Closed Bug 125561 Opened 23 years ago Closed 22 years ago

Switching profile in turbo mode didn't update certificate

Categories

(Core Graveyard :: Security: UI, defect, P2)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
Windows NT
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.2

People

(Reporter: alam, Assigned: KaiE)

References

Details

(Keywords: relnote, topembed+, Whiteboard: [adt2 RTM] [multi-profile])

Attachments

(1 obsolete file) 

Build: 20020216 commercial trunk.

Step to reproduce:

1. Start mozilla in turbo mode.
2. Double click on the QuickLaunch icon in the system tray.
3. Profile manager dialog pop up. Choose different profile, and launch mozilla
4. Go to Edit|Preference|Privacy & Security|Certificate, and click on "Manage 
Certificates..." button.

Actual: 
The "Your Certificates" and "Other People's" tab still show the certificates 
from the previous user profile

Expected:
The "Your Certificates" and "Other People's" tab should show the certificates 
for the current switch user profile.
Changing component; hope that's the right one.

Conrad, any insights on what's happening here?
Assignee: law → mstoltz
Component: QuickLaunch (AKA turbo mode) → Security: General
Keywords: nsbeta1
QA Contact: gbush → bsharma
Bill: Please send all certificate/SSL bugs to the PSM product.
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → 2.2
Kai
Assignee: ssaux → kaie
Keywords: nsbeta1nsbeta1+
Priority: -- → P2
Target Milestone: --- → 2.2
Keywords: nsbeta1+nsbeta1-
*** Bug 133292 has been marked as a duplicate of this bug. ***
I'd like to see this bug be nsbeta1+. I feel that this is a major bug. 
With turbo on, switching from a profile without personal certs to a profile 
where you expect to send signed/encrypted email fails to send the email.
Keywords: nsenterprise
It would be good, but I'd like to fix all the single profile bugs that affect
s/mime first. Then if we have time we'll look into multi-profile bugs.  Few
people use multiple profiles.  We can relnote it for beta and fix it soon afterward.
Depends on: 133584
This bug apparently is also to blame for the persistence of cert passwords when
I exit and relaunch the browser under Turbo (so says Terry Hayes).  In this
case, it doesn't have to do with multiple profiles.
relnote
Keywords: relnote
Blocks: 108795
removing minus for re-triage.  I understand and agree with the prioritization of
bugs with higher impact, but that is what ADT[1-3] are for. QuickLaunch is one
of the most important MachV features, is enabled by default, and we are still
trying to fix the other multi-profile bugs.  At this point, any bug that we need
to fix for the release should have nsbeta1+, the nsbeta1- bugs should be assumed
to be cut for release, not just beta.  If there is a resource constraint, would
it be possible for use to get this reassigned, or get someone to help on it?
Keywords: nsbeta1-nsbeta1
Peter,

Bob Relyea is working on the underlying NSS bug (bug 133584)
this week.  We intend to track down and fix the NSS bug this
week.  Then, Kai would test the NSS fix and see whether that
alone would fix this bug or more work is needed.
Relnote: If you are using more than one profile, and sending signed and/or 
encrypted email, or visit a web site requiring your personal certificate, you 
should disable the Quick Launch feature.
No, that is unacceptable. We cannot enable by default, then expect users who do
these things to take action based on a release note.  If we are unable to fix
this bug, we will have to consider how to automatically disable QuickLaunch in
the common affected scenarios.  Can we get a plus and ADT2 on this?
A problem that may contribute to this bug is that PSM
is not calling SSL_ClearSessionCache before switching
profiles (bug 137154).
Depends on: 137154
adt2 and nsbeta1+ since that's what required for RTM.
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt2]
I believe that the NSS resources that are still leaking after applying the
patches on bugs 133584 and 137154 are happening because it's possible for the
socket to never be closed before we try to reinitialize NSS.  This can happen
if, for example, the socket remains open for http keepalive.

Darin, I think we need a way to ensure that all outstanding socket connections
are closed before NSS is reinitialized for the new profile.  We shut down NSS on
the PROFILE_BEFORE_CHANGE message, I _think_ this needs to happen before that. 
One place we could do it at is when the SESSION_LOGOUT message arrives (via
nsIObserver).  Any ideas on this?

See bug 104020 and bug 104021 where network shutdown before profile switching
had been implemented, maybe that no longer works correctly?
Conrad suggested to test whether the code to shutdown the network is reached in
nsIOService::Observe, kProfileChangeNetTeardownTopic. It is reached, and the
actions inside SetOffline do succeed.

Are we sure the network teardown is really synchronous?

It appears that the SocketTransportService is not shutting down correctly.  When
Shutdown() is called, mSelectFDSetCount = 1, but mActiveTransportList[0] is
null. So, while I'm pretty sure there is a lingering nsSocketTransport, the
SocketTransportService doesn't know about it for some reason.
Attached patch patch to nsHttpHandler (obsolete) — Splinter Review 
Darin and I discovered that http's keepalive socket list was not being closed
down, thus causing NSS objects associated with the socket to be leaked.  With
this patch applied, plus kaie's patch from bug 137154, and relyea's NSS patch
from bug 133584, I can do basic SSL, switch profiles, and have NSS reinitialize
correctly.
Comment on attachment 79878 [details] [diff] [review]
patch to nsHttpHandler

sr=darin
Attachment #79878 - Flags: superreview+
Yaaay! Thanks for tracking that down.
ccarlen, can you r= this?

this has impact for embedding customers doing profile switching.
Keywords: topembed+
Comment on attachment 79878 [details] [diff] [review]
patch to nsHttpHandler

r=ccarlen
Attachment #79878 - Flags: review+
I've checked in this latest patch on the trunk.  Leaving the bug open, since the
problem will remain until the patch for bug 133584 is checked in.

Note that my patch in bug 129067 contains a fix for a leak I found in PSM.
But there still seem to be leaks in PSM.

File nsCertTree.cpp:
@@ -500,7 +505,7 @@
       _retval.SetCapacity(0);
     return NS_OK;
   }
-  nsCOMPtr<nsIX509Cert> cert = GetCertAtIndex(row);
+  nsCOMPtr<nsIX509Cert> cert = dont_AddRef(GetCertAtIndex(row));
   if (cert == nsnull) return NS_ERROR_FAILURE;
   char *str = NULL;
   PRUnichar *wstr = NULL;

Bob, the current plan is to exit the application, if NSS detects a non-clean
environment.

While you can detect that inside NSS_Shutdown (I think), you don't currently
return a failure code.

However, I see that the NSS init methods are failing after an unclean shutdown.

Bob, do you agree that we should make the exit decision based on the exit status
of NSS init functions?

Bob, actually it were better, if I were to able to explicitly find out at
runtime, whether the re-init is really caused by your decision to reject the
re-initialize.

Currently, we already have some logic in PSM, that will show failure messages to
the user, in case security can not be initialized. Possible reasons include a
read-only profile directory.

Currently, when we detect a failure, we display a general error message about
the failure to initialize security.

But if we want to implement some automatic restart mechanism, that only becomes
active in the scenario of a broken internal state, we need to be able to
differentiate that from other failures.

Could you return a specific return code from the init functions, or are you
already doing so?
Depends on: 139325
Wan-Teh and I have already discussed this. My only issue was the worry about
backward binary compatibility with previous versions of NSS. I don't think
that's a problem, so we can return a error status on shutdown for you.

Error codes on init: I'll have to check to see what NSS error we map
"CK_MODULE_ALREADY_INITIALIZED" to. It's probably too generic, but I don't think
it would be too difficult to add a new NSS error code and have the
MODULE_ALREADY_INITIALIZED error to map to it. You couldn't distiguish which
module was already initialized (for instance you couldn't tell if it was a smart
card or the built-ins token complaining), but the remedy is the same for either
situation.

bob
Depends on: 139349
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Bug 139325 and bug 139349 have been verified to fix this bug as well.
Verified
Status: RESOLVED → VERIFIED
Are we really sure this is fixed?

Are we no longer able to reproduce this bug, regardless how much we use SSL/ SSL
client auth / certificate manager, S/Mime / etc. in a session?
Bug reopened.  I have only verified that switching back and forth between
multiple profiles for secure mail operations now behaves as desired.

This is effectively an umbrella bug.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
This will only be fixed when the dependent NSS patch has landed.  That has not
happened yet, as far as I can tell.
nominating for branch checkin.
Keywords: adt1.0.0
ADT: I'm requesting branch checkin for the patch on this bug.  Note that this
isn't a complete fix for the problem, that will only happen when bug 133584 is
landed.

Comment on attachment 79878 [details] [diff] [review]
patch to nsHttpHandler

a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #79878 - Flags: approval+
The fix may have caused bug 140176.
As a followup to comment #38, I would recommend that this patch not be applied
to the Branch.
To refine my earlier comment, which was rather harsh (I wrote it while in the
middle of two critical application problems at work).

Until someone can backout this patch from the Trunk, and test to see if it does
(or doesn't) cause Bug # 140176, I would suggest that applying this patch to the
Branch would, IMHO, not be a good idea.

The reason I agree that this may be related to Bug # 140176 is mainly due to
comment #19 about "Keep Alive".
Whiteboard: [adt2] → [adt2] [multi-profile]
topembed- per EDT since turbo mode is not an embedding thing.  Please renominate
as topembed if you disagree.
Keywords: topembed+topembed-
Renominating. Turbo mode is not for embedding, but switching profiles is. The
fact that turbo also switches profiles has no bearing on embedding.
Keywords: topembed-topembed+
Let's review this one in the RTM timeframe. adt1.0.0- [adt2 RTM]

Can someone explain why a turbo bug is topembed+?
Keywords: adt1.0.0adt1.0.0-
Whiteboard: [adt2] [multi-profile] → [adt2 RTM] [multi-profile]
> an someone explain why a turbo bug is topembed+?

The bug occurs when switching profiles. Turbo happens to make use of profile
switching but embedding apps switch profiles as well, not having anything to do
with turbo, and would be affected by this.
Huh?  Turbo doesn't switch profiles, and this bug is apparently only a problem
when they are switched while turbo is on, not when turbo is disabled.  
> Huh?  Turbo doesn't switch profiles

Read the original steps to reproduce - step 3 in particular. That's a profile
switch.
Yeah thanks, I think I have a pretty good grasp of what a profile switch is ;-),
but QuickLaunch does not initiate them, nor is there any indication in this bug
that profile switching alone (without QL enabled) causes this problem.  If that
is the case, I'd like to make it explicit so that I can remove this from the
turbo tracking bug.  If it is not the case, I don't understand how this could
ever happen in an embedding situation, since AFAIK neither turbo nor profiles
are part of the embedding interface.
  The only way mozilla ever does runtime profile switching is with QL when the
pref "browser.turbo.singleProfileOnly" is FALSE. There's no other way it's exposed.
  Profiles are part of embedding and runtime switching of them has been a
requirement for most embeddors. QL is not part of embedding. If this can be
reproduced by an embedding app (both MfcEmbed and PPEmbed support runtime
profile switching and PPEmbed uses the prefs UI from mozilla so it'd be pretty
easy to see), then it would clearly be a profile switching bug.
Well, that presents an interesting point.  We only send a session-logout
notification from quicklaunch.  Hence, I'd suspect we would still have a problem
with http not clearing its keepalive socket list with profile-switching from
other embedding apps.  Nor will PSM do its required cleanup that is triggered by
this notification. ccarlen, any thoughts on this?  Is it up to an embedding app
to send this notification when appropriate?
Thanks Conrad, that explanation makes this triage much clearer for me. I'd like
to add that runtime profile switching is a feature we've talked about adding
since at least 4.0 days, well before QL was even needed.  Perhaps when the
current crop of bugs is fixed, we'll be able to add it.
> We only send a session-logout notification from quicklaunch.

Yes, but profile switching via nsIProfile::SetCurrentProfile() sends out
notifications as well. It's not something the embedding app itself has to do. If
you look at the things which observe "session-logout" you'll see that they also
observe profile changes, in particular NSS and the HTTP handler.
SetCurrentProfile() is also what causes the network to be put in an offline
state when we switch.
Ok, so I think there's a potential ordering problem in the case where no
session-logout notification happens.  http closes its idle sockets on
profile-before-change.  NSS is shut down on profile-before-change as well.  I'm
fairly sure that we need the idle sockets to be closed first.
> http closes its idle sockets on profile-before-change

Sure about that? I thought that happened on the "profile-change-net-teardown"
(via nsIOService) which happens before a "profile-before-change" The only thing
I see http doing on a "profile-before-change" is clearing auth credentials.
It's right after that:

    else if (!nsCRT::strcmp(topic, "profile-before-change") ||
             !nsCRT::strcmp(topic, "session-logout")) {
        // clear cache of all authentication credentials.
        if (mAuthCache)
            mAuthCache->ClearAll();

        // kill mIdleConnections - these sockets could be holding onto other
resources
        // that need to be freed.
        {
          nsAutoLock lock(mConnectionLock);
          DropConnections(mIdleConnections);
        }

You're right. I couldn't believe my eyes until I realized - I was looking at the
branch when I said that

I think the kill idle connections part could be done in the
"profile-change-teardown" phase. If clearing the auth cache can be done there as
well, it would be a simple change.
*** Bug 132076 has been marked as a duplicate of this bug. ***
I think it's now clear that the patch in this bug did not cause bug 140176,
which is caused by HTTP pipelining.

Renominating.
Keywords: adt1.0.0-adt1.0.0
I take the nomination back, because 133584 did not yet land on the branch.
Keywords: adt1.0.0
Is the relnote in Comment #11 acceptable? If so please include this bug and the
relnote in Bug 133795.
I'm not sure if this release note is still needed... are we doing a turbo mode
relaunch on exit for 1.0?
No, not for mozilla1.0
Regarding fixing this on the branch, we are blocked by 145836.
Depends on: 145836
Is this fixed on the trunk?
According to Steve Morse, the new turbo mode implementation will not fix this
bug, we still need this patch on the branch.
As a follow up to comment 25, I'm marking this bug fixed, as the required NSS
changes have landed on the trunk (should have been 05/15 as mentioned in bug
133584).
Status: REOPENED → RESOLVED
Closed: 22 years ago22 years ago
Resolution: --- → FIXED
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch.
Blocks: 143047
Keywords: adt1.0.1+, mozilla1.0.1
re-a=chofmann for 1.0.1   add fixed1.0.1 keyword after checking in on the branch
Keywords: mozilla1.0.1mozilla1.0.1+
Comment on attachment 79878 [details] [diff] [review]
patch to nsHttpHandler

I checked this patch in to the branch, marking patch obsolete.
Attachment #79878 - Attachment is obsolete: true
Multiple actions have been taken to fix this bug, as described in this bug and
it its dependent bugs.

In theory, we might still have problems when switching certificates.

But because,
- we currently are not aware of other leaks that might disturb profile switching
- Mozilla now uses a new turbo mode
it's reasonable to mark this bug fixed.

Marking fixed on branch, too.
Keywords: adt1.0.1+, mozilla1.0.1+fixed1.0.1
Should we be marking patches as obsolete when they get checked into the tree?  I 
thought it was just the opposite -- obsolete means that it isn't going to get 
checked into the tree, usually because it was superseded by a better patch that 
is also attached to the bug report. 
Marking verified on branch. I haven't found any problems switching profiles. 
Please open a new bug if a new problem with switching profiles and crypto is 
found.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1verified1.0.1
Product: PSM → Core
Version: psm2.2 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: