cURL / Mailing Lists / curl-library / Single Mail


Re: Curl, NSS, and

From: Kamil Dudka <>
Date: Wed, 18 Jan 2012 13:31:27 +0100

On Wednesday 18 January 2012 04:33:34 David Shaw wrote:
> Hi,
> When built with NSS, and if is available, curl can handle
> PEM-formatted cert files. I'd like to use the "regular" NSS cert storage
> alone, but this is difficult as if a CA bundle is available, curl will
> load it, and use it in addition to the NSS DB.
> I'm able to work around this behavior by passing NULL to CURLOPT_CAINFO so
> nothing is loaded, but this only works when I'm using libcurl. Is there
> some way to not load any PEM files when using the curl command line?

The only way I am aware of is to recompile libcurl with --without-ca-bundle,
but I agree this should be more flexible. Is this issue really specific to

> Alternately, and perhaps even better, is there a way to disable
> altogether (perhaps via the pkcs11.txt config file?) is being loaded directly by libcurl. The code dealing with is #ifdef'd by HAVE_PK11_CREATEGENERICOBJECT, but there is no
option in configure to disable this feature explicitly atm. Maybe we should
introduce a compile-time option to disable completely and give
that define a more meaningful name. If there is no objection, I will prepare
a patch for that.

List admin:
Received on 2012-01-18