Hi Kamil,

On Jul 10, 2009, at 6:09 PM, Kamil Dudka wrote:
> so you finally decided to not use the nss_Init_Tokens() function at
> all? Then
> you want also drop its code away? It's a static function and my
> compiler is
> complaining about that:
> lib/nss.c|588| warning: ‘nss_Init_Tokens’ defined but not used

Yes I think we should (and I want to) drop the pre-login completely.
Not only because there might be PKCS#11 modules that complains when we
try to authenticate using the wrong password like what I have, but
also because if you have many tokens then it'll be a substantial
startup time for the initial socket like when used with the curl
command line tool. The later mostly applies to hardware tokens like
smartcards.

NSS also provides a fairly reasonable hook, NSS_GetClientAuthData,
that just picks the best available cert or a cert by nickname that I'd
like to be able to use instead of SelectClientCert. As it's not as
predictable as SelectClientCert I propose we make it available as an
option, for example CURLOPT_NSS_USE_BUILTIN_CLIENT_CERT_HOOK ( or
something a bit shorter =) ).

> It seems to work for me, tested with this:
> curl --silent --verbose -o /dev/null \
> --cacert $HOME/.fedora-upload-ca.cert \
> --cert $HOME/.fedora-bare.cert \
> --key $HOME/.fedora-protected_by_passwd_passwd.key \
> --pass passwd \
> 'https://koji.fedoraproject.org/koji/userinfo?userID=750'

Excellent

> Next time please use the unified patch format (diff -u) if possible.
> Your
> patch was applied fine on my slightly modified lib/nss.c, but curl
> died
> with the following message:
> * Unable to load client key: Incorrect password
>
> I was pretty confused for a while :-)

Sorry about that. The other VCS tools I mostly use (Daniel: hint hint)
- Git, Svn, Svk - all have sensible defaults so it slipped my mind.

If the above about dropping nss_Init_Tokens and the option are ok I'll
go ahead and fix it and provide a new patch.

Cheers,
Claes
Received on 2009-07-10