
Commit 7700fcb

committed
nss: refuse previously loaded certificate from file
... when we are not asked to use a certificate from file
1 parent 822082d commit 7700fcb


2 files changed

+8
-1
lines changed


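--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -37,6 +37,7 @@ This release includes the following bugfixes:
 o SOCKS: display the hostname returned by the SOCKS5 proxy server
 o sasl: Don't use GSSAPI authentication when domain name not specified [16]
 o win: Basic support for Universal Windows Platform apps [17]
+o nss: fix incorrect use of a previously loaded certificate from file
 
 This release includes the following known bugs:
 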
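--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1002,10 +1002,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
 struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
 struct Curl_easy *data = connssl->data;
 const char *nickname = connssl->client_nickname;
+static const char pem_slotname[] = "PEM Token #1";
 
 if(connssl->obj_clicert) {
 /* use the cert/key provided by PEM reader */
-static const char pem_slotname[] = "PEM Token #1";
 SECItem cert_der = { 0, NULL, 0 };
 void *proto_win = SSL_RevealPinArg(sock);
 struct CERTCertificateStr *cert;
@@ -1067,6 +1067,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
 if(NULL == nickname)
 nickname = "[unknown]";
 
+if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
+failf(data, "NSS: refusing previously loaded certificate from file: %s",
+nickname);
+return SECFailure;
+}
+
 if(NULL == *pRetKey) {
 failf(data, "NSS: private key not found for certificate: %s", nickname);
 return SECFailure;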
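Review bot: The new guard at line 1070 rejects a selected certificate by prefix-matching its nickname against `pem_slotname`, but nothing in the code says why a nickname starting with the slot name identifies a certificate loaded from file, so the hoisted magic string reads as arbitrary; a comment above the check such as `/* certs loaded from file by the PEM reader get a nickname prefixed with the PEM slot name; since no file cert was requested here, such a match means NSS picked up a leftover one */` would make the intent and the security purpose of the refusal clear. Because `strncmp` with `sizeof(pem_slotname) - 1U` is a pure prefix test, any nickname beginning with "PEM Token #1" (including longer slot numbers, if the PEM module ever exposes them) is also refused — presumably intended, but worth stating in that comment. SelectClientCert starts before the first hunk and continues after the second, so the value of `nickname` being tested here is assigned by code outside the hunk.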