From bbecfa740de0cb7f93ef568d1e681f88009eedcc Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 29 Jan 2011 20:40:20 +0000 Subject: [PATCH] ITS#6811, more for #6802 PKCS11 fork() handling from Rich Megginson @ Red Hat --- libraries/libldap/tls_m.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c index 8c7ecf872e..6d1c0a4ca1 100644 --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c @@ -2872,10 +2872,27 @@ static const PRIOMethods tlsm_PR_methods = { static int tlsm_init( void ) { + char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" ); + PR_Init(0, 0, 0); tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" ); + /* + * There are some applications that acquire a crypto context in the parent process + * and expect that crypto context to work after a fork(). This does not work + * with NSS using strict PKCS11 compliance mode. We set this environment + * variable here to tell the software encryption module/token to allow crypto + * contexts to persist across a fork(). However, if you are using some other + * module or encryption device that supports and expects full PKCS11 semantics, + * the only recourse is to rewrite the application with atfork() handlers to save + * the crypto context in the parent and restore (and SECMOD_RestartModules) the + * context in the child. + */ + if ( !nofork ) { + PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" ); + } + return 0; } -- 2.39.5