Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v
retrieving revision 1.30
diff -u -p -r1.30 pk11load.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11load.c	30 Apr 2010 07:22:54 -0000	1.30
+++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c	26 Jan 2011 18:11:57 -0000
@@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod
 	char *oldModuleSpec;
 
 	if (secmod_IsInternalKeySlot(newModule)) {
-	    pk11_SetInternalKeySlot(slot);
-	}
+	    pk11_FirstInternalKeySlot(slot);
+	} 
 	newID = slot->slotID;
 	PK11_FreeSlot(slot);
 	for (thisChild=children, thisID=ids; thisChild && *thisChild; 
@@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo
 	    /* look down the slot info table */
 	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
 	    SECMOD_SetRootCerts(mod->slots[i],mod);
+	    /* explicitly mark the internal slot as such if IsInternalKeySlot()
+	     * is set */
+	    if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) {
+		pk11_FirstInternalKeySlot(mod->slots[i]);
+	    } 
 	}
 	mod->slotCount = slotCount;
 	mod->slotInfoCount = 0;
Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v
retrieving revision 1.13
diff -u -p -r1.13 pk11priv.h
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h	27 Oct 2009 23:04:46 -0000	1.13
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h	26 Jan 2011 18:11:47 -0000
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
 PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
 SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
 void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
+void pk11_FirstInternalKeySlot(PK11SlotInfo *slot);
 
 /*********************************************************************
  *       Mechanism Mapping functions
Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v
retrieving revision 1.101
diff -u -p -r1.101 pk11slot.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c	3 Apr 2010 18:27:31 -0000	1.101
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c	26 Jan 2011 18:11:20 -0000
@@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot) 
  * times as tokens are removed and re-inserted.
  */
 void
-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
+PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
 {
     SECStatus rv;
     char *tmp;
@@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot)
 }
 
 static PK11SlotInfo *pk11InternalKeySlot = NULL;
+
+/*
+ * Set a new default internal keyslot. If one has already been set, clear it.
+ * passing NULL falls back the NSS normally selected default internal key
+ * slot
+ */
 void
 pk11_SetInternalKeySlot(PK11SlotInfo *slot)
 {
@@ -1735,6 +1741,20 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl
    pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
 }
 
+/*
+ * Set a new default internal keyslot if the normal key slot has not already
+ * been overrided. Subsequent calls to this function will be ignored unless
+ * pk11_SetInternalKeySlot is used to clear the current default.
+ */
+void
+pk11_FirstInternalKeySlot(PK11SlotInfo *slot)
+{
+   if (pk11InternalKeySlot) {
+	return;
+   }
+   pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+}
+
 
 /* get the internal key slot. FIPS has only one slot for both key slots and
  * default slots */
Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v
retrieving revision 1.2
retrieving revision 1.2.2.2
diff -u -p -r1.2 -r1.2.2.2
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c	6 Feb 2010 04:56:37 -0000	1.2
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c	26 Jan 2011 00:52:31 -0000	1.2.2.2
@@ -221,16 +221,16 @@ getFIPSMode(void)
  * 2 for the key slot, and
  * 3 for the crypto operations slot fips
  */
-#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define CIPHER_ORDER_FLAGS "cipherOrder=100"
 #define SLOT_FLAGS \
 	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
 	" askpw=any timeout=30 ]"
  
 static const char *nssDefaultFlags =
-	ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
+	CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
 
 static const char *nssDefaultFIPSFlags =
-	ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
+	CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
 
 /*
  * This function builds the list of databases and modules to load, and sets
@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_
 	    "library= "
 	    "module=\"NSS User database\" "
 	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
-        "NSS=\"%sflags=internal%s\"",
+        "NSS=\"trustOrder=75 %sflags=internal%s\"",
         userdb, stripped_parameters, nssflags,
         isFIPS ? ",FIPS" : "");
 
@@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_
 		userdb, stripped_parameters);
 	}
 
-#if 0
-	/* This doesn't actually work. If we register
-		both this and the sysdb (in either order)
-		then only one of them actually shows up */
-
-    /* Using a NULL filename as a Boolean flag to
-     * prevent registering both an application-defined
-     * db and the system db. rhbz #546211.
-     */
-    PORT_Assert(filename);
-    if (sysdb && PL_CompareStrings(filename, sysdb))
-	    filename = NULL;
-    else if (userdb && PL_CompareStrings(filename, userdb))
-	    filename = NULL;
-
-    if (filename && !userIsRoot()) {
-	    module_list[next++] = PR_smprintf(
-	      "library= "
-	      "module=\"NSS database\" "
-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
-	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
-    }
-#endif
-
     /* now the system database (always read only unless it's root) */
     if (sysdb) {
 	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
@@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_
 	      "library= "
 	      "module=\"NSS system database\" "
 	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
+	      "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
     }
 
     /* that was the last module */
@@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src)
 
 /* determine what options the user was trying to open this database with */
 /* filename is the directory pointed to by configdir= */
-/* stripped is the rest of the paramters with configdir= stripped out */
+/* stripped is the rest of the parameters with configdir= stripped out */
 static SECStatus
-parse_paramters(char *parameters, char **filename, char **stripped)
+parse_parameters(char *parameters, char **filename, char **stripped)
 {
     char *sourcePrev;
     char *sourceCurr;
@@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long f
     char **retString = NULL;
     SECStatus rv;
 
-    rv = parse_paramters(parameters, &filename, &stripped);
+    rv = parse_parameters(parameters, &filename, &stripped);
     if (rv != SECSuccess) {
 	/* use defaults */
 	filename = getSystemDB();