SunPKCS11 provider auto enabled NSS problem

Bug #580982 reported by Matej Spiller-Muys on 2010-05-15
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
openjdk-6 (Ubuntu)
Undecided
Unassigned

Bug Description

There is a problem with OpenJDK latest version inside Ubuntu 10.04. The NSS provider is now enabled by default, breaking the applications using the Firefox certificate database, since it is not possible to unload the provider once it is already loaded. Applications using JSS are also broken.

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

Currently we are advising our end user customers to remove OpenJDK and install Sun Java as a workaround.
Alternative is to remove the provider from security.policy, but it is not possible without a root.

The reason for auto enabled NSS patch inside Icedtea was to add support for ECC algorithms (Elliptic curve cryptograph) so unit tests would pass. But it is possible add provider inside code providing such algorithms in rare case you need it. However for Keystore support there is no alternative with nss enabled patch (http://icedtea.classpath.org/hg/icedtea6/file/756cd53fa326/patches/icedtea-nss-config.patch).

Brian Kelley (brian-kelley) wrote :

This bug also affects me.

I'm also trying to access the Firefox key store from Java and cannot do that.

I don't see why it's so hard to load NSS by yourself. I think that the provider should be removed from the java provider security file since it completely breaks all Java NSS implementations that do not just want access to the Crypto features of NSS (any FIPS or keystore operations require NSS to be loaded differently than the nssDbMode = noDb included in /etc/java-6-openjdk/security/nss.cfg)

Perhaps the config file located (by default) at /etc/java-6-openjdk/security/nss.cfg could be left there and the line "security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg" could be commented out by default.

Brian Kelley (brian-kelley) wrote :

Looks like it was caused by the fix to this bug: https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/556549

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
Štefan Baebler (stefanba) wrote :

This became more relevant since Sun/Oracle java is now much harder to install, making Ubuntu less user friendly.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers