Closed Bug 1682863 Opened 10 months ago Closed 9 months ago

Firefox Beta version 85 stop working when I tried to install the PKCS#11 drive for an electronic certificate (tolken).


(NSS :: Libraries, defect)



(Not tracked)



(Reporter: gutofullcargo, Unassigned)



(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Steps to reproduce:

I use Mac Big Sur firmware, and when I installed the firefox the browser stopped as soon as I tried to install the PKCSS#11 drive.

Actual results:

Browser stopped

Expected results:

it should work normally in order to the user acess sites that need to use the tolken to access.

Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: Firefox 85 → other

Hi, can you please try with the two builds below and let me know if either one (or both) works? To download, click the "B", then under "Artifacts" you can download the installer.

Test 1:
Test 2:

Note, you'll have to disable security.osclientcerts.autoload in about:config, then restart the browser.

Flags: needinfo?(gutofullcargo)

I can reproduce the freeze also with:
84.0.1-candidates/build1 (always at first try)
85. beta3 (always at first try)
Test 1 (much harder)

Test 2 looks like to work fine

if I copy NSS3.DLL from "Test 2" build to any other build it starts working

I'm not sure it can be easily reproduced with an USB Token instead of a separate smart card + reader, since when you unplug the token you also remove the device that the OS see as a smart card reader and this may change a lot the behavior of the underlying PKCS#11 MW.
Since the freeze is caused by a race condition, it depends mainly from the response speed of the device/PKCS#11 and there are cases where this never happens, especially if the PKCS#11 responds really fast.

Using following procedure 100% reproduces the freeze for me with various PKCS#11 MW:

1) configure PKCS#11 modules (remove osclient lib if present and add MW DLL)
2) restart Fx
3) go to https sites (twitter, fb,, and some more)
4) remove card and reload some site
5) insert card and reload some site
6) go to HTTPS client auth site:
7) start over from step 3 until freeze or HTTPS problems
  7.1) alternatively restart Firefox and start over

Usually it requires only 1 iteration with many PKCS#11 MW and never more that 5.
Normally it freeze at step 4, about 2~4 seconds after reinsert the card.

This patch reverts the nssSlot_IsTokenPresent changes made in bug 1663661
and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an
actual hg backout because the comment in lib/dev/devt.h is worth keeping.
While removing the nested locking did resolve the hang for some (most?) third-party
modules, problems remain with some slower tokens after an even further relaxation
of the locking, which defeats the purpose of addressing the races in the first place.

The crash addressed by these patches was caused by the Intermediate Preloading
Healer in Firefox, which has been disabled. We clearly have insufficient test
coverage for third-party modules, and now that osclientcerts is enabled in Fx
Nightly, any problems caused by these and similar changes is unlikely to be
reported until Fx Beta, well after NSS RTM. I think the best option at this
point is to simply revert NSS.

Closed: 9 months ago
Flags: needinfo?(gutofullcargo)
Resolution: --- → FIXED
Target Milestone: --- → 3.60
You need to log in before you can comment on or make changes to this bug.