curl / Mailing Lists / curl-library / Single Mail


Re: Multi-threading, NSS, client certificates and Linux problem

From: Pawel Veselov <>
Date: Thu, 19 Jan 2017 13:39:44 -0800

Hi Kamil.

On Thu, Jan 19, 2017 at 4:08 AM, Kamil Dudka <> wrote:
> On Thursday, January 19, 2017 00:27:57 Pawel Veselov wrote:
> > Running strace on the process, I can see NSS accessing the correct PEM
> > files, but simply not including the certificate (point #1). I assume there
> > are some invalid bits for point #2 (the correct certificate seems to be
> > included), but figuring it out is somewhat tedious. I assume that the
> > problems are related, and #1 is more clear cut.
> If you load certificates from files, you must be using the nss-pem PKCS #11
> module. Do you have any idea which version of nss-pem you are using?

1.0.2-2, at least on Fedora. It's actually your spec file that you
made for Fedora :)
>> * Wed Jun 22 2016 Kamil Dudka <> 1.0.2-2
>> - explicitly conflict with all nss builds with bundled nss-pem (#1347336)

> Could you please verify that the following patch is included?

Yes, it is included.

> > I was wondering whether this was a known problem, and what is the best
> > approach to debugging it. Considering I've not been around NSS or libcurl
> > code before, any pointers on where to dig would be highly appreciated.
> Could you please try to import the client certificates (and keys) to the
> NSS database by the pk12util tool and refer to them by their nicknames
> while using the CURLOPT_SSLCERT option of libcurl?

Things work perfectly fine if I use the database, i.e. no MT problems.
Unfortunately, this is not a workaround to what I'm trying to achieve,
but it is pointing to nss-pem as a culprit, isn't it? Anywhere in
particular you'd like me to dig in there?

P.S. I also discovered that if database is used (even if it just
exists, may be it needs to have a CA, may be it doesn't), then
CURLOPT_CAINFO is ignored, or at least the cert that is provided by it
is no longer trusted. May be because the same cert is in the DB, and
without the C flag. If it is the latter, it is probably still a
problem, because if I say I need to trust cert X, there is no other
way for me to do it (if it is a system database, for example).
List admin:
Received on 2017-01-19