[email protected] wrote:
> Full_Name: Rich Megginson
> Version: 2.4.23 (current CVS HEAD)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-moznss-disable-nofork-20110127.patch
> Submission from: (NULL) (76.113.111.209)
>
>
> There are some applications that acquire a crypto context in the parent process
> and expect that crypto context to work after a fork(). This does not work
> with MozNSS using strict PKCS11 compliance mode. We set the environment
> variable NSS_STRICT_NOFORK=DISABLED in tlsm_init() to tell the software
> encryption module/token to allow crypto contexts to persist across a fork().
> However, if you are using some other module or encryption device that supports
> and expects full PKCS11 semantics, the only recourse is to modify the
> application to use atfork() handlers to save the crypto context in the parent
> and restore (and SECMOD_RestartModules) the context in the child.

Sounds like this is a followon to #6802. Is this really critical at this point?
We really need to close the window on RE24 patches so we can actually cut a
release. But if ITS#6802 is actually incomplete, I guess we should roll this in.

> These patch files are derived from OpenLDAP Software. All of the
> modifications to OpenLDAP Software represented in the following
> patch(es) were developed by Red Hat. Red Hat has not assigned rights
> and/or interest in this work to any party. I, Rich Megginson am
> authorized by Red Hat, my employer, to release this work under the
> following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software
> (and only these modifications) into the public domain. Hence, these
> modifications may be freely used and/or redistributed for any purpose
> with or without attribution and/or other notice.
>

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
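
The two options named in the report, sketched as an added example that is not part of this thread or of the submitted patch: exporting NSS_STRICT_NOFORK=DISABLED before the crypto library starts, and an atfork child handler that marks a parent-acquired context stale so the child re-acquires it. It makes no NSS calls; `crypto_ctx`, `allow_ctx_across_fork`, `ctx_init`, `ctx_refresh_if_forked` and `child_refreshed_after_fork` are hypothetical names, and keeping an already-exported value of the variable is this example's choice, not something the report states.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a crypto context acquired in the parent. */
struct crypto_ctx { pid_t owner; int stale; };
static struct crypto_ctx g_ctx;

/* Runs in the child after fork(): the inherited context is the parent's. */
static void ctx_atfork_child(void) { g_ctx.stale = 1; }

/* Set the variable from the report before the crypto library initializes.
 * overwrite = 0 keeps a value the administrator already exported. */
int allow_ctx_across_fork(void) {
    return setenv("NSS_STRICT_NOFORK", "DISABLED", 0);
}

/* Acquire the context and register the child handler (call once). */
int ctx_init(void) {
    g_ctx.owner = getpid();
    g_ctx.stale = 0;
    return pthread_atfork(NULL, NULL, ctx_atfork_child);
}

/* Call before each use; returns 1 if a fork forced a re-acquire. */
int ctx_refresh_if_forked(void) {
    if (!g_ctx.stale) return 0;
    /* A real application restores its context here; the report names
     * SECMOD_RestartModules for this step. */
    g_ctx.owner = getpid();
    g_ctx.stale = 0;
    return 1;
}

/* Fork once; returns 1 if the child detected and refreshed, -1 on error. */
int child_refreshed_after_fork(void) {
    pid_t pid = fork();
    int status;
    if (pid < 0) return -1;
    if (pid == 0) _exit(ctx_refresh_if_forked() && g_ctx.owner == getpid());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    return allow_ctx_across_fork() || ctx_init() || child_refreshed_after_fork() != 1;
}
```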
