Hi Rob, Rob Crittenden schrieb: > If I'm reading this right it means you can't set SSL_DIR to point to a > sql database, right? I wonder if an extra bit of code to detect that > would be helpful. If you mean to set 'SSL_DIR=sql:/etc/pki/nssdb' then no; previously it was possible, but I thought it makes more sense to check for a valid dir rather than just passing the value of SSL_DIR blindly to NSS_Initialize().
> It will also silently skip bad directories. If you have a typo in > SSL_DIR it will default to using either the default database or try to > initialize a NULL string. yes, but that was before same, and I did already add an infof() to see if what directory is finally used. > Error reporting is pretty weak right now (my fault). Might be nice to > improve the message to include what was passed to NSS_Initialize when it > fails, particularly since it could be auto-generated (though the sql: > string might be confusing for some). agreed, but I thought we do first look at the 'sql:' prefix thing, and test that; after we have verified that this does not harm anything we should then in a second commit add any more informational or error output, and add a NSS section to docu; I started on that also already, but then stopped since my first approach was suggesting to use the env var NSS_DEFAULT_DB_TYPE, but that was a bad idea since it affects all other apps, and I wondered why my Thunderbird couldnt verify my mailserver's cert :) It was already my bad that I included the check for SSL_DIR with this patch - I should have splitted this into two patches since it has nothing to do with the prefixing. Of most interest might be if the patch behaves correctly with NSS versions < 3.12.0, so if you folks at RetHat have some older versions would be nice if you could give it a try ... Gün.
