diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638	2010-01-25 08:58:42.358325102 -0800
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2010-01-25 09:07:20.028324059 -0800
@@ -36,6 +36,7 @@
 #include "seccomon.h"
 #include "prio.h"
 #include "prprf.h"
+#include "plhash.h"
 
 /*
  * The following provides a default example for operating systems to set up
@@ -212,6 +213,25 @@ getFIPSMode(void)
 
 #define NSS_DEFAULT_FLAGS "flags=readonly"
 
+/* configuration flags according to
+ * https://developer.mozilla.org/en/PKCS11_Module_Specs
+ * As stated there the slotParams start with a slot name which is a slotID
+ * Slots 1 through 3 are reserved for the nss internal modules as follows:
+ * 1 for crypto operations slot non-fips,
+ * 2 for the key slot, and
+ * 3 for the crypto operations slot fips
+ */
+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define SLOT_FLAGS \
+	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+	" askpw=any timeout=30 ]"
+ 
+static const char *nssDefaultFlags =
+	ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
+
+static const char *nssDefaultFIPSFlags =
+	ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
+
 /*
  * This function builds the list of databases and modules to load, and sets
  * their configuration. For the sample we have a fixed set.
@@ -226,13 +246,6 @@ getFIPSMode(void)
  * the decision making process.
  *
  */
-static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \
-slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-askpw=any timeout=30 ] }  ";
-static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \
-slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-askpw=any timeout=30 ] }  ";
-
 static char **
 get_list(char *filename, char *stripped_parameters)
 {
@@ -250,11 +263,6 @@ get_list(char *filename, char *stripped_
     sysdb = getSystemDB();
     userdb = getUserDB();
 
-    if (sysdb && !strcmp(filename, sysdb))
-	    filename = NULL;
-    if (userdb && !strcmp(filename, userdb))
-	    filename = NULL;
-
     /* Don't open root's user DB */
     if (userdb != NULL && !userIsRoot()) {
 	/* return a list of databases to open. First the user Database */
@@ -276,16 +284,29 @@ get_list(char *filename, char *stripped_
 		userdb, stripped_parameters);
 	}
 
-    if (filename && !userIsRoot() && 0
-		/* This doesn't actually work. If we register
-			 both this and the sysdb (in either order)
-			 then only one of them actually shows up */) {
+#if 0
+	/* This doesn't actually work. If we register
+		both this and the sysdb (in either order)
+		then only one of them actually shows up */
+
+    /* Using a NULL filename as a Boolean flag to
+     * prevent registering both an application-defined
+     * db and the system db. rhbz #546211.
+     */
+    PORT_Assert(filename);
+    if (sysdb && PL_CompareStrings(filename, sysdb))
+	    filename = NULL;
+    else if (userdb && PL_CompareStrings(filename, userdb))
+	    filename = NULL;
+
+    if (filename && !userIsRoot()) {
 	    module_list[next++] = PR_smprintf(
 	      "library= "
 	      "module=\"NSS database\" "
 	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
 	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
     }
+#endif
 
     /* now the system database (always read only unless it's root) */
     if (sysdb) {