cURL / Mailing Lists / curl-library / Single Mail


Re: issues with pre-login to pkcs11 slots when using NSS

From: Kamil Dudka <>
Date: Sun, 12 Jul 2009 22:57:24 +0200

Hi Claes,

On Sunday 12 of July 2009 22:33:40 Claes Jakobsson wrote:
> On Jul 10, 2009, at 10:10 PM, Kamil Dudka wrote:
> > Claes, could you please have a look at the attachment? It's a
> > proposal only.
> > It'll definitely need a review (as Friday evening), but it works for
> > me in all
> > three cases. Note that your original patch is included.
> The patch looks good to me. Some logging what's going would be nice
> tho such as what certificate it's going to use.

not sure if I understand. Do you mean some verbose output when the curl's
option CURLOPT_VERBOSE is set?

> Tried it with my setup where the PKCS#11 module I'm using both handles
> a soft token and a h/w token for me. Tried both with specifying
> exactly what certificate to use and also letting NSS select the right
> one and it all passes.


> Comparing NSS_GetClientAuthData with the old SelectClientCert the only
> potential problem I can see is that when using a nickname
> NSS_GetClientAuthData seems to limit this to certs registered as
> client-certs whereas PK11_FindCertByKey might return *any* cert afaik
> (purely speculative tho as my NSS-fu is not strong enough). So if your
> certs aren't registered properly in the NSS DB this might break
> backwards compat. But I think this is actually positive since it
> encourage people to setup things correctly =)

I don't worry about that as I think the NSS-powered curl is not widely used
now. It's been pretty broken in Fedora since recently. And you are in fact
the first non-Fedora user of NSS-powered curl I noticed here on the list ;-)

Received on 2009-07-12