Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 456189 - seamonkey/nss FIPS mode failure, update prelink and nss
Summary: seamonkey/nss FIPS mode failure, update prelink and nss
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: prelink
Version: 4.7
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 491661 495936
TreeView+ depends on / blocked
 
Reported: 2008-07-22 02:35 UTC by Ben Levenson
Modified: 2016-09-21 10:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 491661 (view as bug list)
Environment:
Last Closed: 2009-05-20 16:04:30 UTC


Attachments (Terms of Use)
Patch for prelink in RHEL 4 (deleted)
2008-09-10 00:19 UTC, Kai Engert (:kaie) (inactive account)
no flags Details | Diff
Patch for nss in RHEL 4 (deleted)
2008-09-10 00:19 UTC, Kai Engert (:kaie) (inactive account)
no flags Details | Diff

Description Ben Levenson 2008-07-22 02:35:19 UTC
Description of problem:
1- set default browser to seamonkey
2- upgrade seamonkey to 1.0.9-24.el4, (requires nss-3.11.99.5-3.el4)
3- start thunderbird
4- view an email with a https URL
5- click it

Actual results:
This document connot be displayed unless you install the Personal Security
Manager (PSM). Download and install PSM and try again, or contact your system
administrator

Version-Release number of selected component (if applicable):
nspr-4.7.0.99.2-2.el4
nss-3.11.99.5-3.el4
seamonkey-1.0.9-24.el4
seamonkey-chat-1.0.9-24.el4
seamonkey-devel-1.0.9-24.el4
seamonkey-dom-inspector-1.0.9-24.el4
seamonkey-js-debugger-1.0.9-24.el4
seamonkey-mail-1.0.9-24.el4
thunderbird-1.5.0.12-11.el4

Expected results:
https page should load

Additional info:
I can't reproduce this with evo28 & new seamonkey/nss packages
or with thunderbird and old seamonkey/seamonkey-nss packages

Additionally, clicking a URL in thunderbird with ff3 set as the default browser
does not open the link in ff3.

Comment 1 Ben Levenson 2008-07-22 02:36:56 UTC
just in case this isn't clear: the new seamonkey/nss packages work as expected
as long as the URL is not launched from thunderbird.

Comment 2 Matěj Cepl 2008-07-22 22:11:42 UTC
Actually, can reproduce even with seamonkey-1.0.9-20.el4

Comment 3 Kai Engert (:kaie) (inactive account) 2008-07-23 17:46:39 UTC
The last RHEL 4 seamonkey package that used an internal nspr/nss, rather than
our new system package, was version 1.0.9-16.el4

It would be interesting to test the behavior of  versions
  seamonkey-1.0.9-16.el4
and
  seamonkey-1.0.9-17.el4

If 1.0.9-16.el4 works correctly, then this regression was introduced as part of
the migration to nspr/nss system packages.


Comment 4 Kai Engert (:kaie) (inactive account) 2008-07-24 02:25:14 UTC
I can always reproduce this bug, it's not necessary to open the URL from
thunderbird. I simply open any https:// URL in seamonkey and get the error.

I think you had enabled FIPS mode in your browser profile, can you confirm?

I think in the past it was not possible to enable FIPS in RHEL 4 in the browser.
I just tried with old seamonkey-nss-1.0.9-16.el4.i386.rpm (from before our
switch to system nss), and I am unable to switch to FIPS mode, the seamonkey
error console gives me a failure message.

I think the reason why that didn't work in the past, we probably had a bug that
caused us to install .chk files that didn't match the installed .so files.

Now with our newer nss packages we make sure that we install matching files, and
enabling FIPS mode works.

But, unfortunately, we don't have a prelink protection in RHEL 4 :-/
I mean, prelink modifies the .so, the .chk file no longer matches the .so, and
FIPS mode fails.


I think:
- you enabled FIPS mode while the files matches
- cron started prelink
- mismatch and failure


Using our recent seamonkey packages, try to use
  mozilla -ProfileManager
and create a new profile (which has FIPS mode disabled by default).
Then open the https:// link using that profile, and it should work.

Enabling FIPS mode should fail, because we have the mismatch.


You can manually downgrade to the older packages, and then (again) update to our
recent packages. This will temporarily fix your profile that has FIPS enabled.

Run prelink (e.g. manually run /etc/cron.daily/prelink) and it will be broken again.


Unfortunately you can't disable FIPS mode while having mismatching files on your
system, because NSS won't start up in the FIPS mode that's recoded in file secmod.db

A workaround should be: Find your application profile directory
(~/.mozilla/default/...../) and delete file secmod.db - You'll have to
re-install/register any 3rd party crypto modules in that profile (which most
people probably don't do anyway)


Another test you can do to prove my theory (I did this already):
- downgrade to old seamonkey packages including seamonkey-nss
- again install the newer ones
(Now you have matching files, it should take a while until prelink gets started)
- try your original profile (which has FIPS enabled) and now it'll work
- it will be broken again as soon as prelink runs



Comment 5 Kai Engert (:kaie) (inactive account) 2008-07-24 02:31:44 UTC
Now you'll ask, what is the right fix to this problem?

We'd have to do something we already did in RHEL 5, which requires an update to
the "prelink" package, and another update to nss, in order to ensure that we get
updated nss files that will then be protected.

The change to prelink is minimal, at the configuration file level:
We must add 2 lines to file /etc/prelink.conf :
-b /lib{,64}/libfreebl3.so
-b /lib{,64}/libsoftokn3.so

The current version of prelink is: prelink-0.3.3-0.EL4

We must produce a prelink package with an updated version-release number, and
our updated NSS package will have to use this additional statement in the
nss.spec file:

# Only compatible with prelink when using a prelink.conf that has NSS signed
# libraries blacklisted
Conflicts: prelink <= prelink-0.3.3-0.EL4


See also bug 237350 and bug 230546


Comment 6 Kai Engert (:kaie) (inactive account) 2008-07-24 02:47:10 UTC
I can work on this, if you give me the approval flags.


Comment 7 Scott Haines 2008-07-24 17:39:40 UTC
Setting rhel‑4.7.z to '?' as its a critical bug fix.

Comment 8 Kai Engert (:kaie) (inactive account) 2008-07-24 18:19:52 UTC
Changing component to "prelink", as that is where the fix will be added (blacklist).

I'm keeping myself as bug owner, I'm happy to do this change, but I'd like to
wait for an OK from Jakub.


Comment 9 Ben Levenson 2008-07-24 18:37:19 UTC
(In reply to comment #4)
> I can always reproduce this bug, it's not necessary to open the URL from
> thunderbird. I simply open any https:// URL in seamonkey and get the error.

Interesting. I could only reproduce from thunderbird. I'll try again.
Note that my testing was done with a new profile.  I'll try again to confirm.
 
> I think you had enabled FIPS mode in your browser profile, can you confirm?

I did not change any of the default settings.

Comment 10 Kai Engert (:kaie) (inactive account) 2008-07-24 19:05:58 UTC
Raising priority, because affected users are unable to use the browser to
connect to secure web sites.


Comment 11 Kai Engert (:kaie) (inactive account) 2008-07-24 22:14:58 UTC
I had been able to reproduce Ben's problem when enabling FIPS mode.

I was never able to reproduce with FIPS mode disabled (the default).

But Ben told me he did not use FIPS mode.

This means:
- what I have described in the most recent comments might be a different issue
- I do not yet understand what causes the problem that Ben has originally reported.

Ben now gave me access to a test system, and I was able to reproduce it there.
I will have to try harder to reproduce it locally, or will have to debug on the
test system...


Comment 12 Kai Engert (:kaie) (inactive account) 2008-07-25 00:11:48 UTC
The bug I have found and described is separate from what Benl had reported
initially. Let's keep this bug for the new FIPS related issue.

Benl has filed his bug again, bug 456619, and we now understand that problem, too.


Comment 13 Kai Engert (:kaie) (inactive account) 2008-09-10 00:19:16 UTC
Created attachment 316265 [details]
Patch for prelink in RHEL 4

Comment 14 Kai Engert (:kaie) (inactive account) 2008-09-10 00:19:42 UTC
Created attachment 316266 [details]
Patch for nss in RHEL 4

Comment 24 Ludek Smid 2009-05-20 16:04:30 UTC
Fixed as bug #495936.


Note You need to log in before you can comment on or make changes to this bug.