with a build from 20100411 head/1.8-branch I only see these hangs if security.provider.9 in java.security is uncommented. a simpler applet showing the same behaviour: http://www.gurusheaven.de/security/anonymitaets_test.shtml visiting the page with security.provider.9 commented: Looking for 0xb5f9a90c 0xb3f3cfb0 0xb5fb6bdc (document) java version "1.6.0_18" OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu4~ppa1) OpenJDK Server VM (build 16.0-b13, mixed mode) java.lang.InterruptedException: sleep interrupted at java.lang.Thread.sleep(Native Method) at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:674) at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649) at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270) at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82) java.lang.InterruptedException: sleep interrupted at java.lang.Thread.sleep(Native Method) at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:629) at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270) at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82) java.lang.InterruptedException: sleep interrupted at java.lang.Thread.sleep(Native Method) at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:735) at sun.applet.PluginAppletViewer.handleMessage(PluginAppletViewer.java:649) at sun.applet.PluginStreamHandler.handleMessage(PluginStreamHandler.java:270) at sun.applet.PluginMessageHandlerWorker.run(PluginMessageHandlerWorker.java:82) visiting the page with security.provider.9 uncommented: Looking for 0xb4178f4c 0xb3a58b20 0xb59fdbcc (document) java version "1.6.0_18" OpenJDK Runtime Environment (IcedTea6 1.8) (6b18~pre4-1ubuntu4~ppa1) OpenJDK Server VM (build 16.0-b13, mixed mode) java.security.ProviderException: Could not initialize NSS at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:201) at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:532) at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262) at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244) at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224) at sun.security.jca.ProviderList.getProvider(ProviderList.java:232) at sun.security.jca.ProviderList.getService(ProviderList.java:330) at sun.security.jca.GetInstance.getInstance(GetInstance.java:157) at java.security.Security.getImpl(Security.java:696) at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130) at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121) at sun.security.x509.AlgorithmId.(AlgorithmId.java:114) at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381) at sun.security.x509.X509Key.parse(X509Key.java:168) at sun.security.x509.CertificateX509Key.(CertificateX509Key.java:75) at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705) at sun.security.x509.X509CertInfo.(X509CertInfo.java:169) at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747) at sun.security.x509.X509CertImpl.(X509CertImpl.java:196) at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107) at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322) at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) at java.security.KeyStore.load(KeyStore.java:1201) at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:221) at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:51) at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:247) at net.sourceforge.jnlp.security.VariableX509TrustManager.(VariableX509TrustManager.java:100) at net.sourceforge.jnlp.security.VariableX509TrustManager.getInstance(VariableX509TrustManager.java:282) at sun.applet.PluginMain.init(PluginMain.java:217) at sun.applet.PluginMain.(PluginMain.java:147) at sun.applet.PluginMain.main(PluginMain.java:116) Caused by: java.io.IOException: An incompatible version of NSS is already loaded, 3.7 or later required at sun.security.pkcs11.Secmod.isInitialized(Secmod.java:130) at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:168) ... 37 more NSS version on the system is 3.12.6. Importing an SHA384withECDSA certificate with the same configuration does work, so the NSS security provider gets recognized in this case. running the applet in appletviewer works: appletviewer -J-Djava.security.policy=polfile http://www.gurusheaven.de/security/anonymitaets_test.shtml with polfile: grant { permission java.lang.RuntimePermission "getenv.*"; };