$OpenBSD: patch-mozilla_security_manager_ssl_src_SSLServerCertVerification_cpp,v 1.3 2012/06/11 15:38:33 landry Exp $
--- mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp.orig	Sat Apr 21 00:40:21 2012
+++ mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp	Wed Apr 25 17:50:16 2012
@@ -164,23 +164,25 @@ NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 NSSCleanupAutoPtrClass_WithParam(PRArenaPool, PORT_FreeArena, FalseParam, false)
 
+PRCallOnceType gCreateMutexCallOnce;
 // do not use a nsCOMPtr to avoid static initializer/destructor
+Mutex * gMutex = nsnull;
 nsIThreadPool * gCertVerificationThreadPool = nsnull;
+
+PRStatus createMutex()
+{
+  gMutex = new Mutex("SSLServerCertVerification mutex");
+  return PR_SUCCESS;
+}
+
 } // unnamed namespace
 
-// Called when the socket transport thread starts, to initialize the SSL cert
-// verification thread pool. By tying the thread pool startup/shutdown directly
-// to the STS thread's lifetime, we ensure that they are *always* available for
-// SSL connections and that there are no races during startup and especially
-// shutdown. (Previously, we have had multiple problems with races in PSM
-// background threads, and the race-prevention/shutdown logic used there is
-// brittle. Since this service is critical to things like downloading updates,
-// we take no chances.) Also, by doing things this way, we avoid the need for
-// locks, since gCertVerificationThreadPool is only ever accessed on the socket
-// transport thread.
 void
 InitializeSSLServerCertVerificationThreads()
 {
+  (void) PR_CallOnce(&gCreateMutexCallOnce, createMutex);
+  MutexAutoLock lock(*gMutex);
+
   // TODO: tuning, make parameters preferences
   // XXX: instantiate nsThreadPool directly, to make this more bulletproof.
   // Currently, the nsThreadPool.h header isn't exported for us to do so.
@@ -208,10 +210,19 @@ InitializeSSLServerCertVerificationThreads()
 // nsNSSShutdownPreventionLock where needed (not here) to prevent that.
 void StopSSLServerCertVerificationThreads()
 {
+  (void) PR_CallOnce(&gCreateMutexCallOnce, createMutex);
+  MutexAutoLock lock(*gMutex);
+
   if (gCertVerificationThreadPool) {
     gCertVerificationThreadPool->Shutdown();
     NS_RELEASE(gCertVerificationThreadPool);
   }
+}
+
+void ShutdownSSLServerCertVerification()
+{
+  delete gMutex;
+  gMutex = nsnull;
 }
 
 namespace {
