cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: problem with NSS backend and threads

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 17 Aug 2016 10:42:38 +0200

On Wednesday, August 17, 2016 17:13:13 Peter Wang wrote:
> Hi,
>
> I have hit a problem with the NSS TLS backend when used from multiple
> threads concurrently. A test case is attached.
>
> Briefly, a number of threads try to request an https URL each, at nearly
> the same time. Sometimes it works, but every few runs[1] it produces
> the error message:
>
> error 77: Problem with the SSL CA cert (path? access rights?)
>
> I have traced the problem to this line in nss_create_object():
>
> slot = PK11_FindSlotByName(slot_name);
>
> If I serialise the call then the error does not (seem to) occur,
> e.g. arbitrarily using nss_crllock:
>
> PR_Lock(nss_crllock);
> slot = PK11_FindSlotByName(slot_name);
> PR_Unlock(nss_crllock);

Do I understand it correctly that PK11_FindSlotByName(slot_name) returns NULL?
What is the output of PR_GetError() in that case?

> I had a look at PK11_FindSlotByName() but I don't know what it's supposed
> to be doing. Any help would be appreciated.

It returns a PKCS #11 slot named "PEM Token #0", nothing unexpected IMO...

Kamil

> Peter
>
> [1] The test system is a CentOS 7 VM with 4 cores. I used the system
> libcurl (7.29.0) and also the latest release libcurl/7.50.1, both with
> the system supplied NSS (3.21).
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-08-17