Closed Bug 125557 Opened 20 years ago Closed 19 years ago

NSS3.4 causes PSM to not see multiple user certs


(NSS :: Libraries, defect, P1)


(Not tracked)



(Reporter: jmccabe, Assigned: rrelyea)



(1 file)

Since the migration to the NSS3.4 beta PSM has been unable to see/use more than
the first personal cert in the database.

Please see me for private test case.
Ever confirmed: true
This fix does a couple of things:

the original code would place the object handles on the list before we search
them, then try to iterate over the list afterwards. The problem was the
iteration was only for the residual count of the last operation. We would then
send the first 16 afterwards. The sort of convoluted logic was an attempt to
not allocate an arena for small lists (up to 16 entries).

The new code places only the complete buffers on the object list, and drops the
residual buffer through the bottom. NOTE: the first buffer is on the stack, not
in the arena. This is OK because we will free the arena before we leave the
scope of this function.

Also, the new code uses the standard n*2 growth for each overflow, meaning for
large lists you will still only make order of log2 n calls instead of n/16
calls to collect on the object IDs.
Adding Wan-Teh (note the patch).
Tested with 20020219 nightly. Works like a champ. Marking Resolved, Fixed.

Bob Rocks.
Closed: 20 years ago
Resolution: --- → FIXED
Also marking Verified due to the "exclusive" nature of the test case.

QA - Please see me if more detail is needed.
D'oh! Must reopen bug.

If the Manage Certs window is opened then everything works as expected. If the
window is not opened before accessing a site that requires client auth then only
invalid certs are found/presented.

I can demonstrate once Bob returns.
Resolution: FIXED → ---
Is this still an issue?
Priority: -- → P1
Target Milestone: --- → 2.2
Yes. And very badly so. Feel free to visit me in Bldg 23 for a demonstration.
Joe, can you please give more info about what you see and how to reproduce?

I just tried with a new profile, imported my current and 2 older company certs,
restarted the browser, and accessed aka. I correctly was shown all my certs in
the client auth dialog.

Could you please try, too, with a fresh profile? In that case your problem may
be caused by a corrupted NSS database? Just a guess.

The issue has changed behavior since Bob's fix. The current behavior is:

1) Client-Auth fails to use current certificate (sees only expired certs in
database) until Edit | Preferences | Certificates | Mange Certs window is opened
and then closed.

2) Unable to sign SMIME messages at all
change target to NSS until I can determine with Joe what is really happening.
Component: Client Library → Libraries
Product: PSM → NSS
Target Milestone: 2.2 → 3.4.1
Version: unspecified → 3.4
Here's a theory worth investigating:
Joe's older certs are issued by a differnet CA cert than the certs you can get
now from  However, I think that the nicknames for the
CA certs are the same, and it may be significant.
Note that the CA cert are not even issued by the same root.
Exporting all certs/keys, creating a new key3 and cert7 database, and importing
the p12 file make the badness go away for the browser. I am still unable to sign
(or verify signed) messages though.
Moved to NSS 3.5.
Target Milestone: 3.4.1 → 3.5
Certificate renewal made the badness with signing go away.
OK, I suspect there was some nastiness in the db files that were repaired by the
cert renewal. I'm targetting this for 3.6, since I still want to know what's
going on (and prehaps repair things without going through a cert renewal process.

Target Milestone: 3.5 → 3.6
Since the problem has gone away, and NSS 3.6 is self-repairing, I'm going to
close this was WFM
Closed: 20 years ago19 years ago
Resolution: --- → WORKSFORME
Another user (fkeeney) is having the signing problem with a fresh cert. The
problem appears to be living on (though not for me).
QA Contact: junruh → bishakhabanerjee
You need to log in before you can comment on or make changes to this bug.