[PATCH] Update NSS support

From: Rob Crittenden <>
Date: Fri, 14 Sep 2007 12:58:46 -0400

Fedora 8/rawhide has switched curl from using OpenSSL to using NSS as
the SSL engine. This illuminated some issues with the current NSS
module, notably its lack of support for file-based certificates and a
difference in the meaning of command-line arguments. This patch
addresses those.

The notable changes are:

- It looks for the NSS database first in the environment variable
SSL_DIR, then in /etc/pki/nssdb, then it initializes with no database if
neither of those exists.
- If the NSS PKCS#11 driver is available then PEM files may
be loaded, including the ca-bundle. If it is not available then only
certificates already in the NSS database are used.
- Tries to detect whether a file or nickname is being passed in so the
right thing is done.
- Added a bit of code to make the output more like the OpenSSL module,
including displaying the certificate information when connecting in
verbose mode.
- Improved handling of certificate errors (expired, untrusted, etc.).

The PKCS#11 module is currently only available in Fedora
8/rawhide. Work will be done soon to upstream it. The NSS module will
work with or without it; all that changes is the source of the
certificates and keys.


Received on 2007-09-14
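
The database lookup order and the file-versus-nickname decision listed in the mail, as an added C example that is not taken from the patch or from curl's source. The function names, the `stat()`-based file test and passing the SSL_DIR value in as a parameter are assumptions made for illustration; the mail does not say how the detection is implemented.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

enum db_source { DB_FROM_ENV, DB_FROM_DEFAULT, DB_NONE };

/* True when path is non-empty, exists and is a directory. */
static int is_dir(const char *path)
{
  struct stat st;
  return path && *path && stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Lookup order from the mail: the SSL_DIR value, then the system directory,
   then no database at all. env_dir is a parameter (hypothetical interface)
   so the order can be exercised without touching the real environment.
   *chosen is set to NULL when no database is found. */
enum db_source pick_nss_db(const char *env_dir, const char *system_dir,
                           const char **chosen)
{
  if(is_dir(env_dir)) { *chosen = env_dir; return DB_FROM_ENV; }
  if(is_dir(system_dir)) { *chosen = system_dir; return DB_FROM_DEFAULT; }
  *chosen = NULL;
  return DB_NONE;
}

/* Assumed heuristic: an argument naming an existing regular file is treated
   as a PEM file, anything else as a certificate nickname in the database. */
int looks_like_file(const char *arg)
{
  struct stat st;
  return arg && stat(arg, &st) == 0 && S_ISREG(st.st_mode);
}

int main(void)
{
  static const char *const names[] = { "SSL_DIR", "system default", "none" };
  const char *dir;
  enum db_source src = pick_nss_db(getenv("SSL_DIR"), "/etc/pki/nssdb", &dir);

  /* Reporting which store was selected makes an environment override of the
     trust source visible to whoever reads the verbose output. */
  printf("NSS database: %s (source: %s)\n",
         dir ? dir : "(no database)", names[src]);
  return 0;
}
```
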