Dan Winship wrote:
> Adam Goode wrote:
>> We are trying to use TLS from a library. The NSS documentation seems to suggest that calling NSS_Init more than once is bad. It doesn't look like it would be safe to call NSS_Init from a library. Really NSS should be returning a context object that encapsulates all NSS state, yes?
>
> Yes. https://bugzilla.redhat.com/show_bug.cgi?id=466313
The thing about NSS_Init is that the first caller wins. Subsequent calls will silently succeed, but you'll be using the initial database. It is possible to open multiple NSS databases in a single process; you just don't use NSS_Init to open subsequent ones.
Per the bug, it isn't really expected for people to use the SSL_DIR environment variable. Since this provides compatibility with OpenSSL, one can continue to use the same PEM files. NSS has a PKCS#11 module which can load these into an in-memory NSS database for use. I'm not discouraging its use, but it may simply be easier to use PEM files for now.
>> It almost seems like a little more work is needed in NSS before it can really work as the one true crypto library.
>
> Agreed. Right now it's really only designed to be used directly by applications, not by other libraries.
>
> -- Dan
I think some NSS work that is expected to appear in F12 will move things a great deal closer to this goal.