Anton Bobrov wrote:
NSS_Shutdown returns a value indicating success or failure. It can fail.
libldap *may* be holding references to NSS objects when you try to
shutdown NSS. In general, I would not expect that you will be able to
shutdown NSS underneath libldap, without the awareness and participation
of libldap. IMO, your best bet is to get libldap to shut down everything
it knows about NSS and then shut down NSS.

Mike, i think Nelson is right here. it appears that we don't do necessary
cleanup within libssldap in order for what i suggested to work. i might
have been dreaming about this but somehow i thought that approach used
to work, maybe old NSS version/s were less strict on this, dunno. anyway
i did test this and you will always get SEC_ERROR_BUSY from NSS_Shutdown
right now. there is no public api available in libssldap today you can
call for cleanup before calling NSS_Shutdown. please open a bug for this
because i think there is need for such a cleanup api OR perhaps we can
utilize NSS_RegisterShutdown so it will call our cleanup handler before
NSS shutdown and take the burden off users.

Or, make sure you call SSL_ClearSessionCache() before calling
NSS_Shutdown(). As Nelson said, NSS caches SSL client session
information - this cache must be cleared, otherwise NSS_Shutdown will
give an error (usually SEC_ERROR_BUSY). It is ok to call
SSL_ClearSessionCache multiple times.

The only issue I see with that approach is that libldap appears to open
the cert DB read-only. In order to be able to update it from your
program, you'd have to open it read-write. That's feasible. It would be
cleanest if libldap was extended to do that, but you could do it
yourself, with your own alternative implementation of
ldapssl_clientauth_init().

i think you can actually call NSS_Initialize() RW from within your app
then call ldapssl functions as before and since NSS will be already in
initialized state all subsequent init attempts from ldapssl functions
will be essentially no ops.

back to your original question and problem at hand i don't see any easy
workaround for this unless maybe Nelson can suggest some hack to force
NSS to shutdown which isn't right and probably pretty unsafe but if you
are desperate for some kinda workaround that might be it. apart from
that the only thing i can think of is doing fork() and doing ldapssl_*
reinit in the child process while making the parent quit.
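
The teardown order suggested in the thread (clear the SSL session cache, then call NSS_Shutdown and check its return value), as an added example that is not code from the thread, libldap or NSS. The names nss_teardown and teardown_result are hypothetical; without -DUSE_NSS the NSS symbols are constructed stand-ins, labelled in the code, so the file builds without NSS installed.

```c
/* Added example: shutdown order for a process that used NSS through libldap.
 * Build with -DUSE_NSS plus the NSS/NSPR include and link flags to use the
 * real library; the default build uses a constructed stand-in instead. */
#include <stdio.h>
#ifdef USE_NSS
#include <nss.h>
#include <ssl.h>
#include <secerr.h>
#include <secport.h>
#else
/* Constructed stand-in, NOT NSS: shutdown is refused while sessions are cached. */
typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;
enum { SEC_ERROR_BUSY = 1 };            /* placeholder value, not the real code */
static int sim_cached_sessions = 0, sim_error = 0;
static void SSL_ClearSessionCache(void) { sim_cached_sessions = 0; }
static int PORT_GetError(void) { return sim_error; }
static SECStatus NSS_Shutdown(void) {
    if (sim_cached_sessions > 0) { sim_error = SEC_ERROR_BUSY; return SECFailure; }
    sim_error = 0;
    return SECSuccess;
}
#endif

typedef enum { TEARDOWN_OK, TEARDOWN_BUSY, TEARDOWN_FAILED } teardown_result;

/* Clear the SSL client session cache, then shut NSS down and check the result.
 * clear_cache = 0 reproduces the order that fails in the thread. */
static teardown_result nss_teardown(int clear_cache) {
    if (clear_cache)
        SSL_ClearSessionCache();        /* safe to call more than once */
    if (NSS_Shutdown() == SECSuccess)
        return TEARDOWN_OK;
    /* BUSY means something still holds references to NSS objects. */
    return PORT_GetError() == SEC_ERROR_BUSY ? TEARDOWN_BUSY : TEARDOWN_FAILED;
}

int main(void) {
#ifdef USE_NSS
    if (NSS_NoDB_Init(NULL) != SECSuccess) return 2;   /* minimal init, no cert DB */
#else
    sim_cached_sessions = 2;            /* constructed: two cached TLS sessions */
#endif
    teardown_result r = nss_teardown(1);
    printf("teardown: %s\n",
           r == TEARDOWN_OK ? "ok" : r == TEARDOWN_BUSY ? "busy" : "failed");
    return r == TEARDOWN_OK ? 0 : 1;
}
```

A TEARDOWN_BUSY result after the cache has been cleared means some other holder still references NSS objects, which is the libldap case discussed above.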