cURL / Mailing Lists / curl-library / Single Mail


Re: issues with pre-login to pkcs11 slots when using NSS

From: Claes Jakobsson <>
Date: Fri, 10 Jul 2009 16:12:25 +0200


On Jun 29, 2009, at 10:50 PM, Daniel Stenberg wrote:
> On Fri, 12 Jun 2009, Claes Jakobsson wrote:
>> There are several advantages to this approach - a) failures are
>> limited to our cert, b) the curl nss code will be a bit simplier
>> and c) startup time will be slightly faster.
>> I'll try write a patch during the weekend.
> Any further news on this issue?

The attached patch (against CVS) disables pre-login to the tokens as
this can cause problems with PKCS#11 modules that are evil to us and
instead delegates login to PK11_FindCertByNickname by passing the
password along the socket.

I haven't tested if this still works with PEM file certs as I don't
have that on my install so I'd appreciate if Kamil could try this.

Enjoy your vacation and don't do too much coding ;)


Received on 2009-07-10