Look for a proper way to handle NSS_STRICT_NOFORK

[tiran]

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables

It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error. This environment variable controls Softoken's response to that error.

    If set to to "1" or unset, Softoken will trigger an assertion failure in debug builds, and will report an error in non-DEBUG builds.
    If set  to "DISABLED", Softoken will ignore forks, and behave as it did in older versions.
    If set to any other non-empty value, Softoken will report an error in both DEBUG and non-DEBUG builds.

Perhaps python-nss has a way to init the crypto module again?

[tiran]

I created https://fedorahosted.org/freeipa/ticket/6563 a while ago

[tiran]

FreeIPA 4.5 no longer uses NSS for TLS/SSL and key wrapping.

[tiran]

Let's keep the NSS_STRICT_NOFORK for legacy support and remove it once we remove support for FreeIPA 4.4.