From c6f44ed376ce720a389490ae3eab880bee48b8ff Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Aug 2013 10:36:02 +0200
Subject: [PATCH] NSS: don't load keys/certs with re-used connections

... as they are then already loaded and re-used from the previous request.
---
 lib/nss.c | 55 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 26 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c
index 2d4bf9e..63a4847 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -553,39 +553,42 @@ static CURLcode cert_stuff(struct connectdata *conn, int sockindex,
                            char *cert_file, char *key_file)
 {
   struct SessionHandle *data = conn->data;
-  CURLcode rv;
+  CURLcode rv = CURLE_OK;
 
-  if(cert_file) {
-    rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
-    if(CURLE_OK != rv) {
-      const PRErrorCode err = PR_GetError();
-      if(!display_error(conn, err, cert_file)) {
-        const char *err_name = nss_error_to_name(err);
-        failf(data, "unable to load client cert: %d (%s)", err, err_name);
-      }
+  if(!conn->bits.reuse) {
+    /* only load key/cert on the first use of this connection, for subsequent
+       uses of the connection the data is re-used */
 
-      return rv;
+    if(cert_file) {
+      rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
+      if(CURLE_OK != rv) {
+        const PRErrorCode err = PR_GetError();
+        if(!display_error(conn, err, cert_file)) {
+          const char *err_name = nss_error_to_name(err);
+          failf(data, "unable to load client cert: %d (%s)", err, err_name);
+        }
+        return rv;
+      }
     }
-  }
 
-  if(key_file || (is_file(cert_file))) {
-    if(key_file)
-      rv = nss_load_key(conn, sockindex, key_file);
-    else
-      /* In case the cert file also has the key */
-      rv = nss_load_key(conn, sockindex, cert_file);
-    if(CURLE_OK != rv) {
-      const PRErrorCode err = PR_GetError();
-      if(!display_error(conn, err, key_file)) {
-        const char *err_name = nss_error_to_name(err);
-        failf(data, "unable to load client key: %d (%s)", err, err_name);
+    if(key_file || (is_file(cert_file))) {
+      if(key_file)
+        rv = nss_load_key(conn, sockindex, key_file);
+      else
+        /* In case the cert file also has the key */
+        rv = nss_load_key(conn, sockindex, cert_file);
+      if(rv) {
+        const PRErrorCode err = PR_GetError();
+        if(!display_error(conn, err, key_file)) {
+          const char *err_name = nss_error_to_name(err);
+          failf(data, "unable to load client key: %d (%s)", err, err_name);
+        }
+        return rv;
       }
-
-      return rv;
     }
   }
 
-  return CURLE_OK;
+  return rv;
 }
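Review bot: The new `if(!conn->bits.reuse)` guard at the top of cert_stuff is only safe if the connection-reuse matcher refuses to hand back a connection whose client cert/key settings differ from the current request's; that matcher is outside this hunk, so it is worth confirming, since otherwise a request could be served over a connection authenticated as a different client identity. A comment on the guard should record that dependency, e.g. `/* relies on connection matching comparing client cert/key options; a reused conn was already authenticated with them */`. Separately, in the key branch the fallback loads the key from `cert_file` but the failure path still passes `key_file` (NULL in that case) to display_error; computing `const char *key_src = key_file ? key_file : cert_file;` once and passing it to both `nss_load_key` and `display_error` fixes the mismatch and removes the if/else. The two error checks in the same function also differ in style (`CURLE_OK != rv` for the cert, `if(rv)` for the key); pick one.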
 
 static char * nss_get_password(PK11SlotInfo * slot, PRBool retry, void *arg)
-- 
1.8.4.rc3

