Hi Rob,
Rob Crittenden schrieb:
> If I'm reading this right it means you can't set SSL_DIR to point to a
> sql database, right? I wonder if an extra bit of code to detect that
> would be helpful.
If you mean to set 'SSL_DIR=sql:/etc/pki/nssdb' then no; previously it
was possible, but I thought it makes more sense to check for a valid dir
rather than just passing the value of SSL_DIR blindly to NSS_Initialize().

> It will also silently skip bad directories. If you have a typo in
> SSL_DIR it will default to using either the default database or try to
> initialize a NULL string.
yes, but that was before same, and I did already add an infof() to see
if what directory is finally used.

> Error reporting is pretty weak right now (my fault). Might be nice to
> improve the message to include what was passed to NSS_Initialize when it
> fails, particularly since it could be auto-generated (though the sql:
> string might be confusing for some).
agreed, but I thought we do first look at the 'sql:' prefix thing, and
test that; after we have verified that this does not harm anything we
should then in a second commit add any more informational or error
output, and add a NSS section to docu; I started on that also already,
but then stopped since my first approach was suggesting to use the env
var NSS_DEFAULT_DB_TYPE, but that was a bad idea since it affects all
other apps, and I wondered why my Thunderbird couldnt verify my
mailserver's cert :)

It was already my bad that I included the check for SSL_DIR with this
patch - I should have splitted this into two patches since it has
nothing to do with the prefixing.

Of most interest might be if the patch behaves correctly with NSS
versions < 3.12.0, so if you folks at RetHat have some older versions
would be nice if you could give it a try ...

Gün.
Received on 2009-09-15