nss: allow to use multiple client certificates for a single host

In case a client certificate is used, invalidate SSL session cache
at the end of a session.  This forces NSS to ask for a new client
certificate when connecting second time to the same host.

Bug: https://bugzilla.redhat.com/689031

2 files changed, 6 insertions, 3 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6d1cf4896..df95ef5d8 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -52,8 +52,8 @@ This release includes the following bugfixes:
  o progress output: don't print the last update on a separate line
  o POP3: the command to send is STLS, not STARTTLS
  o POP3: PASS command was not sent after upgrade to TLS
- o nss: fix a crash within SSL_AuthCertificate()
  o configure: fix libtool warning
+ o nss: allow to use multiple client certificates for a single host
 
 This release includes the following known bugs:
 
diff --git a/lib/nss.c b/lib/nss.c
index 7377e72fc..d93937755 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1046,8 +1046,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 
   if(connssl->handle) {
-    PR_Close(connssl->handle);
-
     /* NSS closes the socket we previously handed to it, so we must mark it
        as closed to avoid double close */
     fake_sclose(conn->sock[sockindex]);
@@ -1055,12 +1053,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
     if(connssl->client_nickname != NULL) {
       free(connssl->client_nickname);
       connssl->client_nickname = NULL;
+
+      /* force NSS to ask again for a client cert when connecting
+       * next time to the same server */
+      SSL_InvalidateSession(connssl->handle);
     }
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
     /* destroy all NSS objects in order to avoid failure of NSS shutdown */
     Curl_llist_destroy(connssl->obj_list, NULL);
     connssl->obj_list = NULL;
 #endif
+    PR_Close(connssl->handle);
     connssl->handle = NULL;
   }
 }