Firefox Beta version 85 stopped working when I tried to install the PKCS#11 driver for an electronic certificate (token).
(NSS :: Libraries, defect)
(Reporter: gutofullcargo, Unassigned)
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices.
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Steps to reproduce:
I use Mac Big Sur firmware, and when I installed Firefox the browser stopped as soon as I tried to install the PKCS#11 driver.
It should work normally so that the user can access sites that require the token.
2 years ago
Hi, can you please try with the two builds below and let me know if either one (or both) works? To download, click the "B", then under "Artifacts" you can download the installer.
Test 1: https://treeherder.mozilla.org/jobs?repo=try&revision=52d144748d15efe3a83ac3d727a92b53a3c36bad
Test 2: https://treeherder.mozilla.org/jobs?repo=try&revision=7615b9ba23088e75facd9622d8345261010e2420
Note, you'll have to disable security.osclientcerts.autoload in about:config, then restart the browser.
2 years ago
I can reproduce the freeze also with:
84.0.1-candidates/build1 (always at first try)
85. beta3 (always at first try)
Test 1 (much harder)
Test 2 seems to work fine
If I copy NSS3.DLL from the "Test 2" build to any other build, it starts working.
I'm not sure it can be easily reproduced with a USB token instead of a separate smart card + reader, since when you unplug the token you also remove the device that the OS sees as a smart card reader, and this may change the behavior of the underlying PKCS#11 MW a lot.
Since the freeze is caused by a race condition, it depends mainly on the response speed of the device/PKCS#11, and there are cases where this never happens, especially if the PKCS#11 responds really fast.
Using the following procedure 100% reproduces the freeze for me with various PKCS#11 MW:
1) configure PKCS#11 modules (remove osclient lib if present and add MW DLL)
2) restart Fx
3) go to https sites (twitter, fb, corriere.it, repubblica.it and some more)
4) remove card and reload some site
5) insert card and reload some site
6) go to HTTPS client auth site: https://server.cryptomix.com/secure/
7) start over from step 3 until freeze or HTTPS problems
7.1) alternatively restart Firefox and start over
Usually it requires only 1 iteration with many PKCS#11 MW and never more than 5.
Normally it freezes at step 4, about 2~4 seconds after reinserting the card.
2 years ago
This patch reverts the nssSlot_IsTokenPresent changes made in bug 1663661 and
bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an
hg backout because the comment in lib/dev/devt.h is worth keeping.
While removing the nested locking did resolve the hang for some (most?) third-party
modules, problems remain with some slower tokens after an even further relaxation
of the locking, which defeats the purpose of addressing the races in the first place.
The crash addressed by these patches was caused by the Intermediate Preloading
Healer in Firefox, which has been disabled. We clearly have insufficient test
coverage for third-party modules, and now that osclientcerts is enabled in Fx
Nightly, any problems caused by these and similar changes are unlikely to be
reported until Fx Beta, well after NSS RTM. I think the best option at this
point is to simply revert NSS.
2 years ago