527659 - Update Mozilla-central to NSS 3.12.6

Status: RESOLVED FIXED

Description

[Kai Engert (:kaie:)]

NSS 3.12.5 will be released soon.

This bug tracks delivery of NSS 3.12.5 to the various Mozilla branches.

Comment 1

[Wan-Teh Chang]

Created attachment 411705 [details] [diff] [review]
Update NSS to NSS_HEAD_20091111 in mozilla-central

Follow the procedure at
https://developer.mozilla.org/en/Updating_NSPR_or_NSS_in_mozilla-central
to update NSS to NSS_HEAD_20091111 in mozilla-central.

NSS_HEAD_20091111 is a snapshot of the NSS trunk today.
It is a NSS 3.12.5 pre-release.

Comment 2

[Kai Engert (:kaie:)]

Comment on attachment 411705 [details] [diff] [review]
Update NSS to NSS_HEAD_20091111 in mozilla-central

r=kaie for delivering the prerelease snapshot to mozilla-central

Comment 3

[Kai Engert (:kaie:)]

I propose we do a TryServer build on trunk, prior to landing. Wan-Teh do you agree? I can start the TryServer build now.

Comment 4

[Kai Engert (:kaie:)]

TryServer build with the attached patch is running

Look at http://tinderbox.mozilla.org/showbuilds.cgi?tree=MozillaTry
and search for string nss3125pre

Comment 5

[Wan-Teh Chang]

Yes, TryServer builds are a good idea.  Thanks!

Comment 6

[Kai Engert (:kaie:)]

Comment on attachment 411705 [details] [diff] [review]
Update NSS to NSS_HEAD_20091111 in mozilla-central

r-
taking back my review, until we've identified the failures

tryserver produced failures on all platforms

for example:
http://tinderbox.mozilla.org/showlog.cgi?log=MozillaTry/1257965729.1257969224.16045.gz

Comment 7

[Wan-Teh Chang]

Kai, thanks for testing the patch.  The patch doesn't include
the new file mozilla/security/nss/lib/util/secload.c.  I used
"hg diff" to generate the patch.  Do you know how to make it
include new files?

Alternatively, you can just follow the instructions at
https://developer.mozilla.org/en/Updating_NSPR_or_NSS_in_mozilla-central
directly and submit NSS_HEAD_20091111 to the TryServer.

Comment 8

[Johnathan Nightingale [:johnath]]

(In reply to comment #7)
> Kai, thanks for testing the patch.  The patch doesn't include
> the new file mozilla/security/nss/lib/util/secload.c.  I used
> "hg diff" to generate the patch.  Do you know how to make it
> include new files?

hg add

should do the trick.

Comment 9

[Wan-Teh Chang]

Created attachment 411802 [details] [diff] [review]
Update NSS to NSS_3_12_5_BETA in mozilla-central

Jonathan: thanks.  That worked.  It turns out many files are
added and removed in NSS 3.12.5.

In this patch, I use the NSS_3_12_5_BETA tag instead.  I didn't
know it exists.

Kai, please try this patch.

Comment 10

[Kai Engert (:kaie:)]

The attached patch is identical to what I get when attachng the python-script procedure.

Unfortunately, I get a local build error:

ssl3con.c: In function 'ssl3_InitCompressionContext':
ssl3con.c:1385: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c:1394: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c: In function 'ssl3_CompressMACEncryptRecord':
ssl3con.c:2036: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c:2038: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'
ssl3con.c: In function 'ssl3_InitCipherSpec':
ssl3con.c:8658: error: 'ssl3CipherSpec' has no member named 'MOZ_Z_compress'

Comment 11

[Kai Engert (:kaie:)]

apparently the #defines from
http://mxr.mozilla.org/mozilla-central/source/modules/zlib/src/mozzconf.h#67
are effective when compiling ssl3con.c

cipherspec member var compress gets renamed because of zlib #defines

maybe you'll need to rename the compress member

Comment 12

[Kai Engert (:kaie:)]

I tried to rename compress to compress_ in sslimpl.h and ssl3con.c

now I get the following additional errors:

/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateInit':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1303: undefined reference to `MOZ_Z_deflateInit_'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_InflateInit':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1316: undefined reference to `MOZ_Z_inflateInit_'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateCompress':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1328: undefined reference to `MOZ_Z_deflate'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateDecompress':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1351: undefined reference to `MOZ_Z_inflate'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyCompressContext':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1362: undefined reference to `MOZ_Z_deflateEnd'
/home/kaie/moz/mocent/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyDecompressContext':
/home/kaie/moz/mocent/mozilla/security/nss/lib/ssl/ssl3con.c:1370: undefined reference to `MOZ_Z_inflateEnd'

Comment 13

[Wan-Teh Chang]

Kai, could you edit ssl3con.c and change
  #include "zlib.h"
to
  #include <zlib.h>
?

Thanks!

Comment 14

[Kai Engert (:kaie:)]

>  change
>   #include "zlib.h"
> to
>   #include <zlib.h>

didn't help, still same error

Comment 15

[Wan-Teh Chang]

Please undo the <zlib.h> change but keep your compress_ changes.

Then, add the following to security/manager/Makefile.in:

  ifeq ($(OS_ARCH),Linux)
  DEFAULT_GMAKE_FLAGS += ZLIB_LIBS =-lmozz
  endif

Comment 16

[Wan-Teh Chang]

Created attachment 411906 [details] [diff] [review]
Disable TLS compression

This patch avoids the build problem caused by Mozilla's
zlib.h on Linux by turning off the TLS compression feature.

Comment 17

[Kai Engert (:kaie:)]

I combined all your proposal, but it still doesn't build.
I still get the errors mentioned in comment 12.

There are additional conflicting/renamed symbols, like deflateInit, inflatInit, deflate, inflate, deflateEnd, inflateEnd

Comment 18

[Kai Engert (:kaie:)]

It appears that neither comment 15 nor comment 16 has an effect in my build environment, don't understand what's wrong.

Comment 19

[Kai Engert (:kaie:)]

Created attachment 411938 [details] [diff] [review]
Incremental fix for Linux, NSS and PSM combined

Success, I made it work, there were two problems with comment 15:
- you had an incorrect space after ZLIB_LIBS
- I placed the fragment at an incorrect position in the makefile

I now have a successful Linux build using this attached patch on top of the nss snapshot.

I'll look at the other platforms next

Comment 20

[Wan-Teh Chang]

Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

Kai, sorry I wasn't clear.  This patch is the newest
proposal.  It is the only change needed for
mozilla/security/manager/Makefile.in (i.e., no need
for -lmozz).  It doesn't require any changes to
NSS_3_12_5_BETA.

We should check in this patch first, before we check
in NSS_3_12_5_BETA.

Comment 21

[Kai Engert (:kaie:)]

Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

No, this patch is not sufficient.

When I build NSS 3.12.5 beta plus this patch, ignoring all other proposals from this bug, I still get errors:

cd ssl; make -j1 libs
In file included from derive.c:45:
sslimpl.h:592: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'
sslimpl.h:738: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'
In file included from derive.c:45:
sslimpl.h:830: error: expected specifier-qualifier-list before 'SSL3CompressionMethod'

Next, I tried to wrap these 3 header declarations into #idef NSS_ENABLE_ZLIB, but with that compilation gives me more errors:

cd ssl; make -j1 libs
ssl3con.c:179: error: 'compression_null' undeclared here (not in a function)
ssl3con.c: In function 'ssl3_HandleServerHello':
ssl3con.c:4682: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:4682: error: 'SSL3CompressionMethod' undeclared (first use in this function)
ssl3con.c:4682: error: (Each undeclared identifier is reported only once
ssl3con.c:4682: error: for each function it appears in.)
ssl3con.c:4682: warning: statement with no effect
ssl3con.c:4682: error: expected ';' before 'temp'
ssl3con.c: In function 'ssl3_HandleClientHello':
ssl3con.c:5849: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:5850: error: 'SSL3CompressionMethod' undeclared (first use in this function)
ssl3con.c:5850: warning: statement with no effect
ssl3con.c:5850: error: expected ';' before 'compressions'
ssl3con.c: In function 'ssl3_HandleV2ClientHello':
ssl3con.c:6189: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:6189: warning: statement with no effect
ssl3con.c: In function 'ssl3_SendServerHello':
ssl3con.c:6305: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:6305: warning: passing argument 2 of 'ssl3_AppendHandshakeNumber' makes integer from pointer without a cast
ssl3con.c:3033: note: expected 'PRInt32' but argument is of type 'const uint8 *'
ssl3con.c: In function 'ssl3_HandleFinished':
ssl3con.c:7814: error: 'struct <anonymous>' has no member named 'compression'
ssl3con.c:7814: error: 'SSL3HandshakeState' has no member named 'compression'
ssl3con.c:7814: warning: statement with no effect

Comment 22

[Kai Engert (:kaie:)]

Sigh, I guess my tree had been in a broken state after the various patching attempts.

I reverted my tree and repeated your proposal, now it works for me. The next step is to attempt another TryServer build with this combination.


(Note that I did a TryServer build today, with my earlier patching attempt. It failed on all the mobile platforms. You might want to have a look at those results, in preparation of a future landing with ssl-zlib enabled.)

Comment 23

[Kai Engert (:kaie:)]

FYI:

My earlier test build (which failed on all mobile platforms) had build identifier
nss3125-fix1

The latest build attempt, which uses Wan-Teh latest proposal (3.12.5 beta plus the small psm patch) is currently building, it has build identifier:
nss3125-fix2

Comment 24

[Wan-Teh Chang]

Kai, sorry to waste you so much time.  I should have told you
that last night I spent several hours at home tweaking the NSS
and PSM makefiles in various ways, and the simple
"Disable TLS compression" patch (attachment 411906 [details] [diff] [review]) is the
solution I decided to use for NSS_3_12_5_BETA.

You need to do a "make clean" in security/manager before you
try a new solution.

The best solution is to modify the Mozilla build system so
that it either builds mozilla/modules/zlib as a shared
library (right now it's libmozz.a) or just uses the system
zlib library.  This requires changes to the NSS build
system similar to the changes required for NSS to use
the libsqlite3.so from Mozilla.  I plan to pursue these
changes later, in NSS 3.12.6.

Comment 25

[Daniel Veditz [:dveditz]]

NSS 3.12.5 turns off renegotiation entirely, which will break pretty much any site that uses client authentication. At the same time this doesn't actually protect clients from the announced attacks, which involved an attacker prepending the attack and the client not realizing it was a _re_negotiation.

3.12.5 is a great idea for servers, but is going to hurt clients worse than it helps.

3.12.6 with implementation of the proposed new protocol is what will help the client.

Comment 26

[Daniel Veditz [:dveditz]]

NSS 3.12.5 also includes new approved roots. If we want these we need to take them as part of a 3.12.4.x update

Comment 27

[Wan-Teh Chang]

Dan: good point.  I forgot about that issue.  We just
need to change PSM to set the new SSL_ENABLE_RENEGOTIATION
option to SSL_RENEGOTIATE_UNRESTRICTED.  Kai or I will
take care of this when we land NSS 3.12.5 Beta in
mozilla-central.

Comment 28

[Daniel Veditz [:dveditz]]

We're far too close to shipping Firefox 3.6 to take a new NSS without a compelling reason (and of course earlier branches are already locked down) that I do not at this point foresee approving 3.12.5 for any of the Mozilla "branches".  Fixing the TLS vulnerability will be a compelling reason to take 3.12.6 on the branches.

Comment 29

[Eddy Nigg (StartCom)]

(In reply to comment #25)
> NSS 3.12.5 turns off renegotiation entirely, which will break pretty much any
> site that uses client authentication. At the same time this doesn't actually
> protect clients from the announced attacks, which involved an attacker
> prepending the attack and the client not realizing it was a _re_negotiation.

That would be really unacceptable. For example we make use of client auth and we asserted that neither our users nor the server(s) are at risk with the current implementation. The way we implemented the applications and client auth, we believe that re-negotiation would not produce the desired effect for an attacker.

Comment 30

[Wan-Teh Chang]

Created attachment 412128 [details] [diff] [review]
Enable renegotiation

This patch re-enables renegotiation to preserve the current
NSS behavior.

There is a lot of value in testing the latest NSS release
in mozilla-central.  Turning off renegotiation by default
is not the only change in NSS 3.12.5.  I'd like to have
the other changes tested in mozilla-central as soon as
possible.  I am not interested in pushing NSS 3.12.5 to
the Mozilla stable release branches.

Comment 31

[Nelson Bolyard (seldom reads bugmail)]

Wan-Teh, now that MoCo has a representative attending most of the weekly 
Thursday NSS conference calls, I think you should attend them too.  
Today's call was mostly about this very subject.  I think you are proposing
a course of action that may not be aligned with Mozilla's interests, as I 
heard them expressed today.  But that's between you and Mozilla.

Comment 32

[Wan-Teh Chang]

Upgrading to NSS 3.12.5 with renegotiation enabled is equivalent
to staying with NSS 3.12.4 with respect to the SSL renegotiation
vulnerability, but it allows us to test the new code in NSS 3.12.5,
such as the new NSS_InitContext "multi-init" functions, on the
Mozilla trunk.

My work on this bug is not about the SSL compression code contributed
by Google.  In fact, I had to turn that off to avoid a build issue.
I just want a new NSS beta to be tested on the Mozilla trunk as
part of release QA certification.  There is no ulterior motive.

I've attached all the necessary patches.  Precious time has gone
by when we could have received Mozilla user feedback of
NSS_3_12_5_BETA and NSS_3_12_5_BETA2.

Comment 33

[Kai Engert (:kaie:)]

I'm fine with Wan-Teh's proposal to test nss 3.12.5 on mozilla-central (development trunk, only. I agree that Wan-Teh's PSM patches seem reasonable to me, if they achieve this goal.

However, I'm currently not deep enough into the renegotiation patch and consequences as the NSS developers.

So, before I r+ this patch and land it into mozilla-central, I'd like to hear a confirmation from one more NSS developer (Nelson or Bob) that doing the mozilla-central - only - testing, is acceptable.

The proposal is to - temporarily - have PSM turn on SSL renegotiation, in order to keep the client behavior of 3.12.4

Wan-Teh's plan, as I understand it, is to undo attachment 412128 [details] [diff] [review] as soon as we land NSS 3.12.6 into mozilla-central.

I believe there is agreement amongst all of us that NSS 3.12.5 must not be delivered to any stable branch.

Comment 34

[Kai Engert (:kaie:)]

Updating bug to care about 3.12.6

We deliberately skipped 3.12.5 for Firefox.

In the very near future 3.12.6 will be released, with the intent to deliver it to Firefox.

Comment 35

[Kai Engert (:kaie:)]

Comment on attachment 412128 [details] [diff] [review]
Enable renegotiation

If I understand correctly, we want Firefox to use

SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN);

SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, PR_FALSE);


I understand this will:
- cause NSS to advertise NSS' support for renego-ext in handshakes (actually ext or SCSV)
- continue to allow us to connect to any server (both old or upgraded) = don't block any connections
- all renegotiation requests will be reject, unless the peer uses the new renego-ext

Comment 36

[Kai Engert (:kaie:)]

Comment on attachment 411906 [details] [diff] [review]
Disable TLS compression

When building the latest snapshot of NSS, I still get the build failures related to zlib and ssl-deflate.

Using this patch I'm able to build OK, therefore:

r=kaie for landing this when upgrading to 3.12.6

Comment 37

[Kai Engert (:kaie:)]

Because the NSS update will break some environments (because of the new defaults regarding to renegotiation) I would like to propose:

Landing this update should go together with PSM changes that give users control over the behavior.

I propose to take all of this:
- patch from bug 540332 (error strings for error page)
- patch from bug 535649 (introduces 4 new prefs for fine grained control)
- patch "disable tls compression" (from this bug)

Comment 38

[Kai Engert (:kaie:)]

The TryServer build failed on Linux and Windows et. al., "undefined reference to sqlite3_prepare_v2". 

Although the symbol NSS 3.12.6 isn't the first version to use that call, so the problem appears to be elsewhere.


On mozilla-central the filename of Mozilla's own copy of the libsqlite3 library has changed. In the past (Firefox 3.6 and earlier) the filename was "sqlite3.so", the same name as used internally in NSS. In mozilla-central the name has changed to "mozsqlite3.so".

The TryServer build succeeded on Mac OSX, probably because there's a systemwide sqlite3 library installed.


If NSS has been using symbol sqlite3_prepare_v2 previously, why aren't current trunk builds failing? Maybe the tinderbox build machines are not clobber builds, but rather depend builds, and still have the old library in their binary output tree (like I did in mine).


How to fix?

The reference to -lsqlite3 is contained in file security/nss/lib/softoken/config.mk

We need a decision logic like:
   #ifndef MOZILLA_CLIENT
     -lsqlite3
   #else
     #if Mozilla version >= 1.9.3
       -lmozsqlite3
     #else
       -lsqlite3
     #endif
   #endif

Comment 39

[Kai Engert (:kaie:)]

Created attachment 425418 [details] [diff] [review]
Fix sqlite link problem, PSM portion, v1

I've filed bug 544450 for the proposed NSS changes and attached a patch.

In addition there is a PSM level patch required, which I'm attaching here.

Comment 40

[Kai Engert (:kaie:)]

The patches I've proposed to fix bug 544450 seem to work, I see success on Windows and Linux, test builds are arriving here:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527659-535649-2nd/

However, there is a build breakage on the mobile Linux platform "maemo":

http://tinderbox.mozilla.org/showlog.cgi?log=MozillaTry/1265360378.1265361760.22461.gz&fulltext=1

rm -f /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a
ar cr /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/adler32.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/compress.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/crc32.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/gzio.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/uncompr.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/deflate.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/trees.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/zutil.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inflate.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/infback.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inftrees.o /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/inffast.o
ranlib /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/libzlib.a
make -j1: *** No rule to make target /scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/example.  Stop.
make[7]: *** [/scratchbox/users/cltbld/home/cltbld/build/objdir/xulrunner/nss/zlib/example] Error 1
make[7]: Leaving directory `/scratchbox/users/cltbld/home/cltbld/build/security/nss/lib/zlib'

Comment 41

[Wan-Teh Chang]

Comment on attachment 425418 [details] [diff] [review]
Fix sqlite link problem, PSM portion, v1

This patch is wrong (or rather, incomplete).  It needs to deal
with Ted's current solution here:

> ifndef MOZ_NATIVE_SQLITE
> DEFAULT_GMAKE_FLAGS += SQLITE=$(call EXPAND_LIBNAME,mozsqlite3)
> endif

Comment 42

[Wan-Teh Chang]

(In reply to comment #40)
I couldn't figure out why "maemo" can't build the zlib test program
"example".  The necessary makefile rules are in
mozilla/security/coreconf/rules.mk.

You can work around it by adding
    DEFAULT_GMAKE_FLAGS += PROGRAMS=
to mozilla/security/manager/Makefile.in.  Please add a comment to
note that this disables building the test programs in
mozilla/security/nss/lib/zlib.

Comment 43

[Kai Engert (:kaie:)]

Wan-Teh, thanks a lot for your proposal for the maemo platform, I'll use it when landing NSS.

I take Wan-Teh's comment 42 as a patch and I give r=kaie for that.

Comment 44

[Kai Engert (:kaie:)]

Also I'll reapply the patch from bug 519550 at the time of landing.

Comment 45

[Kai Engert (:kaie:)]

http://hg.mozilla.org/mozilla-central/rev/b234c7370793

Bug 527659, Update mozilla-central to NSS 3.12.6 (beta)
== NSS portion
== r=rrelyea/wtc for upgrading mozilla-central to cvs tag NSS_3_12_6_BETA1
== This includes reapplying the (merged) patch from bug 519550 on top of NSS.
== PSM portion
== Includes the patch to disable TLS compression, r=kaie
== Include the patch to disable zlib test programs, which don't work on maemo, r=kaie

Comment 46

[Micah Gersten]

(In reply to comment #45)
> http://hg.mozilla.org/mozilla-central/rev/b234c7370793
> 
> Bug 527659, Update mozilla-central to NSS 3.12.6 (beta)
> == NSS portion
> == r=rrelyea/wtc for upgrading mozilla-central to cvs tag NSS_3_12_6_BETA1
> == This includes reapplying the (merged) patch from bug 519550 on top of NSS.
> == PSM portion
> == Includes the patch to disable TLS compression, r=kaie
> == Include the patch to disable zlib test programs, which don't work on maemo,
> r=kaie

Would you be able to update the minimum in configure.in, please, so that those of us using the system NSS can build trunk again? Thanks. :)

Comment 47

[Kai Engert (:kaie:)]

Created attachment 425783 [details] [diff] [review]
patch configure.in to require minimum nss version 3.12.5.99


(In reply to comment #46)
> 
> Would you be able to update the minimum in configure.in, please, so that those
> of us using the system NSS can build trunk again? Thanks. :)


Would you like something like this?

I'm hesitant to use 3.12.6, as that version hasn't been released yet. I propose to use 3.12.5.99, as such is sometimes being used for beta versions.

Comment 48

[Alexander Sack]

yes. i think this would do it. Thanks Kai!

Comment 49

[Wan-Teh Chang]

Comment on attachment 425783 [details] [diff] [review]
patch configure.in to require minimum nss version 3.12.5.99

r=wtc.  Alexander, are you sure this is enough?
Unless your system has a nss 3.12.5.99 package,
your Mozilla build with system NSS will still
fail when compiling code in mozilla/security/manager
that uses the new macros and functions.

Comment 50

[Micah Gersten]

(In reply to comment #49)
> (From update of attachment 425783 [details] [diff] [review])
> r=wtc.  Alexander, are you sure this is enough?
> Unless your system has a nss 3.12.5.99 package,
> your Mozilla build with system NSS will still
> fail when compiling code in mozilla/security/manager
> that uses the new macros and functions.

I bumped our system requirement all the way to 3.12.6, so it will use in source NSS for now.  This will just make it fail during configure for people using system < 3.12.5.99 so that it doesn't get any further.  My comment was in error before in that the configure requirement won't actually fix anything, just warn people there's a problem.

Comment 51

[Kai Engert (:kaie:)]

Wan-Teh:

We have a Release-Candidate Tag and I'm testing to build it locally.
Unfortunately the existing fix to security/manager/Makefile.in no longer helps, with that patch I now (again) get the following build error:

make[6]: Entering directory `/mozilla/security/nss/lib/ssl'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateInit':
/mozilla/security/nss/lib/ssl/ssl3con.c:1306: undefined reference to `MOZ_Z_deflateInit_'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_InflateInit':
/mozilla/security/nss/lib/ssl/ssl3con.c:1319: undefined reference to `MOZ_Z_inflateInit_'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateCompress':
/mozilla/security/nss/lib/ssl/ssl3con.c:1337: undefined reference to `MOZ_Z_deflate'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DeflateDecompress':
/mozilla/security/nss/lib/ssl/ssl3con.c:1366: undefined reference to `MOZ_Z_inflate'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyCompressContext':
/mozilla/security/nss/lib/ssl/ssl3con.c:1378: undefined reference to `MOZ_Z_deflateEnd'
/obj-fire-debug-tests/nss/ssl/ssl3con.o: In function `ssl3_DestroyDecompressContext':
/mozilla/security/nss/lib/ssl/ssl3con.c:1386: undefined reference to `MOZ_Z_inflateEnd'

Comment 52

[Kai Engert (:kaie:)]

I propose I upgrade configure.in to require 3.12.6 at the time I land the 3.12.6 release candidate into mozilla-central.

Comment 53

[Kai Engert (:kaie:)]

After reading the diff between beta1 and rc0 I learned I simply need to use the variable NSS_ENABLE_ZLIB instead, so using 

  DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=

makes it work.

Comment 54

[Kai Engert (:kaie:)]

Created attachment 426561 [details] [diff] [review]
Disable compilation of TLS compression v2 (incremental on top of earlier patches)

Comment 55

[Kai Engert (:kaie:)]

During today's NSS conference call I reveiced
  r=rrelyea
for upgrading mozilla-central (Firefox trunk) to NSS 3.12.6.0 (RC 1)

When I do so, I'll reapply the patch from bug 519550.

Comment 56

[Micah Gersten]

(In reply to comment #52)
> I propose I upgrade configure.in to require 3.12.6 at the time I land the
> 3.12.6 release candidate into mozilla-central.

Sounds good as this seems imminent anyways.  Thanks.

Comment 57

[Kai Engert (:kaie:)]

I've started a tryserv build.
Assuming its success and with wtc's OK on the zlib-disable change, I'd land it in about 12 hours.

Comment 58

[Kai Engert (:kaie:)]

Comment on attachment 426561 [details] [diff] [review]
Disable compilation of TLS compression v2 (incremental on top of earlier patches)

As this variable has obviously changed in NSS, I've included this change in the mozilla-central landing.

NSS_3_12_6_RC0 candidate pushed for testing.

http://hg.mozilla.org/mozilla-central/rev/b384ece4feb1

Comment 59

[Wan-Teh Chang]

Comment on attachment 426561 [details] [diff] [review]
Disable compilation of TLS compression v2 (incremental on top of earlier patches)

r=wtc.  Thanks.

Comment 60

[Serge Gautherie (:sgautherie)]

Created attachment 426846 [details] [diff] [review]
(Iv1) Update comm-central too

Comment 61

[Justin Wood (:Callek)]

Comment on attachment 426846 [details] [diff] [review]
(Iv1) Update comm-central too

We don't require this NSS version for 1.9.2 builds; lets ifdef this for c-c.

Comment 62

[Serge Gautherie (:sgautherie)]

Created attachment 426874 [details] [diff] [review]
(Iv2-CC) Update comm-central too
[Checkin: Comment 63]

Iv1, with comment 61 suggestion(s):
good catch! I thought about it then forgot :-<

Comment 63

[Serge Gautherie (:sgautherie)]

Comment on attachment 426874 [details] [diff] [review]
(Iv2-CC) Update comm-central too
[Checkin: Comment 63]


http://hg.mozilla.org/comm-central/rev/da214c6780f1

Comment 64

[Simon Montagu :smontagu]

Since building after this checkin, hg claims that I have local changes to security/nss/lib/sysinit/nsssysinit, and won't let me do hg qpop or hg qpush.

Comment 65

[Kai Engert (:kaie:)]

(In reply to comment #64)
> Since building after this checkin, hg claims that I have local changes to
> security/nss/lib/sysinit/nsssysinit, and won't let me do hg qpop or hg qpush.

Thanks for your report, I've filed bug 546389.
I expect we'll remove that file from hg.

Comment 66

[Kai Engert (:kaie:)]

Created attachment 430335 [details] [diff] [review]
update to 3.12.6 final


Bob, do you agree to deliver NSS 3.12.6 RTM to Mozilla?

(not a real patch, using this to ask for r+ )

Comment 67

[Kai Engert (:kaie:)]

Created attachment 430340 [details] [diff] [review]
Adding a "patches" directory


This patch will add a new directory
  mozilla/security/patches

The purpose is to collect all patches which are currently being applied locally on top of the currently imported NSS release.

An earlier proposal was to name the directory "nss-patches". I'd personally prefer "patches". This is simply for convenience when typing into the shell, we won't get an ambiguity when typing "nss [TAB]".

Another good argument to name it "patches" (not nss-patches): The patches may apply to multiple directories, nss, coreconf, dbm, and are not restricted to directory "nss".

I've also added a readme.txt file that explains the purpose of the directory.

I've also added the single patch that we're currently applying on top of NSS, from bug 519550.

Comment 68

[Wan-Teh Chang]

Comment on attachment 430335 [details] [diff] [review]
update to 3.12.6 final

r=wtc.  We should update NSS to NSS_3_12_6_RTM in mozilla-central.
Can you update NSPR to NSPR_4_8_4_RTM at the same time?  Thanks.

Comment 69

[Wan-Teh Chang]

Comment on attachment 430340 [details] [diff] [review]
Adding a "patches" directory

Naming the directory "patches" is fine by me.

The README file should be named "README", all capital,
with no file extension.  The README file should list
all the patches in the directory, with a short
description and a link to the bug.  Thanks!

Comment 70

[Kai Engert (:kaie:)]

(In reply to comment #68)
> Can you update NSPR to NSPR_4_8_4_RTM at the same time?  Thanks.

Ok, I will.

What about stable branches 
for Firefox 3.0.x (mozilla-1.9.1)
and Firefox 3.5.x (mozilla-1.9.2) ?

Both are currently using NSPR 4.8.3.
If the update to NSS 3.12.6 requires NSPR 4.8.4, we'll have to request that in bug 545755.

Comment 71

[Kai Engert (:kaie:)]

Created attachment 430429 [details] [diff] [review]
adding directory patches v2

(In reply to comment #69)
> 
> The README file should be named "README", all capital,
> with no file extension.  The README file should list
> all the patches in the directory, with a short
> description and a link to the bug.  Thanks!

like this?

Comment 72

[Wan-Teh Chang]

Comment on attachment 430429 [details] [diff] [review]
adding directory patches v2

r=wtc.  Thanks!

Comment 73

[Kai Engert (:kaie:)]

Pushed NSS_3_12_6_RTM and NSPR_4_8_4_RTM and the patches directory.

http://hg.mozilla.org/mozilla-central/rev/d9f4a1b15192