curl-library

Re: [PATCH] Correct refcount issues when using client certs in NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Sat, 30 May 2009 15:27:02 +0200

On Saturday 30 of May 2009 13:15:30 Claes Jakobsson wrote:
> Looking at the code for nss.c, is there any good reason why the client
> cert should be kept around outside the SSLGetClientAuthData callback?

I am not sure if I understand it enough. I have no problem with hunk #1
of your patch; it does the right thing anyway. But why do you want to
duplicate the certificate? There is a reference counter, so the certificate
should be available until CERT_DestroyCertificate() is called. It is called
in the Curl_nss_close() function. The problem must be elsewhere.

It would be good to get some more details about the crash - backtrace, etc.
Does it work properly with the duplicated certificate? Could you please try
to set the NSS_DEBUG_PKCS11_MODULE environment variable to the name of the
PKCS11 module you are using?

Kamil
Received on 2009-05-30