cURL / Mailing Lists / curl-library / Single Mail


Re: issues with pre-login to pkcs11 slots when using NSS

From: Claes Jakobsson <>
Date: Fri, 10 Jul 2009 18:46:19 +0200

Hi Kamil,

On Jul 10, 2009, at 6:09 PM, Kamil Dudka wrote:
> so you finally decided to not use the nss_Init_Tokens() function at
> all? Then
> you want also drop its code away? It's a static function and my
> compiler is
> complaining about that:
> lib/nss.c|588| warning: ‘nss_Init_Tokens’ defined but not used

Yes I think we should (and I want to) drop the pre-login completely.
Not only because there might be PKCS#11 modules that complains when we
try to authenticate using the wrong password like what I have, but
also because if you have many tokens then it'll be a substantial
startup time for the initial socket like when used with the curl
command line tool. The later mostly applies to hardware tokens like

NSS also provides a fairly reasonable hook, NSS_GetClientAuthData,
that just picks the best available cert or a cert by nickname that I'd
like to be able to use instead of SelectClientCert. As it's not as
predictable as SelectClientCert I propose we make it available as an
something a bit shorter =) ).

> It seems to work for me, tested with this:
> curl --silent --verbose -o /dev/null \
> --cacert $HOME/.fedora-upload-ca.cert \
> --cert $HOME/.fedora-bare.cert \
> --key $HOME/.fedora-protected_by_passwd_passwd.key \
> --pass passwd \
> ''


> Next time please use the unified patch format (diff -u) if possible.
> Your
> patch was applied fine on my slightly modified lib/nss.c, but curl
> died
> with the following message:
> * Unable to load client key: Incorrect password
> I was pretty confused for a while :-)

Sorry about that. The other VCS tools I mostly use (Daniel: hint hint)
- Git, Svn, Svk - all have sensible defaults so it slipped my mind.

If the above about dropping nss_Init_Tokens and the option are ok I'll
go ahead and fix it and provide a new patch.

Received on 2009-07-10