Closed
Bug 486716
Opened 16 years ago
Closed 13 years ago
Darwin/X11 - No certs, libnssckbi.dylib fails to load
Categories
(Core :: Security: PSM, defect)
RESOLVED
FIXED
People
(Reporter: jeremyhu, Unassigned)
Details
(Whiteboard: [psm-easy])
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3
Breakpoint 1, 0x01cf8937 in nss_Init (configdir=0x2117dc8 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default", certPrefix=0x1e5da70 "", keyPrefix=0x1e5da70 "", secmodName=0x1e4fed8 "secmod.db", updateDir=0x1e5da70 "", updCertPrefix=0x1e5da70 "", updKeyPrefix=0x1e5da70 "", updateID=0x1e5da70 "", updateName=0x1e5da70 "", readOnly=0, noCertDB=0, noModDB=0, forceOpen=0, noRootInit=0, optimizeSpace=1, noSingleThreadedModules=0, allowAlreadyInitializedModules=0, dontFinalizeModules=0) at nssinit.c:432
432 {
(gdb) n
433 char *moduleSpec = NULL;
(gdb) n
434 char *flags = NULL;
(gdb) n
435 SECStatus rv = SECFailure;
(gdb) n
436 char *lconfigdir = NULL;
(gdb) n
437 char *lcertPrefix = NULL;
(gdb) n
438 char *lkeyPrefix = NULL;
(gdb) n
439 char *lsecmodName = NULL;
(gdb) n
440 char *lupdateDir = NULL;
(gdb) n
441 char *lupdCertPrefix = NULL;
(gdb) c
Continuing.
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Breakpoint 2, 0x01cf8877 in nss_FindExternalRoot (dbpath=0x2117dc8 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default", secmodprefix=0x1e4fed8 "secmod.db") at nssinit.c:372
372 {
(gdb) n
373 char *path = NULL;
(gdb) n
374 char *oldpath = NULL;
(gdb) n
375 PRBool hasrootcerts = PR_FALSE;
(gdb) n
382 nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
(gdb) n
383 if (oldpath) {
(gdb) print oldpath
$1 = 0x0
(gdb) print path
$2 = 0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) n
387 if (path && !hasrootcerts) {
(gdb) n
388 (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
(gdb) s
SECMOD_AddNewModule (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0) at pk11util.c:626
626 return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags,
(gdb) s
SECMOD_AddNewModuleEx (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=0x0, nssparms=0x0) at pk11util.c:572
572 SECStatus result = SECFailure;
(gdb) n
576 PR_SetErrorText(0, NULL);
(gdb) n
578 module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms);
(gdb) s
SECMOD_CreateModule (library=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", moduleName=0x1e4fdac "Root Certs", parameters=0x0, nss=0x0) at pk11pars.c:117
117 SECMODModule *mod = secmod_NewModule();
(gdb) n
120 char *nssc = (char *)nss;
(gdb) n
121 if (mod == NULL) return NULL;
(gdb) n
123 mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
(gdb) n
124 if (library) {
(gdb) n
125 mod->dllName = PORT_ArenaStrdup(mod->arena,library);
(gdb) n
128 if (parameters) {
(gdb) n
131 mod->internal = secmod_argHasFlag("flags","internal",nssc);
(gdb) print mod->dllName
$3 = 0x2b25090 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) n
132 mod->isFIPS = secmod_argHasFlag("flags","FIPS",nssc);
(gdb) n
133 mod->isCritical = secmod_argHasFlag("flags","critical",nssc);
(gdb) n
134 slotParams = secmod_argGetParamValue("slotParams",nssc);
(gdb) n
135 mod->slotInfo = secmod_argParseSlotInfo(mod->arena,slotParams,
(gdb) n
137 if (slotParams) PORT_Free(slotParams);
(gdb)
139 mod->trustOrder = secmod_argReadLong("trustOrder",nssc,
(gdb)
142 mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
(gdb)
145 mod->isModuleDB = secmod_argHasFlag("flags","moduleDB",nssc);
(gdb)
146 mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
(gdb)
147 if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
(gdb)
149 ciphers = secmod_argGetParamValue("ciphers",nssc);
(gdb)
150 secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
(gdb)
151 if (ciphers) PORT_Free(ciphers);
(gdb)
153 secmod_PrivateModuleCount++;
(gdb)
155 return mod;
(gdb)
156 }
(gdb)
SECMOD_AddNewModuleEx (moduleName=0x1e4fdac "Root Certs", dllPath=0x390baf0 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=0x0, nssparms=0x0) at pk11util.c:580
580 if (module == NULL) {
(gdb) n
584 if (module->dllName != NULL) {
(gdb)
585 if (module->dllName[0] != 0) {
(gdb)
586 result = SECMOD_AddModule(module);
(gdb) s
SECMOD_AddModule (newModule=0x2b25010) at pk11util.c:481
481 if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
(gdb) n
487 rv = SECMOD_LoadPKCS11Module(newModule);
(gdb) s
SECMOD_LoadPKCS11Module (mod=0x2b25010) at pk11load.c:263
263 PRLibrary *library = NULL;
(gdb) n
264 CK_C_GetFunctionList entry = NULL;
(gdb)
267 CK_ULONG slotCount = 0;
(gdb)
269 PRBool alreadyLoaded = PR_FALSE;
(gdb)
270 char *disableUnload = NULL;
(gdb)
272 if (mod->loaded) return SECSuccess;
(gdb)
275 if (mod->internal) {
(gdb)
308 if (mod->dllName == NULL) {
(gdb)
319 full_name = PORT_Strdup(mod->dllName);
(gdb)
325 library = PR_LoadLibrary(full_name);
(gdb) print full_name
$4 = 0x390bc20 "/Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib"
(gdb) s
326 mod->library = (void *)library;
(gdb) n
330 PORT_Free(full_name);
(gdb)
333 if (library == NULL) {
(gdb)
334 return SECFailure;
(gdb) print library
$5 = (PRLibrary *) 0x0
(gdb) quit
The program is running. Exit anyway? (y or n) y
Reproducible: Always
The problem is that libnssckbi.dylib is in /opt/local/lib/libnssckbi.dylib . The library being requested is /Users/jeremy/.mozilla/firefox/5a93rjgb.default/libnssckbi.dylib , if I make a symlink from MOZILLA_FIVE_HOME/libnssckbi.dylib to it, it will load. This is because it follows up the failed load with:
(gdb) c
Continuing.
Breakpoint 1, PR_LoadLibrary (name=0x390ce40 "/opt/local/lib/firefox-x11/libnssckbi.dylib") at prlink.c:599
599 {
(gdb) bt
#0 PR_LoadLibrary (name=0x390ce40 "/opt/local/lib/firefox-x11/libnssckbi.dylib") at prlink.c:599
#1 0x01d6dce2 in SECMOD_LoadPKCS11Module (mod=0x2b22210) at pk11load.c:325
#2 0x01d7a83e in SECMOD_LoadModule (modulespec=0x390cf78 "name=\"Builtin Roots Module\" library=\"/opt/local/lib/firefox-x11/libnssckbi.dylib\"", parent=0x0, recurse=0) at pk11pars.c:323
#3 0x01d7a9d5 in SECMOD_LoadUserModule (modulespec=0x390cf78 "name=\"Builtin Roots Module\" library=\"/opt/local/lib/firefox-x11/libnssckbi.dylib\"", parent=0x0, recurse=0) at pk11pars.c:391
but when we do --with-system-nss, we need to look where the system nss is and load those as well
Comment 1•16 years ago
I do not see this when an internal libnssckbi.dylib is used (3.1b3, 10.5/intel/X11)
Reporter
Comment 2•16 years ago
That is correct. That is because the internal libnssckbi.dylib is installed in MOZILLA_FIVE_HOME. The system-nss isn't necessarily there (as I mentioned, we use a symlink to work around this for now).
Comment 3•14 years ago
This is a mass search for bugs which are in the Firefox General component, are
UNCO, have not been changed for 500 days and have an unspecified version.
Reporter, can you please update to Firefox 3.6.10 or later, create a fresh profile, http://support.mozilla.com/en-US/kb/managing+profiles, and test again. If you still see the issue, please update this bug. If the issue is gone, please set the status to RESOLVED > WORKSFORME.
Whiteboard: [CLOSEME 2010-11-01]
Reporter
Comment 4•14 years ago
yeah, still an issue.
Updated•14 years ago
Whiteboard: [CLOSEME 2010-11-01]
Version: unspecified → 3.6 Branch
Comment 5•13 years ago
Confirming on trunk m-c built on 10.7/x86_64
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86 → All
Version: 3.6 Branch → Trunk
Updated•13 years ago
Assignee: nobody → nobody
Component: General → Libraries
Product: Firefox → NSS
QA Contact: general → libraries
Version: Trunk → trunk
Comment 6•13 years ago
Out of curiosity, which software installs NSS in a system location on OSX?
Comment 7•13 years ago
Actually, this might rather be a PSM issue, because PSM has the code to attempt to detect the ckbi library.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Version: trunk → Trunk
Comment 8•13 years ago
What happens if you add the system directory (the one that contains the ckbi library) to LD_LIBRARY_PATH (or its OSX equivalent, I don't know what exactly must be used) prior to starting?
Comment 9•13 years ago
Talked on IRC.
Given that it works, if you add the directory containing the lib to the library search path (DYLD_LIBRARY_PATH), then there is no bug.
Given that we cannot guess where on the system the lib is installed, there must be a hint, and this is it.
Resolving as invalid.
As a final test, you might include multiple directories in that variable (probably separated by colon dir1:dir2:dir3), and see if that works, too.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Reporter
Comment 10•13 years ago
Uhm, no. Setting DYLD_LIBRARY_PATH is bad practice. This location should be configured at runtime, and you can dlopen() the full path or link to it at build time.
Status: RESOLVED → UNCONFIRMED
Ever confirmed: false
Resolution: INVALID → ---
Comment 11•13 years ago
Then please tell me:
How does the executable learn from which directory it must load the other NSS system libraries like libnss3 ?
Comment 12•13 years ago
static const char *NameOfNSSLib = SHLIB_PREFIX"nss3."SHLIB_SUFFIX;
path = PR_GetLibraryFilePathname(NameOfNSSLib,
(PRFuncPtr)&NSS_Init);
This is essentially how softoken finds freebl. (see mozilla/security/nss/lib/freebl/{loader,genload.c})
bob
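The proposal in comment 12 comes down to deriving the root-certs module's full path from the path of the already-loaded libnss3, so the loader is never given a bare name to resolve through a search path. The following is an added example, not code from NSS or PSM: `sibling_library_path` and its return codes are hypothetical names, and the sample anchor path assumes libnss3.dylib is installed next to libnssckbi.dylib.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for sibling_library_path() (hypothetical names). */
enum { SIB_OK = 0, SIB_ANCHOR_NOT_ABSOLUTE = -1, SIB_BAD_NAME = -2, SIB_TOO_LONG = -3 };

/*
 * Build "<directory of anchor_path>/<sibling>" in out.
 * anchor_path: full path of an already-loaded library, e.g. the string that
 *              PR_GetLibraryFilePathname() returns for libnss3 (comment 12).
 * sibling:     bare file name of the library expected in the same directory.
 */
int sibling_library_path(const char *anchor_path, const char *sibling,
                         char *out, size_t outlen)
{
    const char *slash;
    size_t dirlen;
    int n;

    /* A relative anchor would make the result depend on the working directory
     * or on a loader search path such as DYLD_LIBRARY_PATH, so refuse it. */
    if (anchor_path == NULL || anchor_path[0] != '/')
        return SIB_ANCHOR_NOT_ABSOLUTE;
    /* The sibling must be a plain file name with no directory components. */
    if (sibling == NULL || sibling[0] == '\0' || strchr(sibling, '/') != NULL)
        return SIB_BAD_NAME;

    slash = strrchr(anchor_path, '/');          /* non-NULL: path starts with '/' */
    dirlen = (size_t)(slash - anchor_path) + 1; /* keep the trailing '/' */

    n = snprintf(out, outlen, "%.*s%s", (int)dirlen, anchor_path, sibling);
    if (n < 0 || (size_t)n >= outlen)
        return SIB_TOO_LONG;                    /* never load a truncated path */
    return SIB_OK;
}

int main(void)
{
    char path[1024];
    /* Constructed sample input; assumes both libraries share one directory. */
    const char *anchor = "/opt/local/lib/libnss3.dylib";

    if (sibling_library_path(anchor, "libnssckbi.dylib", path, sizeof path) == SIB_OK)
        printf("full path to pass to PR_LoadLibrary(): %s\n", path);
    return 0;
}
```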
Comment 13•13 years ago
Kai: PSM can also just load "libnssckbi.dylib" and rely
on the current dynamic shared library search path.
Jeremy: is /opt/local/lib on the dynamic shared library
search path of MacPorts users?
Reporter
Comment 14•13 years ago
Darwin does not use a shared library search path like Linux. Each library has an id which is its path on the system at run time. At link time, the linker embeds this id in the linked executable. At load time, the loader resolves the link using that path.
dlopen() is expected to take a full path to the library being opened. It is possible to use a search path, but it is highly frowned upon and not configured by default.
Comment 15•13 years ago
I like Bob's proposal from comment 12.
Someone needs to implement it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [psm-easy]
Comment 16•13 years ago
Yes, if libnss3.dylib and libnssckbi.dylib are installed in the
same directory, then I agree Bob's proposal in comment 12 is the
right solution.
Comment 18•13 years ago
This should be fixed by bug 712579.
Status: NEW → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED