Hide Forgot
Currently, the only way to handle context reuse after fork() in applications is to set the NSS_STRICT_NOFORK=DISABLED environment variable. It would be useful to have an alternative method, possibly as a system wide setting, so that this behavior can be set as default without depending on environment variables, which could be wiped out easily (for example using execve in an ancestor process) Having a system wide setting, that causes nss to log something when the contexts not reinitialized after a fork() would help to identify misbehaving applications/libraries without having them break in the common case where a hardware token is not being used, allowing for a smoother transition.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
What is the actual use-case of this? As far as I understand it this is to enforce C_Initialize() after fork() as suggested in the PKCS #11 standard. If this is causing problem, that means the caller (NSS) is not behaving courteously.
This is a very old bug, I think uses that were affected has been discontinued, so I am going to close this bug at this point.
There is also a way of handling things after a fork. If you set an @fork handler and call: SECMOD_RestartModules(PR_FALSE); This does a C_Shutdown and C_Initialize on all the modules that 'need' restarting (NSS tries calling C_GetSlotList to see if the module needs restarting). It's safe to call multiple times and only does a restart if the module needs restarting. If the module does need restarting, all the key and cert handles are invalidated. Anyway PKCS #11 3.0 has an optional fork safe interface which we can start using once it's approved.