Graham Leggett wrote:
Hi all,

I am having a dilemma that I am trying to find a solution for.

In the httpd webserver, if the mod_nss module is loaded, the mod_nss module will try and initialise NSS. If mod_authnz_ldap is loaded into the same server, and mod_authnz_ldap depends on the Mozilla LDAP code that supports ldaps, an attempt is made to initialise NSS again. If the mod_session_crypto module is loaded into httpd, which also depends on NSS, NSS is initialised a third time.

NSS requires that a database is specified when initialised. What happens if an attempt is made to initialise NSS twice?
The 2nd NSS will silently succeed.

What happens if you attempt to initialise NSS using different databases? Will the second initialisation attempt fail? Will the second initialisation attempt succeed, but then leave the first module confused?
The 2nd attempt will succeed, but only the 1st database requested will be opened. There are calls that will allow a second database to be opened as well, in which case all users of NSS will see all databases, which look like different tokens to NSS (just like plugging in additional smart cards).

Has anyone encountered this problem with NSS and apps that are modular in nature?
Yes, in general the use of a stand-alone library that uses NSS is a new phenomenon* in NSS (most NSS apps to date have been central applications).

Most stand alone libraries really only need the databases for trust and access to credentials (they typically don't try to modify the databases). The general idea is they should use the application's trust environment if it already has one.

Anyway, this issue is one in which the NSS team believes the current state is not ideal. We have a couple of short-term fixes coming, as well as some ideas for longer-term solutions.

bob


*(Historically we have had the ldap SDK, but usually the ldap SDK gets installed in some application that initializes NSS ahead of time, so the library inherits the parent application's open databases. The SDK is able to initialize NSS on its own for those applications that don't do NSS. The recent issues are when that database initializes NSS first, how does the application deal with the result.)

Regards,
Graham
--
------------------------------------------------------------------------

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
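
An added example, not part of the original thread and not NSS or httpd code: a sketch of a process-wide guard that lets each module learn that the library was already initialised with a different database, instead of relying on the silent success described in the reply. The names `nss_guard_init` and `fake_nss_init`, the status values and the paths are hypothetical; a real build would pass a function that performs the actual NSS initialisation, and the guard assumes single-threaded start-up.

```c
#include <stdio.h>
#include <string.h>

/* Outcome reported to a module that asks for initialisation. */
typedef enum {
    NSS_GUARD_OPENED,      /* this caller performed the real initialisation */
    NSS_GUARD_SHARED,      /* already initialised with the same database */
    NSS_GUARD_DB_MISMATCH, /* already initialised with a different database */
    NSS_GUARD_FAILED       /* bad path or the real initialisation failed */
} nss_guard_status;

/* Hypothetical hook: really initialises the library for db_dir, 0 = success. */
typedef int (*nss_init_fn)(const char *db_dir);

static char active_db[256];   /* database opened by the first caller */
static char active_owner[64]; /* module that opened it */

/* First caller's database wins; later callers are told what they got. */
nss_guard_status nss_guard_init(const char *module, const char *db_dir,
                                nss_init_fn real_init)
{
    if (db_dir[0] == '\0' || strlen(db_dir) >= sizeof active_db)
        return NSS_GUARD_FAILED;
    if (active_db[0] != '\0')
        return strcmp(active_db, db_dir) == 0 ? NSS_GUARD_SHARED
                                              : NSS_GUARD_DB_MISMATCH;
    if (real_init(db_dir) != 0)
        return NSS_GUARD_FAILED;
    snprintf(active_db, sizeof active_db, "%s", db_dir);
    snprintf(active_owner, sizeof active_owner, "%s", module);
    return NSS_GUARD_OPENED;
}

const char *nss_guard_active_db(void) { return active_db; }
const char *nss_guard_owner(void) { return active_owner; }

/* Constructed stand-in for the real initialisation call; always succeeds. */
int fake_nss_init(const char *db_dir) { (void)db_dir; return 0; }

int main(void)
{
    /* Constructed paths; module names follow the httpd scenario above. */
    nss_guard_init("mod_nss", "/etc/httpd/alias", fake_nss_init);
    nss_guard_status s = nss_guard_init("mod_authnz_ldap",
                                        "/etc/openldap/certs", fake_nss_init);
    if (s == NSS_GUARD_DB_MISMATCH) /* surface it instead of staying silent */
        fprintf(stderr, "mod_authnz_ldap: NSS already uses %s (opened by %s)\n",
                nss_guard_active_db(), nss_guard_owner());
    return 0;
}
```

A module that receives the mismatch status can log it and fall back to the host application's trust environment, which is the behaviour the reply recommends for stand-alone libraries.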
