← Back to team overview

openjdk team mailing list archive

  1. openjdk team
  2. Mailing list archive
  3. Message #03819

[Bug 580982] Re: SunPKCS11 provider auto enabled NSS problem

  Thread PreviousDate PreviousThread Next 
This bug also affects me.

I'm also trying to access the Firefox key store from Java and cannot do
that.

I don't see why it's so hard to load NSS by yourself. I think that the
provider should be removed from the java provider security file since it
completely breaks all Java NSS implementations that do not just want
access to the Crypto features of NSS (any FIPS or keystore operations
require NSS to be loaded differently than the nssDbMode = noDb included
in /etc/java-6-openjdk/security/nss.cfg)

Perhaps the config file located (by default) at
/etc/java-6-openjdk/security/nss.cfg could be left there and the line
"security.provider.9=sun.security.pkcs11.SunPKCS11
${java.home}/lib/security/nss.cfg" could be commented out by default.

-- 
SunPKCS11 provider auto enabled NSS problem
https://bugs.launchpad.net/bugs/580982
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in “openjdk-6” package in Ubuntu: New

Bug description:
There is a problem with OpenJDK latest version inside Ubuntu 10.04. The NSS provider is now enabled by default, breaking the applications using the Firefox certificate database, since it is not possible to unload the provider once it is already loaded. Applications using JSS are also broken.

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

Currently we are advising our end user customers to remove OpenJDK and install Sun Java as a workaround.
Alternative is to remove the provider from security.policy, but it is not possible without a root.

The reason for auto enabled NSS patch inside Icedtea was to add support for ECC algorithms (Elliptic curve cryptograph) so unit tests would pass. But it is possible add provider inside code providing such algorithms in rare case you need it. However for Keystore support there is no alternative with nss enabled patch (http://icedtea.classpath.org/hg/icedtea6/file/756cd53fa326/patches/icedtea-nss-config.patch).

References

  Thread PreviousDate PreviousThread Next