On 2010-03-16 22:04 PST, Kyle Hamilton wrote:
> Your profile's certificate and trust database appears to be corrupted,
> and therefore it can't check to see if the OCSP responder's
> certificate is okay.
> 
> You'll need to quit Firefox, move the current key*.db, cert*.db, and
> secmod.db files out of the profile directory (to a backup location),
> and then restart Firefox.  After that, you'll need to reinstall the
> FNMT-RCM root certificate and edit its trust bits appropriately.  (If
> you have added any PKCS11 modules, you will also need to re-add them.)

I don't think his DBs are necessarily corrupted.  Remember that
"sec_error_bad_database" actually means either one of two rather benign things:
a) we looked for a record in the DB and didn't find it (maybe it's just not
there), or
b) we tried to put a record into the DB, but the DB told us there is already
a record in the DB with that record's "unique database key", implying that
this record is a duplicate of one already in the DB, and so
it did not let us insert the record into the DB (again).

I've been able to reproduce what Rafa reported, and my DB is not corrupted.
I suspect this is a case where there is a problem with the OCSP response,
and NSS's ability to provide a meaningful error code for the particular
problem is deficient in this case.

I wish we had better diagnostic tools.  As it is, diagnosis of OCSP problems
requires an NSS developer to spend hours with a code debugger.

I'll get to the bottom of this error, eventually, if someone doesn't fix it
(i.e. change the OCSP response) first.  But probably not before this weekend.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
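The thread turns on two separate questions that a single NSS error code fails to separate: is the OCSP responder's certificate acceptable, and what does the response say about the certificate? The script below is an added example, not code from the thread or from NSS; it uses the openssl command-line tool to reproduce that distinction offline. It builds a throwaway CA and leaf certificate, has the CA answer an OCSP request for the leaf, and checks the response the way a relying party must (responder signature and certificate first, certificate status second). A second copy of the response signed by an unrelated key shows what a rejected responder looks like. Every name (test-ca, test-leaf, rogue-responder), the serial 1001 and the index entry are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from NSS): offline OCSP
# diagnosis with the openssl CLI. All names, serials and the index entry are
# constructed here.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway issuing CA; it also signs its own OCSP responses (a delegated
# responder would instead need a certificate with the OCSP-signing EKU).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test-ca" \
  -keyout ca.key -out ca.pem 2>/dev/null

# An unrelated self-signed certificate that is NOT entitled to answer for test-ca.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=rogue-responder" \
  -keyout rogue.key -out rogue.pem 2>/dev/null

# Leaf certificate issued by test-ca with serial 1001 (0x03E9).
openssl req -newkey rsa:2048 -nodes -subj "/CN=test-leaf" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1001 \
  -days 2 -out leaf.pem 2>/dev/null

# Certificate index in the "openssl ca" layout that "openssl ocsp -index" reads:
# status (V = valid), expiry, revocation date (empty), serial in hex, file, subject.
printf 'V\t491231235959Z\t\t03E9\tunknown\t/CN=test-leaf\n' > index.txt

# Relying-party side: build the OCSP request for the leaf.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der 2>/dev/null

# Responder side: answer from the index. resp.der is signed by the CA itself;
# rogue.der is the same answer signed by the unrelated key.
openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
  -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
openssl ocsp -index index.txt -CA ca.pem -rsigner rogue.pem -rkey rogue.key \
  -reqin req.der -respout rogue.der -noverify >/dev/null 2>&1

# ocsp_verify FILE: exit 0 only if the response signature verifies and the
# signer is the issuer (or a responder the issuer delegated to) chaining to ca.pem.
ocsp_verify() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
    -no_nonce >/dev/null 2>&1
}

# ocsp_status FILE: print the status word (good/revoked/unknown) the response
# carries for leaf.pem; openssl prints it whether or not the signature verified.
ocsp_status() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
    -no_nonce 2>/dev/null | sed -n 's/^leaf\.pem: //p'
}

# ocsp_diagnose FILE: one-line verdict that keeps "responder not trusted"
# apart from "certificate status", the distinction a single NSS error hides.
ocsp_diagnose() {
  if ocsp_verify "$1"; then
    echo "responder OK, status=$(ocsp_status "$1")"
  else
    echo "responder NOT trusted (status claimed=$(ocsp_status "$1"))"
  fi
}

ocsp_diagnose resp.der
ocsp_diagnose rogue.der
```

Run it in an empty directory (or let it create one under mktemp). The genuine response reports "responder OK, status=good"; the rogue one reports "responder NOT trusted" even though the status inside it is syntactically fine, which is the case a relying party must reject regardless of what the response claims. To point the same checks at a real responder, replace the offline `-reqin`/`-respout` step with `openssl ocsp -issuer ... -cert ... -url <responder URL> -respout resp.der` and keep the verification functions as they are.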
