SunPKCS11 provider auto enabled NSS problem
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openjdk-6 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
There is a problem with OpenJDK latest version inside Ubuntu 10.04. The NSS provider is now enabled by default, breaking the applications using the Firefox certificate database, since it is not possible to unload the provider once it is already loaded. Applications using JSS are also broken.
http://
Currently we are advising our end user customers to remove OpenJDK and install Sun Java as a workaround.
Alternative is to remove the provider from security.policy, but it is not possible without a root.
The reason for auto enabled NSS patch inside Icedtea was to add support for ECC algorithms (Elliptic curve cryptograph) so unit tests would pass. But it is possible add provider inside code providing such algorithms in rare case you need it. However for Keystore support there is no alternative with nss enabled patch (http://
| Brian Kelley (brian-kelley) wrote | #1 |
| Brian Kelley (brian-kelley) wrote | #2 |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in openjdk-6 (Ubuntu): | |
| status: | New → Confirmed |
| Štefan Baebler (stefanba) wrote | #4 |
This bug also affects me.
I'm also trying to access the Firefox key store from Java and cannot do that.
I don't see why it's so hard to load NSS by yourself. I think that the provider should be removed from the java provider security file since it completely breaks all Java NSS implementations that do not just want access to the Crypto features of NSS (any FIPS or keystore operations require NSS to be loaded differently than the nssDbMode = noDb included in /etc/java-
Perhaps the config file located (by default) at /etc/java-