diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
--- curl-7.19.5.orig/lib/nss.c 2009-07-22 10:28:01.254355601 +0200
+++ curl-7.19.5/lib/nss.c 2009-07-22 10:29:02.437231090 +0200
@@ -857,9 +857,15 @@ void Curl_nss_cleanup(void)
 */
 PR_Lock(nss_initlock);
 if (initialized) {
- if(mod)
+ /* Free references to client certificates held in the SSL session cache.
+ * Omitting this hampers destruction of the security module owning
+ * the certificates. */
+ SSL_ClearSessionCache();
+
+ if(mod && SECSuccess == SECMOD_UnloadUserModule(mod)) {
 SECMOD_DestroyModule(mod);
- mod = NULL;
+ mod = NULL;
+ }
 NSS_Shutdown();
 }
 PR_Unlock(nss_initlock);
@@ -940,9 +946,6 @@ CURLcode Curl_nss_connect(struct connect
 curl_socket_t sockfd = conn->sock[sockindex];
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 SECStatus rv;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
- char *configstring = NULL;
-#endif
 char *certDir = NULL;
 int curlerr;
 const int *cipher_to_enable;
@@ -995,21 +998,23 @@ CURLcode Curl_nss_connect(struct connect
 NSS_SetDomesticPolicy();
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
- configstring = aprintf("library=%s name=PEM", pem_library);
- if(!configstring) {
- PR_Unlock(nss_initlock);
- goto error;
- }
- mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
- free(configstring);
+ if(!mod) {
+ char *configstring = aprintf("library=%s name=PEM", pem_library);
+ if(!configstring) {
+ PR_Unlock(nss_initlock);
+ goto error;
+ }
+ mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
+ free(configstring);
- if(!mod || !mod->loaded) {
- if(mod) {
- SECMOD_DestroyModule(mod);
- mod = NULL;
+ if(!mod || !mod->loaded) {
+ if(mod) {
+ SECMOD_DestroyModule(mod);
+ mod = NULL;
+ }
+ infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
+ "PEM certificates will not work.\n", pem_library);
 }
- infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
- "PEM certificates will not work.\n", pem_library);
 }
 #endif
 }
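Review bot: When `SECMOD_UnloadUserModule(mod)` fails, the new branch in Curl_nss_cleanup leaves `mod` non-NULL and falls straight through to `NSS_Shutdown()`, whose return value is also ignored, so a failed teardown leaves no trace. Nothing in the hunk says the retained pointer is intentional; a comment such as `/* unload failed: keep mod so the next init reuses it rather than loading the PEM module again */` would document the contract that the `if(!mod)` guard in the Curl_nss_connect hunk appears to rely on. Because the added comment itself notes that lingering references hamper destruction of the module owning client certificates, it is worth checking `NSS_Shutdown() != SECSuccess` as well. The function starts before this hunk, so how `initialized` is reset afterwards is not visible here.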
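Review bot: A handle kept from an earlier session bypasses the `!mod->loaded` check in the third hunk, because that check now sits inside the `if(!mod)` block and runs only for a freshly loaded module. If a retained module can be left unloaded or otherwise unusable after `NSS_Shutdown()` (not determinable from this hunk), PEM certificate loading would fail later without the "failed to load NSS PEM library" warning. Consider validating the reused handle too, for example `if(mod && !mod->loaded) { SECMOD_DestroyModule(mod); mod = NULL; }` ahead of the `if(!mod)` guard. The enclosing block of Curl_nss_connect begins above the hunk.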