openjdk team mailing list archive

[Bug 580982] [NEW] SunPKCS11 provider auto enabled NSS problem

 

Public bug reported:

There is a problem with the latest OpenJDK version in Ubuntu 10.04. The
NSS provider is now enabled by default, breaking the applications using
the Firefox certificate database, since it is not possible to unload the
provider once it is already loaded. Applications using JSS are also
broken.

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

Currently we are advising our end-user customers to remove OpenJDK and install Sun Java as a workaround.
An alternative is to remove the provider from security.policy, but that is not possible without root.

The reason for the auto-enabled NSS patch inside IcedTea was to add support
for ECC algorithms (elliptic curve cryptography) so unit tests would
pass. But it is possible to add a provider inside code providing such
algorithms in the rare case you need it. However, for Keystore support there
is no alternative with the NSS-enabled patch
(http://icedtea.classpath.org/hg/icedtea6/file/756cd53fa326/patches/icedtea-nss-config.patch).

** Affects: openjdk-6 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: jss nss sunpkcs11

-- 
SunPKCS11 provider auto enabled NSS problem
https://bugs.launchpad.net/bugs/580982
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.
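
A way to check whether a JVM has a SunPKCS11 provider registered by default, and which registered providers supply elliptic-curve algorithms, as an added example that is not part of the original bug report or of IcedTea. The class name ProviderAudit and the set of EC service names checked are assumptions chosen for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example: audits the JCA provider list of the running JVM. */
public class ProviderAudit {

    // Service type / algorithm pairs commonly needed for EC support (assumed set).
    private static final String[][] EC_SERVICES = {
        {"KeyPairGenerator", "EC"},
        {"KeyAgreement", "ECDH"},
        {"Signature", "SHA1withECDSA"},
    };

    /** Names of registered providers whose name starts with "SunPKCS11". */
    static List<String> pkcs11Providers() {
        List<String> found = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11")) {
                found.add(p.getName());
            }
        }
        return found;
    }

    /** True if the provider offers the given service type and algorithm. */
    static boolean offers(Provider p, String type, String algorithm) {
        return p.getService(type, algorithm) != null;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            // Position is 1-based, the numbering Security.insertProviderAt uses.
            System.out.printf("%2d  %-20s %s%n", i + 1, p.getName(), p.getInfo());
            for (String[] svc : EC_SERVICES) {
                if (offers(p, svc[0], svc[1])) {
                    System.out.printf("      provides %s.%s%n", svc[0], svc[1]);
                }
            }
        }
        List<String> pkcs11 = pkcs11Providers();
        System.out.println(pkcs11.isEmpty()
            ? "No SunPKCS11 provider is registered in this JVM."
            : "SunPKCS11 providers registered: " + pkcs11);
    }
}
```

Run it with no extra provider code on the classpath so that the output reflects only what the JVM's own configuration registers.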
