Description of problem: After updating the packages listed below from version 3.12.3-4.fc11, Firefox and Thunderbird's cryptographic features stopped working. Upon opening either app, the following dialog appears: "Alert: Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features." The app comes up after that, but none of the crypto-related features work: SSL, client certs, stored passwords. Just a guess: I use a master password in both programs, which might be why I'm seeing this and others apparently aren't. Version-Release number of selected component (if applicable): nss i586 3.12.3.99.3-2.11.3.fc11 nss x86_64 3.12.3.99.3-2.11.3.fc11 nss-devel x86_64 3.12.3.99.3-2.11.3.fc11 nss-softokn-freebl i586 3.12.3.99.3-2.11.3.fc11 nss-softokn-freebl x86_64 3.12.3.99.3-2.11.3.fc11 nss-tools x86_64 3.12.3.99.3-2.11.3.fc11 How reproducible: Every time. I reverted the updates (and it works again), but if I install the updates again it becomes broken once more.
I can't reproduce your bug. Fedora 11 on x86_64 no nspr/nss for i386/i586 installed, only x86_64 Installed: Firefox 3.5 final, nspr 4.8, nss 3.12.3 Started Firefox, create new profile, set up master password, open https page, works fine yum update nss => 3.12.3.99.3-2.11.3.fc11 start firefox with same profile access https page works fine Can you please check all permissions of your files inside your profile directory?
Could you please use strace -f to see which file it tries to access and fails? Note, this will produce a lot of output. redirect it to a file. At the time the error message is shown, inspect the current end of the file, searching backwards, for attempts to open files and failure.
Do you run FIPS mode? (something that has be enabled manually)
I repeated the test using a fedora 11 live CD on 32 bit hardware, same results, all works for me.
I am running FIPS mode, and it's apparently what triggers this bug. I set up a new account on the same system, and I can reproduce it by setting a master password in Firefox, turning on FIPS mode, and then upgrading the nss libraries. If I try to enable FIPS mode on a new account when the updated libraries are already installed, nothing happens when I click the "Enable FIPS mode" button.
I am experiencing the same problem on multiple 32bit Fedora10 systems.
After reading the whole contents of this ticket, I did the following under 32bit Fedora10: 1) Downgraded nss-* to 3.12.2.0-5.fc10.i386 and nspr-* to 4.7.3-2.fc10.i386 After this downgrade. firefoox seemed to start normally, w/o the damned error message and the previously not-working security functions have started to work again. 2) Disabled FIPS in firefox. Verified that firefox still starts normally with security functions working. 3) yum update 'nss-*' 'nspr-*' After this partial update to the latest nss-* ans nspr-* firefox still starts w/o/any error message. 4) yum update After this full update, firefox starts normally. ****** For sure, I did not try to re-enable FIPS at this point - please feel free to perform this experiment. ****** So, it appears to me that the bug is related to FIPS enabled in firefox. Maybe to reprodue the error, you need to enable FIPS with older nss-* version installed; this is the way my firefox was before the bad nss/nspr upgrade that caused firefox's security modules failed to initialize. ****** Please raise priority of this bug as it renders at least some users with major function (e.g. firefox) unusable.
And the final test, I have tried this afrer backing up my vhole .mozilla directory: With up-to-date 32bit Fedora10, clicking on Enable FIPS does not have any effect and FIPS remains disablet even after firefox restart. [root@lin ~]# rpm -qa|egrep '^(nss|nspr)-'|sort nspr-devel-4.7.4-1.fc10.i386 nspr-4.7.4-1.fc10.i386 nss-devel-3.12.3.99.3-2.10.4.fc10.i386 nss-pkcs11-devel-3.12.3.99.3-2.10.4.fc10.i386 nss-tools-3.12.3.99.3-2.10.4.fc10.i386 nss-3.12.3.99.3-2.10.4.fc10.i386 [root@lin ~]# So, to reproduce the error message (see top of thios ticket) you probably need to: 1) Downgrade nss-* 2) Start firefox, enable FIPS, exit firefox. 3) Start firefox, verify that FIPS is enabled, exit firefox. 4) Upgrade nss-* to the latest verstion. 5) Start firefox and I hope you will see the error message. But probably this is not necessary, IMHO just making Enable FIPS working again with the latest nss-* packages will also fix the above mentoned error message. I believe in that there is now enough information here to allow the bug to be reproduced, identified and fixed. Brgds, Ed
I have the same problem TB 3 b2 and b3 on F11. So I tried to "strace -f" thunderbird... it locked X11 (not 100% CPU problem, music and Disc copy was going normally.) if I let it go after the "FIPS error prompt" ... I managed to get to a normal console and kill the strace and X11 came alive again. 99% of my POP retrieval is over SSL and with the above TB comes up not being able to do much at all. Encrypted master password here too.
I was able to reproduce this problem with nss-3.12.3.99.3-2.11.4.fc11.i586 on Fedora 11. I was able to see the problem using modutil as well by just querying to see whether FIPS was enabled. It told me that I had a bad database. I wanted to use modutil because it would be easer to trace in the debugger. At som point the problem disappeared. It turns out that using the shared database does affect the results. I normally turn on FIPS mode and make Firefox and Thunderbird share database as per instructions in https://wiki.mozilla.org/NSS_Shared_DB_Howto. Here is what I did: 0) downgraded to the previous version of nss sudo yum downgrade nss nss-debuginfo nss-devel nss-softokn-freebl \ nss-tools jss 1) Check the version I now have rpm -qa | grep ^nss | sort nss-3.12.3-4.fc11.i586 nss-debuginfo-3.12.3-4.fc11.i586 nss-devel-3.12.3-4.fc11.i586 nss_ldap-264-2.fc11.i586 nss-mdns-0.10-7.fc11.i586 nss-softokn-freebl-3.12.3-4.fc11.i586 nss-tools-3.12.3-4.fc11.i586 This is the old version that didn't cause problems 2) Make a note of the location of my Firefox directory with the nss db ls -l ~/.mozilla/firefox/{hexnumbera}.default/*.db presence of cert9.db and key4.db tells me I'm using a shared db 3) start firexox, enable FIPS, exit Firefox 4) start firefox, confirm FIPS is enabled, exit Firefox 5) Check using modudutil modutil -chkfips true -dbdir ~/.mozilla/firefox/h5dfmbvv.default/ FIPS mode enabled. 6) Upgrade to latest nss sudo yum upgrade nss nss-debuginfo nss-devel nss-softokn-freebl nss-tools jss 7) Check [emaldona@eliolaptop ~]$ rpm -qa | grep ^nss | sort nss-3.12.3.99.3-2.11.4.fc11.i586 nss-debuginfo-3.12.3.99.3-2.11.4.fc11.i586 nss-devel-3.12.3.99.3-2.11.4.fc11.i586 nss_ldap-264-2.fc11.i586 nss-mdns-0.10-7.fc11.i586 nss-softokn-freebl-3.12.3.99.3-2.11.4.fc11.i586 nss-tools-3.12.3.99.3-2.11.4.fc11.i586 This the latest ----------------------------------------- 8) Launched Firefox No problems 9) Switched to the legacy database by commenting out the line that enables sql from my ~/.bashrc Confirm grep sql ~/.bashrc #export NSS_DEFAULT_DB_TYPE="sql" 10) Logged out out and back in (not sure I need to do that) 11) Launched Firefix the problem appears exit Firefox 12) ed fips mode with modutil modutil -chkfips true -dbdir ~/.mozilla/firefox/{hexnumbers}.default/ Complains that I have a bad database Let's use shared db again 13) Removed the # from the sqll enabling line 14) Removed the cert8.db and key3.db files from my profile directory. These were created when I switched to the legacy db and I don't need them as I stated with a properly configured shared db environment to begin with. 15) Logged out and back in 16) Launched Firefox and got the prompt for my password and no error messages 17) Executing modutil -chkfips true -dbdir ~/.mozilla/firefo/{hexnumbers}.default/ gives me FIPS mode enabled. No error message.
I was able to reproduce this without Firefox or Thunderbird. Using teh legacy db just create an empty database with certutil and try to enable fips on it and it will fail. The reason is it fails is because the legacy database shared library that nss used, libnssdbm3.so, must be signed and it isn't. A fix will be coming soon.
Fix to the nss.spec file checked in and pushed to fedora-updates-testing https://admin.fedoraproject.org/updates/nss-3.12.4-2.fc11
May I expect this to appear also in updates-testing for Fedora10, or should I wait for release in updates for Fedora10? Thanks, Ed
(In reply to comment #13) I submitted nss-3.12.3.99.3-2.10.5.fc10 updates-testing for Fedora10, https://admin.fedoraproject.org/updates/nss-3.12.3.99.3-2.10.5.fc10 The build is at http://koji.fedoraproject.org/koji/buildinfo?buildID=132284
The fix for Fedora 11 is part of the NSS update to 3.12.4. You can check the build at http://koji.fedoraproject.org/koji/buildinfo?buildID=132171 which has been moved into dist-f11-updates-testing.
nss-3.12.4-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9687
nss-3.12.3.99.3-2.10.6.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-9790
Fedora 10 - seems to work and for me it fixes originally reported problem with FIPS in Firefox and Thunderbird. [root@lin tmp]# yum list nss* Reading version lock configuration Installed Packages nss.i386 3.12.3.99.3-2.10.6.fc10 @updates-testing nss-devel.i386 3.12.3.99.3-2.10.6.fc10 @updates-testing nss-pkcs11-devel.i386 3.12.3.99.3-2.10.6.fc10 @updates-testing nss-tools.i386 3.12.3.99.3-2.10.6.fc10 @updates-testing nss_compat_ossl.i386 0.9.5-3.fc10 installed nss_db.i386 2.2-43.fc10 installed nss_ldap.i386 264-1.fc10 installed [root@lin tmp]#
nss-3.12.3.99.3-2.10.6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.