It sounds like the NSS bug should be looked at first.

(In reply to Hubert Kario from comment #20)
> If you point NSS at /etc/pki/nssdb, it will load both it and
> $HOME/.pki/nssdb - user's private keys wouldn't work otherwise.

> work around that by manually adding a PKCS#11 token to
> /etc/pki/nssdb/pkcs11.txt I don't think there's any way to get curl to let

If the certificate is specified by nickname, libcurl just passes the callback over to NSS_GetClientAuthData(). libcurl overrides the SelectClientCert() hook only for certificates loaded from files (detected by slash occurring in the name). So we need to make NSS accept RFC7512 URIs as certificate nicknames.

> even clear if it makes sense to manually load p11-kit-proxy.so (or add it to
> /etc/pki/nssdb/pkcs11.txt) or whether that will end up conflicting with a

How can we write a patch for libcurl then? :-)

(In reply to David Woodhouse from comment #8)
> Only part of this bug will go away if bug #1173577 is fixed.

* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)

If I build curl for myself, against GnuTLS instead of NSS, *then* it works.