On some platforms where NSS is part of the OS, and where OS libraries (such as those used by Name Service Switch, the other NSS) use NSS for SSL (e.g. for LDAP over SSL), it is possible that NSS will have been initialized in the Mozilla client process before PSM initializes it. In such cases, NSS will typically have been initialized to use some other directory of DB files than the user's Mozilla profile directory. Since NSS is already initialized, when PSM tries to initialize it, NSS reports that it is initialized, even though it is not using the directories that PSM has asked it to use. (This NSS behavior is by design.) The result is that the Mozilla client is NOT using the user's profile DBs, and the user does not get behavior that he would get if his profile DBs were being used (i.e. his personal certs are gone, and CAs he has trusted are no longer trusted). So, I propose this solution (or perhaps it is a workaround): I propose that, immediately prior to initializing NSS, PSM should check to see if it is already initialized (I believe NSS offers a public function for that purpose) and if so, PSM should shut down NSS before initializing it with the user's profile DB directory.
Shutting down NSS sounds like a good idea. The only downside I can see is that some other component within the process may be actively using NSS when it is shut down (that seems fairly unlikely though).
I like Nelson's proposal. Nelson, on which branches do we need this fix? What are the Mozilla application versions that people would like to see fixed?
The original complaint named both FF2 and FF3.
This idea probably would lead to crashes. :( Imagine some code that uses NSS, and obtains pointers to objects from NSS, objects such as CERTCertificates. If that code continues to run, after NSS is shut down and restarted, the pointers held by that code from before will be stale, and subsequent uses of them will likely crash.
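
Added example, not part of the thread and not NSS or PSM code: a self-contained C model of the check-then-reinitialize proposal in the first comment and the stale-pointer objection in the last one. Every `lib_*` and `app_*` name and both paths are hypothetical, and the model assumes shutdown refuses while objects are still held.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a process-wide library with one global DB directory.
   Hypothetical names throughout; this is not the NSS API. */
enum { LIB_OK = 0, LIB_BUSY = -1, LIB_WRONG_DB = -2 };

static int  g_inited;        /* has any caller initialized the library? */
static char g_dbdir[128];    /* directory chosen by the first caller */
static int  g_live_objects;  /* objects handed out and not yet released */

/* First caller wins: a later init with another directory still reports OK. */
int lib_init(const char *dir) {
    if (!g_inited) {
        snprintf(g_dbdir, sizeof g_dbdir, "%s", dir);
        g_inited = 1;
    }
    return LIB_OK;
}

int lib_is_initialized(void)  { return g_inited; }
const char *lib_dbdir(void)   { return g_dbdir; }
void lib_acquire_object(void) { g_live_objects++; }
void lib_release_object(void) { if (g_live_objects > 0) g_live_objects--; }

/* Model assumption: shutdown refuses while objects are outstanding, so no
   holder is left with a pointer into torn-down state. */
int lib_shutdown(void) {
    if (g_live_objects > 0) return LIB_BUSY;
    g_inited = 0;
    g_dbdir[0] = '\0';
    return LIB_OK;
}

/* The proposal, plus a check of the outcome: re-initialize only if the
   earlier user can be shut down cleanly, then verify the directory in use. */
int app_init_profile(const char *profile_dir) {
    if (lib_is_initialized() && strcmp(lib_dbdir(), profile_dir) != 0
        && lib_shutdown() != LIB_OK) return LIB_BUSY;  /* fail visibly */
    lib_init(profile_dir);
    return strcmp(lib_dbdir(), profile_dir) == 0 ? LIB_OK : LIB_WRONG_DB;
}

int main(void) {
    lib_init("/constructed/os-ldap-db");  /* OS library got there first */
    lib_acquire_object();                 /* and still holds an object */
    printf("%d\n", app_init_profile("/constructed/profile"));
    return 0;
}
```

In the model, the application gets an explicit busy result instead of silently running on the other component's DB directory or invalidating objects that component still holds.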