From 70d2235dfbe3070e786ddf5024f03516b431bab3 Mon Sep 17 00:00:00 2001
From: rcritten <>
Date: Aug 04 2005 16:18:49 +0000
Subject: Properly clean up the SSL environment so NSS can be shut down gracefully.
---
diff --git a/nss_engine_init.c b/nss_engine_init.c
index a73e463..beeafcd 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -362,7 +362,7 @@ static void nss_init_ctx_protocol(server_rec *s,
 if (mctx->auth.protocols == NULL) {
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "SSLProtocols not set; using: SSLv3 and TLSv1");
+ "NSSProtocols not set; using: SSLv3 and TLSv1");
 ssl3 = tls = 1;
 } else {
 lprotocols = strdup(mctx->auth.protocols);
@@ -659,6 +659,7 @@ static void nss_init_server_certs(server_rec *s,
 }
 mctx->serverkey = PK11_FindPrivateKeyFromCert(slot, mctx->servercert, NULL);
+ PK11_FreeSlot(slot);
 if (mctx->serverkey == NULL) {
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -703,6 +704,7 @@ static void nss_init_server_certs(server_rec *s,
 nss_die();
 }
+#if 1
 secstatus = SSL_ConfigSecureServer(mctx->model, mctx->servercert, mctx->serverkey, mctx->serverKEAType);
 if (secstatus != SECSuccess) {
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -710,6 +712,7 @@ static void nss_init_server_certs(server_rec *s,
 nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
 nss_die();
 }
+#endif
 secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
 if (secstatus != SECSuccess)
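Review bot: The `#if 1` added in front of the `SSL_ConfigSecureServer` call in the `-703` hunk, closed by the `#endif` added in the `-710` hunk, is an always-true guard with no comment and reads like leftover debugging scaffolding. This block installs the server certificate and private key on the model socket and checks the result, so a guard that can be flipped to `#if 0` would skip both the call and its error handling. Either drop the two directives or state the reason next to them, for example `/* kept switchable because <reason>; remove once resolved */`. `nss_init_server_certs` starts and ends outside both hunks.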
@@ -760,11 +763,34 @@ void nss_init_Child(apr_pool_t *p, server_rec *s)
 apr_status_t nss_init_ModuleKill(void *data)
 {
- /*
- * There is nothing stored at the server level to kill at the moment.
+ SSLSrvConfigRec *sc;
+ server_rec *base_server = (server_rec *)data;
+ server_rec *s;
+ SECStatus rv;
+
+ /*
+ * Free the non-pool allocated structures
+ * in the per-server configurations
 */
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
+ if (sc->enabled) {
+ CERT_DestroyCertificate(sc->server->servercert);
+ SECKEY_DestroyPrivateKey(sc->server->serverkey);
+
+ /* Closing this implicitly cleans up the copy of the certificates
+ * and keys associated with any SSL socket */
+ PR_Close(sc->server->model);
+ }
+ }
+
+ if ((rv = NSS_Shutdown()) != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "NSS_Shutdown failed: %d", PR_GetError());
+ }
- NSS_Shutdown();
+ PR_Cleanup();
 return APR_SUCCESS;
 }
diff --git a/nss_engine_pphrase.c b/nss_engine_pphrase.c
index 61324d7..7524511 100644
--- a/nss_engine_pphrase.c
+++ b/nss_engine_pphrase.c
@@ -70,6 +70,7 @@ SECStatus nss_Init_Tokens(server_rec *s)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "The token %s has not been initialized.", PK11_GetTokenName(slot));
 }
+ PK11_FreeSlot(slot);
 continue;
 }
@@ -79,6 +80,7 @@ SECStatus nss_Init_Tokens(server_rec *s)
 break;
 }
 parg->retryCount = 0; // reset counter to 0 for the next token
+ PK11_FreeSlot(slot);
 }
 /*
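Review bot: In `nss_init_ModuleKill` the certificate, private key and model socket are released but the `servercert`, `serverkey` and `model` fields keep their old values, so a second run of this cleanup over the same records, or any later read of those fields, would touch freed NSS objects. How the cleanup is registered is not visible in this hunk, so that needs confirming; clearing each field right after its release (`sc->server->serverkey = NULL;` and likewise for the other two) makes the function safe to repeat. `sc->server` and `sc->server->model` are also dereferenced without a NULL check, and `PR_Close` dereferences its argument, so a guard such as `if (sc->enabled && sc->server && sc->server->model)` is worth adding if a server can be enabled without completed certificate setup. The `NSS_Shutdown` failure is logged with a NULL `server_rec`; passing `base_server` would presumably send it to the configured error log instead.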
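Review bot: The `break;` just above the new `PK11_FreeSlot(slot);` in the `-79` hunk of `nss_engine_pphrase.c` leaves the loop before the added release runs, so on that path the slot reference is dropped only if code after the loop does it, which this hunk does not show. If nothing does, the reference stays outstanding, and `NSS_Shutdown` can fail on outstanding references, which is the condition this commit is trying to remove. Adding `PK11_FreeSlot(slot);` immediately before that `break;` would cover the path. The loop in `nss_Init_Tokens` starts outside the hunk, so how `slot` is obtained on each iteration should be checked before applying this.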