Hello,

First, I apologize if I am not posting this message to the correct mailing list.

We found a problem in Firefox 3.5.3 on Windows XP when using two tokens of different brands (namely Gemalto and Oberthur) one after the other on the same card reader, which is indeed a very special setup. After inserting the token of the second type, Firefox gets completely frozen. We are perfectly aware that Firefox 3.5.3 is rather old, but we're a very large organization with thousands of workstations and cannot upgrade that easily. (Besides, we found that more recent versions actually had the same problem.)

We recompiled Firefox 3.5.3 in debug mode and got the following partial stack trace using WinDbg (attached).

We found that the problem was caused by locking the trust domain's cache in the add_cert_to_cache function in security/nss/lib/pki/tdcache.c and then again in nssTrustDomain_RemoveTokenCertsFromCache() (same source file).

Unfortunately, the graph of function calls in this module is rather complex, so I did the following poor man's hack (patch attached):

We added a lock_owner field to the nssTDCertificateCacheStr structure. In add_cert_to_cache, just after the lock, we set lock_owner to PR_GetCurrentThread() just after the call to PZ_Lock() and then back to NULL just before the call to PZ_Unlock(). This allows us to test in nssTrustDomain_RemoveTokenCertsFromCache whether the lock is already taken by us.

This patch is not clean at all because lock_owner should be set after every call to PZ_Lock(). Besides, I am not a specialist in multi-threaded programming, so I am not completely sure that there is not a huge flaw in that logic, but after this fix, our setup is working correctly.

Best Regards,
Luke

nss3!nssTrustDomain_RemoveTokenCertsFromCache+0x60
nss3!nssToken_NotifyCertsNotVisible+0x13
nss3!nssSlot_IsTokenPresent+0x236
nss3!nssSlot_GetToken+0xc
nss3!nssTrustDomain_FindTrustForCertificate+0x63
nss3!nssTrust_GetCERTCertTrustForCert+0x22
nss3!fill_CERTCertificateFields+0x262
nss3!stan_GetCERTCertificate+0x15b
nss3!STAN_GetCERTCertificate+0xe
nss3!nssCertificate_GetDecoding+0x1d
nss3!nssCertificate_SubjectListSort+0x1b
nss3!nsslist_add_element+0x8b
nss3!nssList_AddUnique+0x62
nss3!add_subject_entry+0x5b
nss3!add_cert_to_cache+0x14f
nss3!nssTrustDomain_AddCertsToCache+0x3f
nss3!cert_createObject+0x2d
nss3!nssPKIObjectCollection_AddInstanceAsObject+0x40
nss3!collector+0x17
nss3!nssToken_TraverseCertificates+0x2bb
nss3!NSSTrustDomain_TraverseCertificates+0x124
nss3!CERT_GetCertNicknames+0xa9
nss3!CERT_FindUserCertsByUsage+0x44
pipnss!nsNSS_SSLGetClientAuthData+0x136
ssl3!ssl3_HandleCertificateRequest+0x3d3
ssl3!ssl3_HandleHandshakeMessage+0x473
ssl3!ssl3_HandleHandshake+0x1c8
ssl3!ssl3_HandleRecord+0x5f8
ssl3!ssl3_GatherCompleteHandshake+0xbb
ssl3!ssl_GatherRecord1stHandshake+0x7b
ssl3!ssl_Do1stHandshake+0x21d
ssl3!ssl_SecureSend+0x1c5
ssl3!ssl_SecureWrite+0x16
ssl3!ssl_Write+0xa3
pipnss!nsSSLThread::Run+0x161
nspr4!_PR_NativeRunThread+0xdb
nspr4!pr_root+0xd
MSVCR80D!beginthreadex+0x221
MSVCR80D!beginthreadex+0x1c7
kernel32!GetModuleFileNameA+0x1ba

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
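
The owner-tracking workaround described in the message above, as an added example (it is not the attached patch and not NSS code): a POSIX mutex stands in for the cache lock taken with PZ_Lock(), and `struct cache`, `thread_token` and all function names are hypothetical. In the naive path `pthread_mutex_trylock` replaces the blocking lock so that the re-entry is reported as EBUSY instead of hanging the process.

```c
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>

/* Constructed stand-in for the cache; not NSS's nssTDCertificateCacheStr. */
struct cache {
    pthread_mutex_t lock;        /* non-recursive: a second lock by the holder blocks */
    _Atomic(void *) lock_owner;  /* NULL, or the token of the thread holding lock */
    int certs;
};

static _Thread_local char thread_token;   /* its address is unique per thread */
static void *self(void) { return &thread_token; }

void cache_lock(struct cache *c) {
    pthread_mutex_lock(&c->lock);
    atomic_store(&c->lock_owner, self());  /* record the owner only after acquiring */
}

void cache_unlock(struct cache *c) {
    atomic_store(&c->lock_owner, NULL);    /* clear the owner before releasing */
    pthread_mutex_unlock(&c->lock);
}

/* Always locks. With a blocking lock this call never returns on re-entry. */
int remove_token_certs_naive(struct cache *c) {
    int rc = pthread_mutex_trylock(&c->lock);
    if (rc != 0) return rc;                /* EBUSY when the caller already holds it */
    c->certs = 0;
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Owner-aware: a thread can only read its own token here if it stored it
 * itself and has not cleared it yet, so the comparison is safe unlocked.
 * Returns 1 when it ran re-entrantly under the caller's lock, else 0. */
int remove_token_certs(struct cache *c) {
    int held = atomic_load(&c->lock_owner) == self();
    if (!held) cache_lock(c);
    c->certs = 0;
    if (!held) cache_unlock(c);
    return held;
}

/* Models the path in the stack trace: the removal fires while the add
 * path still holds the cache lock. */
int add_cert(struct cache *c, int (*on_token_gone)(struct cache *)) {
    cache_lock(c);
    c->certs++;
    int rc = on_token_gone(c);
    cache_unlock(c);
    return rc;
}
```

Skipping the lock removes the hang but not the re-entrancy: the outer caller's view of the cache can change in the middle of its own update, so that code has to tolerate it.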