Update Mozilla-central to NSS 3.12.6

RESOLVED FIXED

Status

defect
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

(Depends on 1 bug)

Trunk

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(9 attachments, 4 obsolete attachments)

1.43 MB, patch (kaie: review-)
771 bytes, patch (kaie: review+)
922 bytes, patch (wtc: review-)
760 bytes, patch (wtc: review+)
873 bytes, patch (wtc: review+)
957 bytes, patch (Callek: review+)
51 bytes, patch (wtc: review+)
2.44 KB, patch (wtc: review-)
2.62 KB, patch (wtc: review+)
Assignee

Description

10 years ago
NSS 3.12.5 will be released soon.

This bug tracks delivery of NSS 3.12.5 to the various Mozilla branches.
Assignee

Updated

10 years ago
Blocks: 499716

Comment 1

10 years ago
Follow the procedure at
https://developer.mozilla.org/en/Updating_NSPR_or_NSS_in_mozilla-central
to update NSS to NSS_HEAD_20091111 in mozilla-central.

NSS_HEAD_20091111 is a snapshot of the NSS trunk today.
It is a NSS 3.12.5 pre-release.
Attachment #411705 - Flags: review?(kaie)
Assignee

Updated

10 years ago
Attachment #411705 - Flags: review?(kaie) → review+
Assignee

Comment 2

10 years ago
Comment on attachment 411705 [details] [diff] [review]
Update NSS to NSS_HEAD_20091111 in mozilla-central

r=kaie for delivering the prerelease snapshot to mozilla-central
Assignee

Comment 3

10 years ago
I propose we do a TryServer build on trunk, prior to landing. Wan-Teh, do you agree? I can start the TryServer build now.
Assignee

Comment 4

10 years ago
TryServer build with the attached patch is running

Look at http://tinderbox.mozilla.org/showbuilds.cgi?tree=MozillaTry
and search for string nss3125pre

Comment 5

10 years ago
Yes, TryServer builds are a good idea.  Thanks!
Assignee

Comment 6

10 years ago
Comment on attachment 411705 [details] [diff] [review]
Update NSS to NSS_HEAD_20091111 in mozilla-central

r-
taking back my review, until we've identified the failures

tryserver produced failures on all platforms

for example:
http://tinderbox.mozilla.org/showlog.cgi?log=MozillaTry/1257965729.1257969224.16045.gz
Attachment #411705 - Flags: review+

Comment 7

10 years ago
Kai, thanks for testing the patch.  The patch doesn't include
the new file mozilla/security/nss/lib/util/secload.c.  I used
"hg diff" to generate the patch.  Do you know how to make it
include new files?

Alternatively, you can just follow the instructions at
https://developer.mozilla.org/en/Updating_NSPR_or_NSS_in_mozilla-central
directly and submit NSS_HEAD_20091111 to the TryServer.

Comment 8

10 years ago
(In reply to comment #7)
> Kai, thanks for testing the patch.  The patch doesn't include
> the new file mozilla/security/nss/lib/util/secload.c.  I used
> "hg diff" to generate the patch.  Do you know how to make it
> include new files?

hg add

should do the trick.

Comment 9

10 years ago
Jonathan: thanks.  That worked.  It turns out many files are
added and removed in NSS 3.12.5.

In this patch, I use the NSS_3_12_5_BETA tag instead.  I didn't
know it exists.

Kai, please try this patch.
Attachment #411705 - Attachment is obsolete: true
Attachment #411802 - Flags: review?(kaie)
Assignee

Comment 10

10 years ago
The attached patch is identical to what I get when attaching the python-script procedure.

Unfortunately, I get a local build error:

ssl3con.c: In function 'ssl3_InitCompressionContext':
ssl3con.c:1385: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c:1394: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c: In function 'ssl3_CompressMACEncryptRecord':
ssl3con.c:2036: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c:2038: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c: In function 'ssl3_InitCipherSpec':
ssl3con.c:8658: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
Assignee

Comment 11

10 years ago
apparently the #defines from
http://mxr.mozilla.org/mozilla-central/source/modules/zlib/src/mozzconf.h#67
are effective when compiling ssl3con.c

cipherspec member var compress gets renamed because of zlib #defines

maybe you'll need to rename the compress member
Assignee

Comment 12

10 years ago
I tried to rename compress to compress_ in sslimpl.h and ssl3con.c

now I get the following additional errors:

/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateInit':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1303: undefined reference to `MOZ_Z_deflateInit_'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_InflateInit':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1316: undefined reference to `MOZ_Z_inflateInit_'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateCompress':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1328: undefined reference to `MOZ_Z_deflate'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateDecompress':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1351: undefined reference to `MOZ_Z_inflate'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyCompressContext':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1362: undefined reference to `MOZ_Z_deflateEnd'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyDecompressContext':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1370: undefined reference to `MOZ_Z_inflateEnd'

Comment 13

10 years ago
Kai, could you edit ssl3con.c and change
  #include "zlib.h"
to
  #include <zlib.h>
?

Thanks!
Assignee

Comment 14

10 years ago
>  change
>   #include "zlib.h"
> to
>   #include <zlib.h>

didn't help, still same error

Comment 15

10 years ago
Please undo the <zlib.h> change but keep your compress_ changes.

Then, add the following to security/manager/Makefile.in:

  ifeq ($(OS_ARCH),Linux)
  DEFAULT_GMAKE_FLAGS += ZLIB_LIBS =-lmozz
  endif

Comment 16

10 years ago
This patch avoids the build problem caused by Mozilla's
zlib.h on Linux by turning off the TLS compression feature.
Attachment #411906 - Flags: review?(kaie)
Assignee

Comment 17

10 years ago
I combined all your proposals, but it still doesn't build.
I still get the errors mentioned in comment 12.

There are additional conflicting/renamed symbols, like deflateInit, inflateInit, deflate, inflate, deflateEnd, inflateEnd
Assignee

Comment 18

10 years ago
It appears that neither comment 15 nor comment 16 has an effect in my build environment; I don't understand what's wrong.
Assignee

Comment 19

10 years ago
Success, I made it work, there were two problems with comment 15:
- you had an incorrect space after ZLIB_LIBS
- I placed the fragment at an incorrect position in the makefile

I now have a successful Linux build using this attached patch on top of the nss snapshot.

I'll look at the other platforms next
Attachment #411906 - Attachment is obsolete: true
Attachment #411906 - Flags: review?(kaie)
Assignee

Updated

10 years ago
Attachment #411802 - Flags: review?(kaie) → review-

Comment 20

10 years ago
Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

Kai, sorry I wasn't clear.  This patch is the newest
proposal.  It is the only change needed for
mozilla/security/manager/Makefile.in (i.e., no need
for -lmozz).  It doesn't require any changes to
NSS_3_12_5_BETA.

We should check in this patch first, before we check
in NSS_3_12_5_BETA.
Attachment #411906 - Attachment is obsolete: false
Attachment #411906 - Flags: review?(kaie)
Assignee

Comment 21

10 years ago
Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

No, this patch is not sufficient.

When I build NSS 3.12.5 beta plus this patch, ignoring all other proposals from this bug, I still get errors:

cd ssl; make -j1 libs
In file included from derive.c:45:
sslimpl.h:592: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'
sslimpl.h:738: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'
In file included from derive.c:45:
sslimpl.h:830: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'

Next, I tried to wrap these 3 header declarations into #ifdef NSS_ENABLE_ZLIB, but with that compilation gives me more errors:

cd ssl; make -j1 libs
ssl3con.c:179: error: 'compression_null' undeclared here (not in a function)
ssl3con.c: In function 'ssl3_HandleServerHello':
ssl3con.c:4682: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:4682: error: 'SSL3CompressionMethod' undeclared (first use in this function)
ssl3con.c:4682: error: (Each undeclared identifier is reported only once
ssl3con.c:4682: error: for each function it appears in.)
ssl3con.c:4682: warning: statement with no effect
ssl3con.c:4682: error: expected ';' before 'temp'
ssl3con.c: In function 'ssl3_HandleClientHello':
ssl3con.c:5849: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:5850: error: 'SSL3CompressionMethod' undeclared (first use in this function)
ssl3con.c:5850: warning: statement with no effect
ssl3con.c:5850: error: expected ';' before 'compressions'
ssl3con.c: In function 'ssl3_HandleV2ClientHello':
ssl3con.c:6189: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:6189: warning: statement with no effect
ssl3con.c: In function 'ssl3_SendServerHello':
ssl3con.c:6305: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:6305: warning: passing argument 2 of 'ssl3_AppendHandshakeNumber' makes integer from pointer without a cast
ssl3con.c:3033: note: expected 'PRInt32' but argument is of type 'const uint8 *'
ssl3con.c: In function 'ssl3_HandleFinished':
ssl3con.c:7814: error: 'struct <anonymous>' has no member named 'compression'
ssl3con.c:7814: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:7814: warning: statement with no effect
Attachment #411906 - Flags: review?(kaie) → review-
Assignee

Comment 22

10 years ago
Sigh, I guess my tree had been in a broken state after the various patching attempts.

I reverted my tree and repeated your proposal, now it works for me. The next step is to attempt another TryServer build with this combination.


(Note that I did a TryServer build today, with my earlier patching attempt. It failed on all the mobile platforms. You might want to have a look at those results, in preparation of a future landing with ssl-zlib enabled.)
Assignee

Updated

10 years ago
Attachment #411938 - Attachment is obsolete: true
Assignee

Updated

10 years ago
Attachment #411802 - Flags: review- → review?(kaie)
Assignee

Updated

10 years ago
Attachment #411906 - Flags: review- → review?(kaie)
Assignee

Comment 23

10 years ago
FYI:

My earlier test build (which failed on all mobile platforms) had build identifier
nss3125-fix1

The latest build attempt, which uses Wan-Teh's latest proposal (3.12.5 beta plus the small psm patch), is currently building; it has build identifier:
nss3125-fix2

Comment 24

10 years ago
Kai, sorry to waste so much of your time.  I should have told you
that last night I spent several hours at home tweaking the NSS
and PSM makefiles in various ways, and the simple
"Disable TLS compression" patch (attachment 411906 [details] [diff] [review]) is the
solution I decided to use for NSS_3_12_5_BETA.

You need to do a "make clean" in security/manager before you
try a new solution.

The best solution is to modify the Mozilla build system so
that it either builds mozilla/modules/zlib as a shared
library (right now it's libmozz.a) or just uses the system
zlib library.  This requires changes to the NSS build
system similar to the changes required for NSS to use
the libsqlite3.so from Mozilla.  I plan to pursue these
changes later, in NSS 3.12.6.

Comment 25

10 years ago
NSS 3.12.5 turns off renegotiation entirely, which will break pretty much any site that uses client authentication. At the same time this doesn't actually protect clients from the announced attacks, which involved an attacker prepending the attack and the client not realizing it was a _re_negotiation.

3.12.5 is a great idea for servers, but is going to hurt clients worse than it helps.

3.12.6 with implementation of the proposed new protocol is what will help the client.
Summary: Update Mozilla branches to NSS 3.12.5 → Update Mozilla branches to NSS 3.12.6

Comment 26

10 years ago
NSS 3.12.5 also includes new approved roots. If we want these we need to take them as part of a 3.12.4.x update

Comment 27

10 years ago
Dan: good point.  I forgot about that issue.  We just
need to change PSM to set the new SSL_ENABLE_RENEGOTIATION
option to SSL_RENEGOTIATE_UNRESTRICTED.  Kai or I will
take care of this when we land NSS 3.12.5 Beta in
mozilla-central.
Summary: Update Mozilla branches to NSS 3.12.6 → Update Mozilla branches to NSS 3.12.5

Comment 28

10 years ago
We're far too close to shipping Firefox 3.6 to take a new NSS without a compelling reason (and of course earlier branches are already locked down) that I do not at this point foresee approving 3.12.5 for any of the Mozilla "branches".  Fixing the TLS vulnerability will be a compelling reason to take 3.12.6 on the branches.
Summary: Update Mozilla branches to NSS 3.12.5 → Update Mozilla-central to NSS 3.12.5
Assignee

Updated

10 years ago
No longer blocks: 499716

Comment 29

10 years ago
(In reply to comment #25)
> NSS 3.12.5 turns off renegotiation entirely, which will break pretty much any
> site that uses client authentication. At the same time this doesn't actually
> protect clients from the announced attacks, which involved an attacker
> prepending the attack and the client not realizing it was a _re_negotiation.

That would be really unacceptable. For example we make use of client auth and we asserted that neither our users nor the server(s) are at risk with the current implementation. The way we implemented the applications and client auth, we believe that re-negotiation would not produce the desired effect for an attacker.

Comment 30

10 years ago
Posted patch: Enable renegotiation (obsolete)
This patch re-enables renegotiation to preserve the current
NSS behavior.

There is a lot of value in testing the latest NSS release
in mozilla-central.  Turning off renegotiation by default
is not the only change in NSS 3.12.5.  I'd like to have
the other changes tested in mozilla-central as soon as
possible.  I am not interested in pushing NSS 3.12.5 to
the Mozilla stable release branches.
Attachment #412128 - Flags: review?(kaie)

Comment 31

10 years ago
Wan-Teh, now that MoCo has a representative attending most of the weekly 
Thursday NSS conference calls, I think you should attend them too.  
Today's call was mostly about this very subject.  I think you are proposing
a course of action that may not be aligned with Mozilla's interests, as I 
heard them expressed today.  But that's between you and Mozilla.

Comment 32

10 years ago
Upgrading to NSS 3.12.5 with renegotiation enabled is equivalent
to staying with NSS 3.12.4 with respect to the SSL renegotiation
vulnerability, but it allows us to test the new code in NSS 3.12.5,
such as the new NSS_InitContext "multi-init" functions, on the
Mozilla trunk.

My work on this bug is not about the SSL compression code contributed
by Google.  In fact, I had to turn that off to avoid a build issue.
I just want a new NSS beta to be tested on the Mozilla trunk as
part of release QA certification.  There is no ulterior motive.

I've attached all the necessary patches.  Precious time has gone
by when we could have received Mozilla user feedback of
NSS_3_12_5_BETA and NSS_3_12_5_BETA2.
Assignee

Comment 33

10 years ago
I'm fine with Wan-Teh's proposal to test nss 3.12.5 on mozilla-central (development trunk only). I agree that Wan-Teh's PSM patches seem reasonable to me, if they achieve this goal.

However, I'm currently not deep enough into the renegotiation patch and consequences as the NSS developers.

So, before I r+ this patch and land it into mozilla-central, I'd like to hear a confirmation from one more NSS developer (Nelson or Bob) that doing the mozilla-central - only - testing, is acceptable.

The proposal is to - temporarily - have PSM turn on SSL renegotiation, in order to keep the client behavior of 3.12.4

Wan-Teh's plan, as I understand it, is to undo attachment 412128 [details] [diff] [review] as soon as we land NSS 3.12.6 into mozilla-central.

I believe there is agreement amongst all of us that NSS 3.12.5 must not be delivered to any stable branch.
Assignee

Comment 34

10 years ago
Updating bug to care about 3.12.6

We deliberately skipped 3.12.5 for Firefox.

In the very near future 3.12.6 will be released, with the intent to deliver it to Firefox.
Blocks: 535649
Summary: Update Mozilla-central to NSS 3.12.5 → Update Mozilla-central to NSS 3.12.6
Assignee

Comment 35

10 years ago
Comment on attachment 412128 [details] [diff] [review]
Enable renegotiation

If I understand correctly, we want Firefox to use

SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);

SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, PR_FALSE);


I understand this will:
- cause NSS to advertise NSS' support for renego-ext in handshakes (actually ext or SCSV)
- continue to allow us to connect to any server (both old or upgraded) = don't block any connections
- all renegotiation requests will be rejected, unless the peer uses the new renego-ext
Attachment #412128 - Flags: review?(kaie) → review-
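
The option combination proposed in comment 35, alongside the two other settings argued over in this bug (renegotiation off, as in NSS 3.12.5, and unrestricted, as in 3.12.4), modeled as an added example. This is not NSS or PSM code; the enum, struct and function names are hypothetical, and the handling of a "require safe negotiation" flag set to true is an assumption based on what the option's name and comment 35 imply.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the client-side renegotiation policies discussed in
 * this bug. The names mirror, but are not, NSS's SSL_ENABLE_RENEGOTIATION
 * values. */
typedef enum {
    RENEGO_NEVER,         /* comment 25: renegotiation turned off entirely    */
    RENEGO_UNRESTRICTED,  /* comment 27: keep the pre-3.12.5 client behaviour */
    RENEGO_REQUIRES_XTN   /* comment 35: only if the peer used renego-ext     */
} renego_policy;

typedef struct {
    renego_policy policy;
    bool require_safe_negotiation; /* models SSL_REQUIRE_SAFE_NEGOTIATION */
} client_config;

typedef struct {
    bool connected;
    bool peer_sent_renego_xtn; /* server signalled renego-ext in its hello */
} connection;

typedef struct {
    bool connected;    /* initial handshake completed        */
    bool renegotiated; /* a later renegotiation was accepted */
} outcome;

/* Initial handshake. The client always advertises its own support; the
 * handshake is refused only when the client insists on the extension
 * (assumed meaning of the flag) and the server's hello lacks it. */
static bool initial_handshake(const client_config *cfg, bool server_has_xtn,
                              connection *conn)
{
    conn->peer_sent_renego_xtn = server_has_xtn;
    conn->connected = server_has_xtn || !cfg->require_safe_negotiation;
    return conn->connected;
}

/* A renegotiation request arriving on an established connection. */
static bool renegotiate(const client_config *cfg, const connection *conn)
{
    if (!conn->connected)
        return false;
    switch (cfg->policy) {
    case RENEGO_NEVER:        return false;
    case RENEGO_UNRESTRICTED: return true;
    case RENEGO_REQUIRES_XTN: return conn->peer_sent_renego_xtn;
    }
    return false;
}

/* Run one connection against an old or an upgraded server. */
outcome scenario(renego_policy policy, bool require_safe, bool server_has_xtn)
{
    client_config cfg = { policy, require_safe };
    connection conn = { false, false };
    outcome out = { false, false };

    out.connected = initial_handshake(&cfg, server_has_xtn, &conn);
    out.renegotiated = renegotiate(&cfg, &conn);
    return out;
}

int main(void)
{
    static const char *names[] = { "NEVER", "UNRESTRICTED", "REQUIRES_XTN" };
    int p, safe, xtn;

    printf("%-13s %-12s %-9s %-8s %s\n",
           "policy", "require_safe", "server", "connect", "renegotiate");
    for (p = RENEGO_NEVER; p <= RENEGO_REQUIRES_XTN; p++) {
        for (safe = 0; safe <= 1; safe++) {
            for (xtn = 0; xtn <= 1; xtn++) {
                outcome o = scenario((renego_policy)p, safe != 0, xtn != 0);
                printf("%-13s %-12s %-9s %-8s %s\n", names[p],
                       safe ? "true" : "false",
                       xtn ? "upgraded" : "old",
                       o.connected ? "yes" : "no",
                       o.renegotiated ? "yes" : "no");
            }
        }
    }
    return 0;
}
```

With the comment 35 settings, both old and upgraded servers still connect, but a server that relies on renegotiation for client authentication only works once it has been upgraded to send the extension.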
Assignee

Comment 36

10 years ago
Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

When building the latest snapshot of NSS, I still get the build failures related to zlib and ssl-deflate.

Using this patch I'm able to build OK, therefore:

r=kaie for landing this when upgrading to 3.12.6
Attachment #411906 - Flags: review?(kaie) → review+
Assignee

Updated

10 years ago
Attachment #411802 - Flags: review?(kaie) → review-
Assignee

Updated

10 years ago
Depends on: 537356
Assignee

Updated

10 years ago
Depends on: 540304

Updated

10 years ago
Depends on: 360421

Updated

10 years ago
Depends on: 536485, 535931

Updated

10 years ago
Depends on: 540535

Updated

10 years ago
Depends on: 542538

Updated

10 years ago
No longer depends on: 540535
Assignee

Updated

10 years ago
Attachment #412128 - Attachment is obsolete: true
Assignee

Comment 37

10 years ago
Because the NSS update will break some environments (because of the new defaults regarding renegotiation) I would like to propose:

Landing this update should go together with PSM changes that give users control over the behavior.

I propose to take all of this:
- patch from bug 540332 (error strings for error page)
- patch from bug 535649 (introduces 4 new prefs for fine grained control)
- patch "disable tls compression" (from this bug)
Assignee

Comment 38

10 years ago
The TryServer build failed on Linux and Windows et al., "undefined reference to sqlite3_prepare_v2".

However, NSS 3.12.6 isn't the first version to use that symbol, so the problem appears to be elsewhere.


On mozilla-central the filename of Mozilla's own copy of the libsqlite3 library has changed. In the past (Firefox 3.6 and earlier) the filename was "sqlite3.so", the same name as used internally in NSS. In mozilla-central the name has changed to "mozsqlite3.so".

The TryServer build succeeded on Mac OSX, probably because there's a systemwide sqlite3 library installed.


If NSS has been using symbol sqlite3_prepare_v2 previously, why aren't current trunk builds failing? Maybe the tinderbox build machines are not clobber builds, but rather depend builds, and still have the old library in their binary output tree (like I did in mine).


How to fix?

The reference to -lsqlite3 is contained in file security/nss/lib/softoken/config.mk

We need a decision logic like:
   #ifndef MOZILLA_CLIENT
     -lsqlite3
   #else
     #if Mozilla version >= 1.9.3
       -lmozsqlite3
     #else
       -lsqlite3
     #endif
   #endif
Assignee

Updated

10 years ago
Depends on: 544450
Assignee

Comment 39

10 years ago
I've filed bug 544450 for the proposed NSS changes and attached a patch.

In addition there is a PSM level patch required, which I'm attaching here.
Attachment #425418 - Flags: review?(rrelyea)
Assignee

Comment 40

10 years ago
The patches I've proposed to fix bug 544450 seem to work, I see success on Windows and Linux, test builds are arriving here:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527659-535649-2nd/

However, there is a build breakage on the mobile Linux platform "maemo":

http://tinderbox.mozilla.org/showlog.cgi?log=MozillaTry/1265360378.1265361760.22461.gz&fulltext=1

rm -f /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a
ar cr /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/adler32.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/compress.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/crc32.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/gzio.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/uncompr.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/deflate.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/trees.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/zutil.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inflate.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/infback.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inftrees.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inffast.o
ranlib /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a
make -j1: *** No rule to make target /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/example.  Stop.
make[7]: *** [/scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/example] Error 1
make[7]: Leaving directory `/scratchbox/users/cltbld/home/cltbld/build/security/nss/lib/zlib'

Comment 41

10 years ago
Comment on attachment 425418 [details] [diff] [review]
Fix sqlite link problem, PSM portion, v1

This patch is wrong (or rather, incomplete).  It needs to deal
with Ted's current solution here:

> ifndef MOZ_NATIVE_SQLITE
> DEFAULT_GMAKE_FLAGS += SQLITE=$(call EXPAND_LIBNAME,mozsqlite3)
> endif
Attachment #425418 - Flags: review?(rrelyea) → review-

Comment 42

10 years ago
(In reply to comment #40)
I couldn't figure out why "maemo" can't build the zlib test program
"example".  The necessary makefile rules are in
mozilla/security/coreconf/rules.mk.

You can work around it by adding
    DEFAULT_GMAKE_FLAGS += PROGRAMS=
to mozilla/security/manager/Makefile.in.  Please add a comment to
note that this disables building the test programs in
mozilla/security/nss/lib/zlib.
Assignee

Comment 43

10 years ago
Wan-Teh, thanks a lot for your proposal for the maemo platform, I'll use it when landing NSS.

I take Wan-Teh's comment 42 as a patch and I give r=kaie for that.
Assignee

Comment 44

10 years ago
Also I'll reapply the patch from bug 519550 at the time of landing.
Assignee

Comment 45

10 years ago
http://hg.mozilla.org/mozilla-central/rev/b234c7370793

Bug 527659, Update mozilla-central to NSS 3.12.6 (beta)
== NSS portion
== r=rrelyea/wtc for upgrading mozilla-central to cvs tag NSS_3_12_6_BETA1
== This includes reapplying the (merged) patch from bug 519550 on top of NSS.
== PSM portion
== Includes the patch to disable TLS compression, r=kaie
== Include the patch to disable zlib test programs, which don't work on maemo, r=kaie

Comment 46

10 years ago
(In reply to comment #45)
> http://hg.mozilla.org/mozilla-central/rev/b234c7370793
> 
> Bug 527659, Update mozilla-central to NSS 3.12.6 (beta)
> == NSS portion
> == r=rrelyea/wtc for upgrading mozilla-central to cvs tag NSS_3_12_6_BETA1
> == This includes reapplying the (merged) patch from bug 519550 on top of NSS.
> == PSM portion
> == Includes the patch to disable TLS compression, r=kaie
> == Include the patch to disable zlib test programs, which don't work on maemo,
> r=kaie

Would you be able to update the minimum in configure.in, please, so that those of us using the system NSS can build trunk again? Thanks. :)
Assignee

Updated

10 years ago
Whiteboard: beta landed, waiting for final release
Assignee

Comment 47

10 years ago
(In reply to comment #46)
> 
> Would you be able to update the minimum in configure.in, please, so that those
> of us using the system NSS can build trunk again? Thanks. :)


Would you like something like this?

I'm hesitant to use 3.12.6, as that version hasn't been released yet. I propose to use 3.12.5.99, as such is sometimes being used for beta versions.

Comment 48

10 years ago
yes. i think this would do it. Thanks Kai!
Assignee

Updated

10 years ago
Attachment #425783 - Flags: review?(wtc)

Comment 49

10 years ago
Comment on attachment 425783 [details] [diff] [review]
patch configure.in to require minimum nss version 3.12.5.99

r=wtc.  Alexander, are you sure this is enough?
Unless your system has a nss 3.12.5.99 package,
your Mozilla build with system NSS will still
fail when compiling code in mozilla/security/manager
that uses the new macros and functions.
Attachment #425783 - Flags: review?(wtc) → review+

Comment 50

10 years ago
(In reply to comment #49)
> (From update of attachment 425783 [details] [diff] [review])
> r=wtc.  Alexander, are you sure this is enough?
> Unless your system has a nss 3.12.5.99 package,
> your Mozilla build with system NSS will still
> fail when compiling code in mozilla/security/manager
> that uses the new macros and functions.

I bumped our system requirement all the way to 3.12.6, so it will use in source NSS for now.  This will just make it fail during configure for people using system < 3.12.5.99 so that it doesn't get any further.  My comment was in error before in that the configure requirement won't actually fix anything, just warn people there's a problem.
Assignee

Comment 51

10 years ago
Wan-Teh:

We have a Release-Candidate Tag and I'm testing to build it locally.
Unfortunately the existing fix to security/manager/Makefile.in no longer helps, with that patch I now (again) get the following build error:

make[6]: Entering directory `/mozilla/security/nss/lib/ssl'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateInit':
/mozilla/security/nss/lib/ssl/ssl3con.c:1306: undefined reference to `MOZ_Z_deflateInit_'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_InflateInit':
/mozilla/security/nss/lib/ssl/ssl3con.c:1319: undefined reference to `MOZ_Z_inflateInit_'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateCompress':
/mozilla/security/nss/lib/ssl/ssl3con.c:1337: undefined reference to `MOZ_Z_deflate'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateDecompress':
/mozilla/security/nss/lib/ssl/ssl3con.c:1366: undefined reference to `MOZ_Z_inflate'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyCompressContext':
/mozilla/security/nss/lib/ssl/ssl3con.c:1378: undefined reference to `MOZ_Z_deflateEnd'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyDecompressContext':
/mozilla/security/nss/lib/ssl/ssl3con.c:1386: undefined reference to `MOZ_Z_inflateEnd'
Assignee

Comment 52

10 years ago
I propose I upgrade configure.in to require 3.12.6 at the time I land the 3.12.6 release candidate into mozilla-central.
Assignee

Comment 53

10 years ago
After reading the diff between beta1 and rc0 I learned I simply need to use the variable NSS_ENABLE_ZLIB instead, so using 

  DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=

makes it work.
Assignee

Comment 55

10 years ago
During today's NSS conference call I received
  r=rrelyea
for upgrading mozilla-central (Firefox trunk) to NSS 3.12.6.0 (RC 1)

When I do so, I'll reapply the patch from bug 519550.
Assignee

Updated

10 years ago
Attachment #426561 - Attachment description: Disable compilation of TLS compression v2 → Disable compilation of TLS compression v2 (incremental on top of earlier patches)
Assignee

Updated

10 years ago
Attachment #411906 - Attachment is obsolete: false

Comment 56

10 years ago
(In reply to comment #52)
> I propose I upgrade configure.in to require 3.12.6 at the time I land the
> 3.12.6 release candidate into mozilla-central.

Sounds good as this seems imminent anyways.  Thanks.
Assignee

Comment 57

10 years ago
I've started a tryserv build.
Assuming its success and with wtc's OK on the zlib-disable change, I'd land it in about 12 hours.
Assignee

Comment 58

10 years ago
Comment on attachment 426561 [details] [diff] [review]
Disable compilation of TLS compression v2 (incremental on top of earlier patches)

As this variable has obviously changed in NSS, I've included this change in the mozilla-central landing.

NSS_3_12_6_RC0 candidate pushed for testing.

http://hg.mozilla.org/mozilla-central/rev/b384ece4feb1
Attachment #426561 - Flags: review?(wtc)

Comment 59

10 years ago
Comment on attachment 426561 [details] [diff] [review]
Disable compilation of TLS compression v2 (incremental on top of earlier patches)

r=wtc.  Thanks.
Attachment #426561 - Flags: review+

Comment 60

10 years ago
Posted patch: (Iv1) Update comm-central too (obsolete)
Attachment #426846 - Flags: review?(bugspam.Callek)
Status: NEW → ASSIGNED

Comment 61

10 years ago
Comment on attachment 426846 [details] [diff] [review]
(Iv1) Update comm-central too

We don't require this NSS version for 1.9.2 builds; let's ifdef this for c-c.
Attachment #426846 - Flags: review?(bugspam.Callek) → review-

Comment 62

10 years ago
Iv1, with comment 61 suggestion(s):
good catch! I thought about it then forgot :-<
Attachment #426846 - Attachment is obsolete: true
Attachment #426874 - Flags: review?(bugspam.Callek)
Attachment #426874 - Flags: review?(bugspam.Callek) → review+

Comment 63

10 years ago
Comment on attachment 426874 [details] [diff] [review]
(Iv2-CC) Update comm-central too
[Checkin: Comment 63]


http://hg.mozilla.org/comm-central/rev/da214c6780f1
Attachment #426874 - Attachment description: (Iv2-CC) Update comm-central too → (Iv2-CC) Update comm-central too [Checkin: Comment 63]

Comment 64

10 years ago
Since building after this checkin, hg claims that I have local changes to security/nss/lib/sysinit/nsssysinit, and won't let me do hg qpop or hg qpush.
Assignee

Comment 65

10 years ago
(In reply to comment #64)
> Since building after this checkin, hg claims that I have local changes to
> security/nss/lib/sysinit/nsssysinit, and won't let me do hg qpop or hg qpush.

Thanks for your report, I've filed bug 546389.
I expect we'll remove that file from hg.
Assignee

Updated

10 years ago
Depends on: 546389
Assignee

Updated

10 years ago
Blocks: 545755
Assignee

Updated

10 years ago
Whiteboard: beta landed, waiting for final release → release candidate landed, waiting for final release
Assignee

Comment 66

9 years ago
Bob, do you agree to deliver NSS 3.12.6 RTM to Mozilla?

(not a real patch, using this to ask for r+ )
Attachment #430335 - Flags: review?(rrelyea)
Assignee

Comment 67

9 years ago
This patch will add a new directory
  mozilla/security/patches

The purpose is to collect all patches which are currently being applied locally on top of the currently imported NSS release.

An earlier proposal was to name the directory "nss-patches". I'd personally prefer "patches". This is simply for convenience when typing into the shell, we won't get an ambiguity when typing "nss [TAB]".

Another good argument to name it "patches" (not nss-patches): The patches may apply to multiple directories, nss, coreconf, dbm, and are not restricted to directory "nss".

I've also added a readme.txt file that explains the purpose of the directory.

I've also added the single patch that we're currently applying on top of NSS, from bug 519550.
Attachment #430340 - Flags: review?(wtc)

Comment 68

9 years ago
Comment on attachment 430335 [details] [diff] [review]
update to 3.12.6 final

r=wtc.  We should update NSS to NSS_3_12_6_RTM in mozilla-central.
Can you update NSPR to NSPR_4_8_4_RTM at the same time?  Thanks.
Attachment #430335 - Flags: review+

Comment 69

9 years ago
Comment on attachment 430340 [details] [diff] [review]
Adding a "patches" directory

Naming the directory "patches" is fine by me.

The README file should be named "README", all capital,
with no file extension.  The README file should list
all the patches in the directory, with a short
description and a link to the bug.  Thanks!
Attachment #430340 - Flags: review?(wtc) → review-
Assignee

Comment 70

9 years ago
(In reply to comment #68)
> Can you update NSPR to NSPR_4_8_4_RTM at the same time?  Thanks.

Ok, I will.

What about stable branches 
for Firefox 3.0.x (mozilla-1.9.1)
and Firefox 3.5.x (mozilla-1.9.2) ?

Both are currently using NSPR 4.8.3.
If the update to NSS 3.12.6 requires NSPR 4.8.4, we'll have to request that in bug 545755.
Assignee

Comment 71

9 years ago
(In reply to comment #69)
> 
> The README file should be named "README", all capital,
> with no file extension.  The README file should list
> all the patches in the directory, with a short
> description and a link to the bug.  Thanks!

like this?
Attachment #430429 - Flags: review?(wtc)

Comment 72

9 years ago
Comment on attachment 430429 [details] [diff] [review]
adding directory patches v2

r=wtc.  Thanks!
Attachment #430429 - Flags: review?(wtc) → review+
Assignee

Updated

9 years ago
Attachment #430335 - Flags: review?(rrelyea)
Assignee

Comment 73

9 years ago
Pushed NSS_3_12_6_RTM and NSPR_4_8_4_RTM and the patches directory.

http://hg.mozilla.org/mozilla-central/rev/d9f4a1b15192
Whiteboard: release candidate landed, waiting for final release
Assignee

Updated

9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED