From 1a6e7da13d1bf14c09cb0509c114ba9bd3cac79f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 1 Apr 2011 16:31:28 +0200 Subject: nss: allow to use multiple client certificates for a single host In case a client certificate is used, invalidate SSL session cache at the end of a session. This forces NSS to ask for a new client certificate when connecting second time to the same host. Bug: https://bugzilla.redhat.com/689031 --- lib/nss.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/nss.c b/lib/nss.c index 7377e72fc..d93937755 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -1046,8 +1046,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) struct ssl_connect_data *connssl = &conn->ssl[sockindex]; if(connssl->handle) { - PR_Close(connssl->handle); - /* NSS closes the socket we previously handed to it, so we must mark it as closed to avoid double close */ fake_sclose(conn->sock[sockindex]); @@ -1055,12 +1053,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) if(connssl->client_nickname != NULL) { free(connssl->client_nickname); connssl->client_nickname = NULL; + + /* force NSS to ask again for a client cert when connecting + * next time to the same server */ + SSL_InvalidateSession(connssl->handle); } #ifdef HAVE_PK11_CREATEGENERICOBJECT /* destroy all NSS objects in order to avoid failure of NSS shutdown */ Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; #endif + PR_Close(connssl->handle); connssl->handle = NULL; } } -- cgit v1.2.3