Commit 1a6e7da1 authored by Kamil Dudka's avatar Kamil Dudka

nss: allow to use multiple client certificates for a single host

In case a client certificate is used, invalidate SSL session cache
at the end of a session.  This forces NSS to ask for a new client
certificate when connecting second time to the same host.

Bug: https://bugzilla.redhat.com/689031
parent 23544f35
+1 −1
@@ -52,8 +52,8 @@ This release includes the following bugfixes:
 o progress output: don't print the last update on a separate line
 o POP3: the command to send is STLS, not STARTTLS
 o POP3: PASS command was not sent after upgrade to TLS
 o nss: fix a crash within SSL_AuthCertificate()
 o configure: fix libtool warning
 o nss: allow to use multiple client certificates for a single host

This release includes the following known bugs:
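Review bot: the new entry `o nss: allow to use multiple client certificates for a single host` reads awkwardly ("allow to use"); suggest `o nss: allow multiple client certificates to be used for a single host`, and since the list is not ordered it could sit next to the other nss entry (`o nss: fix a crash within SSL_AuthCertificate()`) so readers scanning for NSS changes find both together.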

+5 −2
@@ -1046,8 +1046,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  if(connssl->handle) {
    PR_Close(connssl->handle);

    /* NSS closes the socket we previously handed to it, so we must mark it
       as closed to avoid double close */
    fake_sclose(conn->sock[sockindex]);
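Review bot: with `PR_Close(connssl->handle);` removed from the top of this block, the comment above `fake_sclose(conn->sock[sockindex]);` now runs before the handle is actually closed, so its present tense ("NSS closes the socket we previously handed to it") reads as if the close has already happened; suggest rewording it to something like "PR_Close() below will close the socket we handed to NSS, so mark it closed first to avoid a double close", which states the ordering dependency where a reader meets it.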
@@ -1055,12 +1053,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
    if(connssl->client_nickname != NULL) {
      free(connssl->client_nickname);
      connssl->client_nickname = NULL;

      /* force NSS to ask again for a client cert when connecting
       * next time to the same server */
      SSL_InvalidateSession(connssl->handle);
    }
#ifdef HAVE_PK11_CREATEGENERICOBJECT
    /* destroy all NSS objects in order to avoid failure of NSS shutdown */
    Curl_llist_destroy(connssl->obj_list, NULL);
    connssl->obj_list = NULL;
#endif
    PR_Close(connssl->handle);
    connssl->handle = NULL;
  }
}
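Review bot: `SSL_InvalidateSession(connssl->handle);` has to run while the handle is still open, which is why `PR_Close(connssl->handle);` now sits at the bottom of the block, but nothing in the code records that constraint; a one-line comment at the moved `PR_Close()` call ("must follow SSL_InvalidateSession() above") would stop a later cleanup from hoisting it back up and passing a closed handle to the invalidation call. The SECStatus returned by `SSL_InvalidateSession()` is also discarded: if it fails, the cached session stays resumable and, per the commit message, NSS will not ask for a client certificate on the next connection to the same host, so emitting a debug trace on failure would make that path diagnosable.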