curl-library
Re: NSS, CURLOPT_CAINFO, and using the NSS CAs
Date: Mon, 28 Jul 2014 23:05:07 +0200
On Monday, July 28, 2014 11:56:46 David Shaw wrote:
> On Jul 28, 2014, at 10:24 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> > On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
> >> Hello,
> >>
> >> A good while back I had some code that needed to use the NSS CAs only
> >> (and not the PEM ca-bundle file). I did this by symlinking libnssckbi.so
> >> into my nssdb (so NSS would have the CA certs),
> >
> > I am not sure how this is supposed to work. Is it documented anywhere?
>
> It's mentioned here: http://curl.haxx.se/docs/sslcerts.html
Thanks for the pointer! I was not aware of that. This probably stopped
working because of the following change (which helps to prevent collisions
on NSS initialization/shutdown with other libraries):
https://github.com/bagder/curl/commit/20cb12db
NSS_InitContext() internally calls nss_Init() with the noRootInit flag set,
which is intentional, I am afraid.
I would propose to just remove the outdated statement from the documentation.
> Certainly a "certutil -d /etc/pki/nssdb -L -h all" does show all the CAs
> with the symlink in place, and shows nothing without the symlink in place.
>
> I also tried "modutil -dbdir /etc/pki/nssdb -add ca_certs -libfile
> /usr/lib64/libnssckbi.so", which had the same result (certutil shows all
> the CAs, and removing that module makes certutil show nothing), but it
> similarly didn't work when done through curl.
>
> Is there an alternate way to give NSS a set of CAs without importing each
> one specifically?
>
> David
You can reintroduce the old behavior by initializing NSS in your application:
/* open the NSS database read-only; NSS_Initialize() returns a SECStatus */
if (NSS_Initialize("sql:/etc/pki/nssdb", "", "", "", NSS_INIT_READONLY) != SECSuccess)
    return -1; /* PR_GetError() tells why */
// insert the code of your example here...
NSS_Shutdown();
Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-28