On Monday, July 28, 2014 11:56:46 David Shaw wrote:
> On Jul 28, 2014, at 10:24 AM, Kamil Dudka <kdu...@redhat.com> wrote:
> > On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
> >> Hello,
> >>
> >> A good while back I had some code that needed to use the NSS CAs only
> >> (and not the PEM ca-bundle file). I did this by symlinking libnssckbi.so
> >> into my nssdb (so NSS would have the CA certs),
> >
> > I am not sure how this is supposed to work. Is it documented anywhere?
>
> It's mentioned here: http://curl.haxx.se/docs/sslcerts.html
Thanks for the pointer! I was not aware of that. This probably stopped working
because of the following change (which helps to prevent collisions on NSS
initialization/shutdown with other libraries):

https://github.com/bagder/curl/commit/20cb12db

NSS_InitContext() internally calls nss_Init() with the noRootInit flag set,
which is intentional, I am afraid. I would propose to just remove the outdated
statement from the documentation.

> Certainly a "certutil -d /etc/pki/nssdb -L -h all" does show all the CAs
> with the symlink in place, and shows nothing without the symlink in place.
>
> I also tried "modutil -dbdir /etc/pki/nssdb -add ca_certs -libfile
> /usr/lib64/libnssckbi.so", which had the same result (certutil shows all
> the CAs, and removing that module makes certutil show nothing), but it
> similarly didn't work when done through curl.
>
> Is there an alternate way to give NSS a set of CAs without importing each
> one specifically?
>
> David

You can reintroduce the old behavior by initializing NSS in your application:

    NSS_Initialize("sql:/etc/pki/nssdb", "", "", "", NSS_INIT_READONLY);

    // insert the code of your example here...

    NSS_Shutdown();

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html