curl-library

Re: NSS, CURLOPT_CAINFO, and using the NSS CAs

From: David Shaw <dshaw_at_jabberwocky.com>
Date: Tue, 29 Jul 2014 22:01:46 -0400

On Jul 28, 2014, at 5:05 PM, Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Monday, July 28, 2014 11:56:46 David Shaw wrote:
>> On Jul 28, 2014, at 10:24 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>>> On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
>>>> Hello,
>>>>
>>>> A good while back I had some code that needed to use the NSS CAs only (and
>>>> not the PEM ca-bundle file). I did this by symlinking libnssckbi.so into
>>>> my nssdb (so NSS would have the CA certs),
>>>
>>> I am not sure how this is supposed to work. Is it documented anywhere?
>>
>> It's mentioned here: http://curl.haxx.se/docs/sslcerts.html
>
> Thanks for the pointer! I was not aware of that. This probably stopped
> working because of the following change (which helps to prevent collisions
> on NSS initialization/shutdown with other libraries):
>
> https://github.com/bagder/curl/commit/20cb12db
>
> NSS_InitContext() internally calls nss_Init() with the noRootInit flag set,
> which is intentional I am afraid.

Ah, that clears it up, thanks! I understand why this change was made. I can add some code to handle this case now.

David

Received on 2014-07-30