libnss replacement

Ryan Sleevi rsleevi at
Tue May 28 00:29:51 UTC 2019

On Fri, May 24, 2019 at 7:09 AM Valek, Andrej <andrej.valek at>

> Hello Everyone!
> I have found your nice project, which could solves my problems.
> I am trying to get rid of the libnss due to some problems.
> My application is QtWebengine + chromium based. Previously SSL
> certificates have been handled by openssl. Chromium read ca-certificates
> from /etc/ssl/certs, but from QT version 5.12.3 they have switched to used
> nss. When the application starts, it loads certificates from ~/.pki/nssdb .
> Application is still using the old certificates, even if I upload the new
> certificate and the nssdb is updated via certutil from ca-certificate
> update hook. Application just reads nssdb during starting. After
> application restarting, it re-loaded the library and worked. But this case
> is unwanted.

Since you mentioned Chromium and libnss - this isn't something p11-kit can
help with. While you're not using nssckbi anymore, you're still using
libnss for all of the certificate verification and operations, and libnss
(and the mozilla::pkix APIs that Chromium-based distributions use from
libnss) has a host of internal caches. Additionally, Chromium itself has a
host of internal caches, and officially, does not support your use case.

If you'd like to resolve this, you'd need to switch to using something
not-Chromium-based, not-libnss-based (although Chromium using the other
backends similarly makes no guarantee of immediate visibility of changes
absent process restarts), or maintain patches for or on top of QtWebEngine.
In any event, those are probably easily answered on a Chromium bug, with
the knowledge it may be WontFixed, but at least provide more thorough
answers if you have follow-up questions.

Hope that helps!

/Chromium maintainer of that code, who happens to lurk here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the p11-glue mailing list