From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 19 Sep 2018 08:05:56 +0000 (+0200)
Subject: nss: try to connect even if libnssckbi.so fails to load
X-Git-Tag: curl-7_62_0~164
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb0b3acbc1beb08489222ed713ac387ca900fe90;p=thirdparty%2Fcurl.git

nss: try to connect even if libnssckbi.so fails to load

One can still use CA certificates stored in NSS database.

Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html

Closes #3016
---

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 4eb6a77921..0c5a806f12 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1578,8 +1578,9 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
     infof(data, "%s %s\n", (result) ? "failed to load" : "loaded",
           trust_library);
     if(result == CURLE_FAILED_INIT)
-      /* make the error non-fatal if we are not going to verify peer */
-      result = CURLE_SSL_CACERT_BADFILE;
+      /* If libnssckbi.so is not available (or fails to load), one can still
+         use CA certificates stored in NSS database.  Ignore the failure. */
+      result = CURLE_OK;
   }
   else if(!use_trust_module && trust_module) {
     /* libnssckbi.so not needed but already loaded --> unload it! */