Note You need to log in before you can comment on or make changes to this bug.