From eb0b3acbc1beb08489222ed713ac387ca900fe90 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 19 Sep 2018 10:05:56 +0200 Subject: [PATCH] nss: try to connect even if libnssckbi.so fails to load One can still use CA certificates stored in NSS database. Reported-by: Maxime Legros Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html Closes #3016 --- lib/vtls/nss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 4eb6a7792..0c5a806f1 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1578,8 +1578,9 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, infof(data, "%s %s\n", (result) ? "failed to load" : "loaded", trust_library); if(result == CURLE_FAILED_INIT) - /* make the error non-fatal if we are not going to verify peer */ - result = CURLE_SSL_CACERT_BADFILE; + /* If libnssckbi.so is not available (or fails to load), one can still + use CA certificates stored in NSS database. Ignore the failure. */ + result = CURLE_OK; } else if(!use_trust_module && trust_module) { /* libnssckbi.so not needed but already loaded --> unload it! */