There is a chance that other pieces of the application load the PK11 module
already and do not finalize it before calling common_init_finish().
Also, upon fork, the PK11 module resets its entire status including `nsc_init`,
by which the PK11 module tells if it is initialized or not. So the behavior
of NSS_InitContext() could be different before and after fork. That's
another reason to ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error (see
NSS_GetError()).
Fixes: http://tracker.ceph.com/issues/19741
Signed-off-by: Kefu Chai <kchai@redhat.com>
memset(&init_params, 0, sizeof(init_params));
init_params.length = sizeof(init_params);
- uint32_t flags = NSS_INIT_READONLY;
+ uint32_t flags = (NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
if (cct->_conf->nss_db_path.empty()) {
flags |= (NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB);
}
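Review bot: The new `flags` initializer sets NSS_INIT_PK11RELOAD with no comment saying why, so the rationale lives only in the commit message. A short comment above the line would keep a later cleanup from dropping the flag, for example: `/* tolerate CKR_CRYPTOKI_ALREADY_INITIALIZED: PK11 may already be loaded by other code, and its init state is reset on fork */`. The outer parentheses around `NSS_INIT_READONLY | NSS_INIT_PK11RELOAD` are redundant in an initializer and can go. The call that consumes `flags` is outside the visible lines, so it is worth confirming there that failures other than the already-initialized case are still reported.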