Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1404439
Summary: | [Crash] Firefox immediately crashes after startup if crypto-policies is set to FUTURE | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christian Stadelmann <fedora> | ||||
Component: | nss | Assignee: | nss-nspr-maint <nss-nspr-maint> | ||||
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 26 | CC: | dueno, emaldona, fredrik.rinnestam, fweimer, gecko-bugs-nobody, hkario, jhorak, j, kdudka, kengert, nmavrogi, paul.destefano-redhat2, pjasicek, riehecky, rrelyea, sjoerd, szidek, tmraz | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-04-24 00:02:18 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1179209 | ||||||
Attachments: |
|
Description
Christian Stadelmann
2016-12-13 21:14:35 UTC
Suggested workaround: run `update-crypto-policies --set DEFAULT` as root or from sudo. Debugging this is rather resource hungry, but with a 6 GB RAM VM and 4 CPUs it's bearable. Firefox crashes with an assertion failure, because the firefox code that inits NSS wants to run on the main thread, but here it's executed on a secondary thread, when trying to construct an SSL socket. I'm guessing the initial construction attempt on the main thread had failed (without assertion), and when the XPCom code attempts to do an on-demand construction of the missing component, it runs into the assertion. So, debugging the state of the crash is insufficient, we must find out why the initial init attempt fails. I'm looking into it... The reason for the failure is: Firefox attempts to configure the allowed SSL/TLS protocol version range from minimum TLS 1.0 to maximum TLS 1.2. That's rejected because the FUTURE crypto policy requires a minimum of TLS 1.2. Consequently, the firefox application notices the failure to initialize NSS with the desired values, the init attempt fails, and we later into the assertion failure as described in comment 2. The equivalent initial failure can be reproduced with the following command line tool: /usr/lib64/nss/unsupported-tools/tstclnt -D -b -V tls1.0:tls1.2 -h fedoraproject.org -p 443 It seems the implementation strategy for crypto policies needs some more thought. We discussed a suggested solution, which will require an upstream fix to NSS. Please refer to the upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1328318 *** Bug 1399812 has been marked as a duplicate of this bug. *** Upstream bug has a patch v1, which I tested on Firefox 26, using a local build with the patch applied. It allows Firefox to be started and load https pages, with system crypto policy set to future. nss-3.29.3-1.3.fc26 nss-softokn-3.29.3-1.0.fc26 nss-util-3.29.3-2.2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-938554ca21 nss-3.29.3-1.3.fc26 nss-softokn-3.29.3-1.0.fc26 nss-util-3.29.3-2.2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-938554ca21 nss-3.29.3-1.3.fc26, nss-softokn-3.29.3-1.0.fc26, nss-util-3.29.3-2.2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-938554ca21 nss-3.29.3-1.3.fc26, nss-softokn-3.29.3-1.0.fc26, nss-util-3.29.3-2.2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. This bug is fixed on Fedora 26. Thank you! |