On Fri, May 24, 2019 at 7:09 AM Valek, Andrej <[email protected]> wrote:
> Hello Everyone!
>
> I have found your nice project, which could solve my problems.
>
> I am trying to get rid of the libnss due to some problems.
>
> My application is QtWebengine + chromium based. Previously SSL
> certificates have been handled by openssl. Chromium read ca-certificates
> from /etc/ssl/certs, but from QT version 5.12.3 they have switched to using
> nss. When the application starts, it loads certificates from ~/.pki/nssdb.
> Application is still using the old certificates, even if I upload the new
> certificate and the nssdb is updated via certutil from ca-certificate
> update hook. Application just reads nssdb during starting. After
> application restarting, it re-loaded the library and worked. But this case
> is unwanted.
>

Since you mentioned Chromium and libnss - this isn't something p11-kit can help with. While you're not using nssckbi anymore, you're still using libnss for all of the certificate verification and operations, and libnss (and the mozilla::pkix APIs that Chromium-based distributions use from libnss) has a host of internal caches. Additionally, Chromium itself has a host of internal caches, and officially, does not support your use case.

If you'd like to resolve this, you'd need to switch to using something not-Chromium-based, not-libnss-based (although Chromium using the other backends similarly makes no guarantee of immediate visibility of changes absent process restarts), or maintain patches for or on top of QtWebEngine. In any event, those are probably easily answered on a Chromium bug, with the knowledge it may be WontFixed, but at least provide more thorough answers if you have follow-up questions.

Hope that helps!

/Chromium maintainer of that code, who happens to lurk here.
_______________________________________________
p11-glue mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/p11-glue
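The thread establishes that a running process keeps the trust data it loaded at startup until it is restarted. As an added example (not from the thread, p11-kit, NSS or Chromium), the following shell functions let a ca-certificate update hook list processes that started before the nssdb was last modified and so may still be trusting old certificates. The function names are hypothetical, and the code assumes Linux with GNU `stat` and procps `ps`/`pgrep`.

```shell
#!/bin/sh
# Added example; all function names are hypothetical.
# Assumes GNU stat and procps-ng ps (for the "etimes" column).

# Newest mtime (epoch seconds) of any regular file in an NSS db directory.
# Prints 0 when the directory is missing or holds no files.
nssdb_latest_mtime() {
    dir=$1
    latest=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(stat -c %Y "$f") || continue
        if [ "$m" -gt "$latest" ]; then latest=$m; fi
    done
    echo "$latest"
}

# Start time of a process as epoch seconds: now minus its elapsed run time.
proc_start_epoch() {
    age=$(ps -o etimes= -p "$1") || return 1
    [ -n "$age" ] || return 1
    echo $(( $(date +%s) - age ))
}

# Exit 0 when the process started before the db was last modified, i.e. it
# may still hold the certificates it read at startup. Exit 2 if the pid is gone.
pid_predates_nssdb() {
    pid=$1; dir=$2
    started=$(proc_start_epoch "$pid") || return 2
    [ "$started" -lt "$(nssdb_latest_mtime "$dir")" ]
}

# Print the PIDs of processes named $1 that predate the last change to $2.
stale_pids() {
    name=$1; dir=$2
    for pid in $(pgrep -x "$name"); do
        if pid_predates_nssdb "$pid" "$dir"; then echo "$pid"; fi
    done
}
```

Calling `stale_pids <process-name> "$HOME/.pki/nssdb"` at the end of the update hook gives the list of processes to restart or alert on.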
