Re: NSS, CURLOPT_CAINFO, and using the NSS CAs

From: Kamil Dudka <>
Date: Mon, 28 Jul 2014 23:05:07 +0200

On Monday, July 28, 2014 11:56:46 David Shaw wrote:
> On Jul 28, 2014, at 10:24 AM, Kamil Dudka <> wrote:
> > On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
> >> Hello,
> >>
> >> A good while back I had some code that needed to use the NSS CAs only
> >> (and not the PEM ca-bundle file). I did this by symlinking into
> >> my nssdb (so NSS would have the CA certs),
> >
> > I am not sure how this is supposed to work. Is it documented anywhere?
> It's mentioned here:

Thanks for the pointer! I was not aware of that. This probably stopped
working because of the following change (which helps to prevent collisions
on NSS initialization/shutdown with other libraries):

NSS_InitContext() internally calls nss_Init() with the noRootInit flag set,
which is intentional, I am afraid.

I would propose to just remove the outdated statement from the documentation.

> Certainly a "certutil -d /etc/pki/nssdb -L -h all" does show all the CAs
> with the symlink in place, and shows nothing without the symlink in place.
> I also tried "modutil -dbdir /etc/pki/nssdb -add ca_certs -libfile
> /usr/lib64/", which had the same result (certutil shows all
> the CAs, and removing that module makes certutil show nothing), but it
> similarly didn't work when done through curl.
> Is there an alternate way to give NSS a set of CAs without importing each
> one specifically?
> David

You can reintroduce the old behavior by initializing NSS in your application:

    NSS_Initialize("sql:/etc/pki/nssdb", "", "", "", NSS_INIT_READONLY);

    // insert the code of your example here...


Received on 2014-07-28