Re: (ITS#6811) Patch - Mozilla NSS - disable pkcs11 fork checking for the software token

rmeggins@redhat.com wrote:
> Full_Name: Rich Megginson
> Version: 2.4.23 (current CVS HEAD)
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-moznss-disable-nofork-20110127.patch
> Submission from: (NULL) (
> There are some applications that acquire a crypto context in the parent process
> and expect that crypto context to work after a fork().  This does not work
> with MozNSS using strict PKCS11 compliance mode.  We set the environment
> variable NSS_STRICT_NOFORK=DISABLED in tlsm_init() to tell the software
> encryption module/token to allow crypto contexts to persist across a fork().
> However, if you are using some other module or encryption device that supports
> and expects full PKCS11 semantics, the only recourse is to modify the
> application to use atfork() handlers to save the crypto context in the parent
> and restore (and SECMOD_RestartModules) the context in the child.

Sounds like this is a follow-on to #6802. Is this really critical at this 
point? We really need to close the window on RE24 patches so we can actually 
cut a release. But if ITS#6802 is actually incomplete, I guess we should roll 
this in.

> These patch files are derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by Red Hat. Red Hat has not assigned rights
> and/or interest in this work to any party. I, Rich Megginson am
> authorized by Red Hat, my employer, to release this work under the
> following terms.
> Red Hat hereby place the following modifications to OpenLDAP Software
> (and only these modifications) into the public domain. Hence, these
> modifications may be freely used and/or redistributed for any purpose
> with or without attribution and/or other notice.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
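
The environment-variable approach described in the quoted submission, as an added example that is not part of the original message and is not OpenLDAP or NSS code. `toy_token` and its functions are hypothetical stand-ins that model a fork check with a PID comparison, and the model assumes the variable is read once at initialisation; only the variable name and value come from the message.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a software token; not NSS code. */
struct toy_token { pid_t owner; int fork_check; };

/* overwrite=0 keeps a value the administrator already exported. */
static int allow_context_across_fork(void) {
    return setenv("NSS_STRICT_NOFORK", "DISABLED", 0);
}

/* Assumption of this model: the variable is read once, at init. */
static void toy_init(struct toy_token *t) {
    const char *v = getenv("NSS_STRICT_NOFORK");
    t->owner = getpid();
    t->fork_check = !(v && strcmp(v, "DISABLED") == 0);
}

/* 0 on success, -1 when a forked child uses a fork-checked token. */
static int toy_use(const struct toy_token *t) {
    return (t->fork_check && getpid() != t->owner) ? -1 : 0;
}

/* Init in the parent, fork, use the inherited context in the child.
 * Returns 0 if the child could use it, 1 if refused, -1 on error. */
static int child_can_use_parent_context(int set_env_first) {
    struct toy_token tok;
    int status;
    pid_t pid;
    unsetenv("NSS_STRICT_NOFORK");            /* reset for the demo */
    if (set_env_first && allow_context_across_fork() != 0) return -1;
    toy_init(&tok);
    if (!set_env_first) allow_context_across_fork();  /* too late */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(toy_use(&tok) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("set before init: %d\n", child_can_use_parent_context(1));
    printf("set after init:  %d\n", child_can_use_parent_context(0));
    return 0;
}
```

The model covers only the software-token path; the atfork() handler route mentioned for other PKCS11 modules is not shown.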