On Friday, April 07, 2017 18:46:33 Kai Engert wrote: > You convinced me, that it would be good to have test cases to demonstrate > how nss/openssl/gnutls are behaving related to the distrust rules. > > I setup the following page, wich provides multiple test cases, and > intructions how to test: > https://kuix.de/misc/test-distrust/ Thanks! I can confirm it works as expected if I load p11-kit-trust.so instead of using nss-pem to load the CA bundle from file. However, it might be not so easy to switch curl to use it because the trust is global. If we make libcurl load/unload the whole module per connection, it will hardly work as expected in case we run multiple handshakes in parallel. Anyway, I guess we should move this discussion to some curl- or nss-related channel... Kamil > Kai _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
