curl-library

Re: some more NSS questions ...

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 8 Sep 2009 11:48:32 +0200

On Tue September 8 2009 04:11:50 Guenter wrote:
> I'm just trying a bit to track down the Windooze certpath prob;
> have copied the relevant parts from libcurl's nss.c into a small sample
> (see attachment), but I must be missing something ...

Of course.

1) You are trying to lock one mutex twice!

2) You don't need to lock anything at all since you run a single-threaded app.

Please remove all the locking crap from the example. The only thing you need
to load the NSS db is a call to NSS_Initialize (and perhaps NSS_Shutdown to free
resources afterwards).

> first it's crazy enough that the NSS cert dir delivered by my OpenSuSE
> 11.1 distro looks like that:
> # l /etc/pki/nssdb/
> total 28
> drwxr-xr-x 2 root root 128 19. Aug 01:18 ./
> drwxr-xr-x 3 root root 72 19. Aug 01:18 ../
> -rw-r--r-- 1 root root 9216 19. Aug 01:18 cert9.db
> -rw-r--r-- 1 root root 9216 19. Aug 01:18 key4.db
> -rw-r--r-- 1 root root 412 19. Aug 01:18 pkcs11.txt
> so (lib)curl must fail since it inits with a file secmod.db which is
> clearly missing here ...

I am not sure about the file names. Are you able to access the database
with certutil?

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

If yes, we can figure out how certutil looks for the correct file names...

> my sample fails here too:
> ./nsstest3
> NSS Version 3.12.4.5
> NSS SSL_DIR /etc/pki/nssdb
> Unable to initialize NSS database: 0xFFFFE012 (-8174)
>
> now when I specify the folder which comes with my cross-compiler it gets
> hung - though this dir contains secmod.db:
> # l /usr/i686-pc-mingw32/sys-root/mingw/etc/pki/nssdb
> total 96
> drwxr-xr-x 2 root root 128 Aug 30 21:50 ./
> drwxr-xr-x 5 root root 120 Aug 28 02:51 ../
> -rw-r--r-- 1 root root 65536 Aug 27 23:31 cert8.db
> -rw-r--r-- 1 root root 16384 Aug 27 23:31 key3.db
> -rw-r--r-- 1 root root 16384 Aug 27 23:31 secmod.db
>
> SSL_DIR=/usr/i686-pc-mingw32/sys-root/mingw/etc/pki/nssdb ./nsstest3
> NSS Version 3.12.4.5
> NSS SSL_DIR /usr/i686-pc-mingw32/sys-root/mingw/etc/pki/nssdb
>
> not further tested, and late here - but maybe you have an idea, or the
> sample even works for ya?
>
> A curl build works fine with the cert dir from the crosscompiler, so
> obviously I must miss something in the sample ...
>

I think it hangs on the second PR_Lock call. You can always attach a debugger
if you are not sure.

> BTW. do you know about an error list? Or can we convert the error into
> something verbose? And what is the usual way of printing NSS errors?
> I see that the error var is unsigned, so printing it as int is probably
> not the right way, therefore I included also the hex printout ...

The list of NSS/SSL error codes is here:
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

Not sure if there is a generic way to print them as text. If not we can always
create constructions like switch/case/printf.

Kamil
Received on 2009-09-08
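
A switch/case/printf construction of the kind mentioned in the mail, as an added example that is not part of the original message or of libcurl's nss.c: it reinterprets the 0xFFFFE012 from the sample output as the signed code -8174 and gives it a name. The `nss_err_*` helper names are hypothetical; the range bases and the four listed codes follow NSS's secerr.h and sslerr.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Range bases and width as defined in NSS's secerr.h and sslerr.h. */
#define SEC_BASE   (-0x2000)  /* SEC_ERROR_BASE */
#define SSL_BASE   (-0x3000)  /* SSL_ERROR_BASE */
#define RANGE_SIZE 1000       /* *_ERROR_LIMIT is base + 1000 */

/* Reinterpret a value that was stored or printed as unsigned 32-bit
 * (0xFFFFE012) as the signed error code (-8174), without relying on
 * implementation-defined narrowing conversions. */
int32_t nss_err_signed(uint32_t raw) {
    return raw > (uint32_t)INT32_MAX ? (int32_t)((int64_t)raw - 4294967296LL)
                                     : (int32_t)raw;
}

/* Report which library's range the code falls into. */
const char *nss_err_range(int32_t code) {
    if (code >= SEC_BASE && code < SEC_BASE + RANGE_SIZE) return "SEC";
    if (code >= SSL_BASE && code < SSL_BASE + RANGE_SIZE) return "SSL";
    return "other";
}

/* switch/case mapping for a few codes; extend it from the error list. */
const char *nss_err_name(int32_t code) {
    switch (code) {
    case SEC_BASE + 18: return "SEC_ERROR_BAD_DATABASE";
    case SEC_BASE + 11: return "SEC_ERROR_EXPIRED_CERTIFICATE";
    case SEC_BASE + 13: return "SEC_ERROR_UNKNOWN_ISSUER";
    case SSL_BASE + 12: return "SSL_ERROR_BAD_CERT_DOMAIN";
    default:            return "UNKNOWN";
    }
}

/* Format "NAME [range] (decimal, 0xHEX)" into buf; returns snprintf's result. */
int nss_err_describe(uint32_t raw, char *buf, size_t len) {
    int32_t code = nss_err_signed(raw);
    return snprintf(buf, len, "%s [%s] (%d, 0x%08X)", nss_err_name(code),
                    nss_err_range(code), (int)code, (unsigned)raw);
}

int main(void) {
    char line[96];
    nss_err_describe(0xFFFFE012u, line, sizeof line); /* value from the sample output */
    printf("Unable to initialize NSS database: %s\n", line);
    /* Exit non-zero if the code is not in the table. */
    return strcmp(nss_err_name(nss_err_signed(0xFFFFE012u)), "UNKNOWN") == 0;
}
```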