curl-library

Re: Multi-threading, NSS, client certificates and Linux problem

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 19 Jan 2017 13:08 +0100

On Thursday, January 19, 2017 00:27:57 Pawel Veselov wrote:
> Running strace on the process, I can see NSS accessing the correct PEM
> files, but simply not including the certificate (point #1). I assume there
> are some invalid bits for point #2 (the correct certificate seems to be
> included), but figuring it out is somewhat tedious. I assume that the
> problems are related, and #1 is more clear cut.

If you load certificates from files, you must be using the nss-pem PKCS #11
module. Do you have any idea which version of nss-pem you are using?

Could you please verify that the following patch is included?

https://github.com/kdudka/nss-pem/commit/33ceed15

The important part of the patch is 'return CKR_CANT_LOCK;' which tells CKFW
that the nss-pem module is not thread safe during its initialization.

> I was wondering whether this was a known problem, and what is the best
> approach to debugging it. Considering I've not been around NSS or libcurl
> code before, any pointers on where to dig would be highly appreciated.

Could you please try to import the client certificates (and keys) to the
NSS database by the pk12util tool and refer to them by their nicknames
while using the CURLOPT_SSLCERT option of libcurl?

Kamil
Received on 2017-01-19