author | rcritten <> | 2005-10-11 15:01:34 +0000 |
---|---|---|
committer | rcritten <> | 2005-10-11 15:01:34 +0000 |
commit | 90314a138f7130236bbe5c699a2b5bafe61c779c (patch) | |
tree | ba7d06c7cb9acce240d663f13eb7cb646dd454ce /nss_engine_init.c | |
parent | 252fddba6cd7431db7cbd8a677bb52860ef5ba0a (diff) | |
Close the proxy model socket so NSS can be shut down gracefully. Also
correct an error where the PKCS#11 slot isn't closed unless the
certificate key is obtained. This also affected NSS_Shutdown().
Diffstat (limited to 'nss_engine_init.c')
-rw-r--r-- | nss_engine_init.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c
index a9ae8d0..6f33db4 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -756,11 +756,11 @@ static void nss_init_server_certs(server_rec *s,
 nss_die();
 }
- if (mctx->nickname != NULL)
+ if (mctx->nickname != NULL) {
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
 "Using nickname %s.", mctx->nickname);
-
- mctx->servercert = FindServerCertFromNickname(mctx->nickname);
+ mctx->servercert = FindServerCertFromNickname(mctx->nickname);
+ }
 /* Verify the certificate chain. */
 if (mctx->servercert != NULL && mctx->as_server) {
@@ -812,8 +812,8 @@ static void nss_init_server_certs(server_rec *s,
 if (mctx->servercert) {
 mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL);
- PK11_FreeSlot(slot);
 }
+ PK11_FreeSlot(slot);
 if (mctx->as_server && mctx->serverkey == NULL) {
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -952,6 +952,16 @@ apr_status_t nss_init_ModuleKill(void *data)
 shutdowncache = 1;
 }
+ if (sc->proxy_enabled) {
+ if (sc->proxy->servercert != NULL) {
+ CERT_DestroyCertificate(sc->proxy->servercert);
+ SECKEY_DestroyPrivateKey(sc->proxy->serverkey);
+ }
+
+ /* Closing this implicitly cleans up the copy of the certificates
+ * and keys associated with any SSL socket */
+ PR_Close(sc->proxy->model);
+ }
 }
 if (shutdowncache) |
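Review bot: With the assignment moved inside the new braces in the first hunk, `mctx->servercert` is no longer written at all when `mctx->nickname` is NULL, so the chain check directly below reads whatever the field held before. That is only safe if the context starts out zeroed and nothing earlier sets the field, neither of which is visible here. Adding `else { mctx->servercert = NULL; }`, or a comment stating that the field is NULL on entry, would make the no-nickname path explicit. nss_init_server_certs starts and ends outside the hunk.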
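Review bot: `PK11_FreeSlot(slot)` in the second hunk now runs on every path, but nothing visible shows that `slot` is non-NULL at this point, and to my knowledge PK11_FreeSlot does not accept NULL. The slot is acquired outside the hunk, so please confirm that a failed lookup cannot reach this line. The reason for the move also deserves a comment at the call, for example `/* Drop our slot reference whether or not a key was found; a leaked reference keeps NSS_Shutdown() from succeeding. */`.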
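Review bot: In the new `if (sc->proxy_enabled)` block of the third hunk, `PR_Close(sc->proxy->model)` is called without checking that the model socket exists, and `SECKEY_DestroyPrivateKey()` is gated on `servercert` rather than on `serverkey`. The second hunk shows that the key lookup can leave `serverkey` NULL while `servercert` is set, and a proxy context whose model was never created would hand NULL to PR_Close, which dereferences its argument. The released pointers are also left in place, so a second pass through nss_init_ModuleKill over the same config would release them twice; whether that can happen is not visible here. Guarding each release on its own pointer and clearing it afterwards covers both cases. The function starts and ends outside the hunk.

```c
if (sc->proxy_enabled) {
    if (sc->proxy->servercert != NULL) {
        CERT_DestroyCertificate(sc->proxy->servercert);
        sc->proxy->servercert = NULL;
    }
    if (sc->proxy->serverkey != NULL) {
        SECKEY_DestroyPrivateKey(sc->proxy->serverkey);
        sc->proxy->serverkey = NULL;
    }

    /* … unchanged: comment on closing the model socket … */
    if (sc->proxy->model != NULL) {
        PR_Close(sc->proxy->model);
        sc->proxy->model = NULL;
    }
}
```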