On Wednesday 18 January 2012 04:33:34 David Shaw wrote:
> Hi,
>
> When built with NSS, and if libnsspem.so is available, curl can handle
> PEM-formatted cert files. I'd like to use the "regular" NSS cert storage
> alone, but this is difficult as if a CA bundle is available, curl will
> load it, and use it in addition to the NSS DB.
>
> I'm able to work around this behavior by passing NULL to CURLOPT_CAINFO so
> nothing is loaded, but this only works when I'm using libcurl. Is there
> some way to not load any PEM files when using the curl command line?

The only way I am aware of is to recompile libcurl with --without-ca-bundle,
but I agree this should be more flexible. Is this issue really specific to
NSS?

> Alternately, and perhaps even better, is there a way to disable
> libnsspem.so altogether (perhaps via the pkcs11.txt config file?)

libnsspem.so is being loaded directly by libcurl. The code dealing with
libnsspem.so is #ifdef'd by HAVE_PK11_CREATEGENERICOBJECT, but there is no
option in configure to disable this feature explicitly atm. Maybe we should
introduce a compile-time option to disable libnsspem.so completely and give
that define a more meaningful name. If there is no objection, I will prepare
a patch for that.

Kamil
