Closed Bug 122712 Opened 23 years ago Closed 23 years ago

Additional NSS symbols need to be exported for PSM.

Categories

(NSS :: Libraries, defect, P1)

x86
Linux

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(3 files)

This bug is a derivative of PSM bug 118833. When doing a Mozilla static build with NSS 3.4, Kai found that PSM needs two more symbols from NSS:

    CERT_FindCertExtension
    cert_DecodeGeneralName

I am going to add these two symbols to nss.def for now, but we need to find out whether PSM really needs those two symbols (Javi said the code calling these two functions could be dead code copied from PSM 1), or evaluate whether it is safe to export these two symbols.
Attached patch Temporary workaround (deleted) — Splinter Review
I added those two symbols to nss.def as a temporary workaround. We need to fix this the right way before NSS 3.4 RTM.
Priority: -- → P1
Target Milestone: --- → 3.4
Bob told me both of these functions are okay to export. So I'm going to move these two symbols to the right place in nss.def.
Assignee: relyea → wtc
I will rename cert_DecodeGeneralName to CERT_DecodeGeneralName later. The cert_ prefix makes it look like an internal function.
I can reproduce the undefined reference errors in the non-static Mozilla build by using the -z defs linker option to link libpipnss.so. This confirms that libpipnss.so does reference CERT_FindCertExtension and cert_DecodeGeneralName.

I looked at nsNSSIOLayer.cpp (the PSM file that references these NSS symbols) and found that CERT_MatchesScopeOfUse (the function that references these symbols) is only used by the nsNSS_SSLGetClientAuthData function, but the calls to CERT_MatchesScopeOfUse have been commented out:

    #if 0
        /* XXX This must be re-enabled */
        if (!CERT_MatchesScopeOfUse(node->cert, info->GetHostName,
                                    info->GetHostIP, info->GetHostPort)) {
            node = CERT_LIST_NEXT(node);
            continue;
        }
    #endif
    ...
    #if 0
        /* XXX Fix this */
        if (!CERT_MatchesScopeOfUse(node->cert, conn->hostName,
                                    conn->hostIP, conn->port)) {
            CERTCertListNode* removed = node;
            node = CERT_LIST_NEXT(removed);
            CERT_RemoveCertListNode(removed);
        } else {
            node = CERT_LIST_NEXT(node);
        }
    #endif

Javi, Kai, do you know why these two blocks of code are commented out? Should we simply delete the CERT_MatchesScopeOfUse function? This will avoid the need to export the two NSS symbols from nss.def.
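The -z defs check described in the comment above, as an added example that is not part of the original bug report or of the NSS/PSM build. It links a constructed one-function library with and without the option; libdemo.c, demo_entry and missing_symbol are made-up names, and it assumes a Linux toolchain where cc drives GNU ld or a compatible linker.

```shell
#!/bin/sh
# Added example: what -z defs changes when linking a shared library.
# libdemo.c, demo_entry and missing_symbol are constructed names,
# not NSS or PSM code.

# link_demo [extra flags...]: build a shared library whose only function
# calls a symbol that no object or library defines. Returns the exit
# status of the compiler driver and prints the linker's complaint, if any.
link_demo() {
    workdir=$(mktemp -d) || return 2
    cat > "$workdir/libdemo.c" <<'EOF'
extern int missing_symbol(int);   /* declared, never defined anywhere */
int demo_entry(int x) { return missing_symbol(x) + 1; }
EOF
    cc -shared -fPIC "$@" -o "$workdir/libdemo.so" "$workdir/libdemo.c" \
        2> "$workdir/link.log"
    status=$?
    if [ "$status" -ne 0 ]; then
        # Show which symbol the linker could not resolve.
        grep -i 'undefined' "$workdir/link.log" || true
    fi
    rm -rf "$workdir"
    return "$status"
}

# undefined_refs_hidden: returns 0 when the default link accepts the
# library but the -z defs link rejects it, meaning the default build
# was hiding an unresolved reference until load time.
undefined_refs_hidden() {
    link_demo >/dev/null || return 1
    if link_demo -Wl,-z,defs >/dev/null; then
        return 1
    fi
    return 0
}

if undefined_refs_hidden; then
    echo "default link hid an undefined reference; -z defs exposed it:"
    link_demo -Wl,-z,defs
fi
```

Without the option, the unresolved reference only surfaces when the library is loaded or the function is first called, which is why the missing exports went unnoticed in the non-static build.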
I thought CERT_MatchesScopeOfUse was a function written by sjlee for PSM 1.x that never got placed in NSS. If it's still commented out, that's because we haven't been requested to add that feature back in. IIRC, that function was used to narrow down a list of possible certs to use during client authentication based on an extension found in the certificate of the server.
Perhaps we should move CERT_MatchesScopeOfUse and its support functions (which all have the CERT_ or cert_ prefix) to NSS?
I renamed cert_DecodeGeneralName to CERT_DecodeGeneralName. The cert_ prefix suggests an internal function.
All patches have been checked in and the NSS_CLIENT_TAG has been updated to include the fixes. Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED