diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c

--- curl-7.19.4.orig/lib/nss.c	2009-04-27 09:48:12.548102000 +0200

+++ curl-7.19.4/lib/nss.c	2009-04-27 09:48:32.993420443 +0200

@@ -527,6 +527,7 @@ static int nss_load_key(struct connectda

     return 0;

   }

   free(parg);

+  PK11_FreeSlot(slot);

   return 1;

 #else

@@ -819,9 +820,9 @@ static SECStatus SelectClientCert(void *

                                   struct CERTCertificateStr **pRetCert,

                                   struct SECKEYPrivateKeyStr **pRetKey)

 {

-  CERTCertificate *cert;

   SECKEYPrivateKey *privKey;

-  char *nickname = (char *)arg;

+  struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;

+  char *nickname = connssl->client_nickname;

   void *proto_win = NULL;

   SECStatus secStatus = SECFailure;

   PK11SlotInfo *slot;

@@ -832,34 +833,35 @@ static SECStatus SelectClientCert(void *

   if(!nickname)

     return secStatus;

-  cert = PK11_FindCertFromNickname(nickname, proto_win);

-  if(cert) {

+  connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);

+  if(connssl->client_cert) {

     if(!strncmp(nickname, "PEM Token", 9)) {

       CK_SLOT_ID slotID = 1; /* hardcoded for now */

       char slotname[SLOTSIZE];

       snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);

       slot = PK11_FindSlotByName(slotname);

-      privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);

+      privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);

       PK11_FreeSlot(slot);

       if(privKey) {

         secStatus = SECSuccess;

       }

     }

     else {

-      privKey = PK11_FindKeyByAnyCert(cert, proto_win);

+      privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);

       if(privKey)

         secStatus = SECSuccess;

     }

   }

   if(secStatus == SECSuccess) {

-    *pRetCert = cert;

+    *pRetCert = connssl->client_cert;

     *pRetKey = privKey;

   }

   else {

-    if(cert)

-      CERT_DestroyCertificate(cert);

+    if(connssl->client_cert)

+      CERT_DestroyCertificate(connssl->client_cert);

+    connssl->client_cert = NULL;

   }

   return secStatus;

@@ -891,8 +893,12 @@ void Curl_nss_cleanup(void)

    * as a safety feature.

    */

   PR_Lock(nss_initlock);

-  if (initialized)

+  if (initialized) {

+    if(mod)

+      SECMOD_DestroyModule(mod);

+    mod = NULL;

     NSS_Shutdown();

+  }

   PR_Unlock(nss_initlock);

   PR_DestroyLock(nss_initlock);

@@ -940,6 +946,8 @@ void Curl_nss_close(struct connectdata *

       free(connssl->client_nickname);

       connssl->client_nickname = NULL;

     }

+    if(connssl->client_cert)

+      CERT_DestroyCertificate(connssl->client_cert);

     if(connssl->key)

       (void)PK11_DestroyGenericObject(connssl->key);

     if(connssl->cacert[1])

@@ -981,6 +989,7 @@ CURLcode Curl_nss_connect(struct connect

   if (connssl->state == ssl_connection_complete)

     return CURLE_OK;

+  connssl->client_cert = NULL;

   connssl->cacert[0] = NULL;

   connssl->cacert[1] = NULL;

   connssl->key = NULL;

@@ -1207,8 +1216,7 @@ CURLcode Curl_nss_connect(struct connect

     if(SSL_GetClientAuthDataHook(model,

                                  (SSLGetClientAuthData) SelectClientCert,

-                                 (void *)connssl->client_nickname) !=

-       SECSuccess) {

+                                 (void *)connssl) != SECSuccess) {

       curlerr = CURLE_SSL_CERTPROBLEM;

       goto error;

     }

diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h

--- curl-7.19.4.orig/lib/urldata.h	2009-04-27 09:48:12.550102000 +0200

+++ curl-7.19.4/lib/urldata.h	2009-04-27 09:48:19.821215391 +0200

@@ -211,6 +211,7 @@ struct ssl_connect_data {

 #ifdef USE_NSS

   PRFileDesc *handle;

   char *client_nickname;

+  CERTCertificate *client_cert;

 #ifdef HAVE_PK11_CREATEGENERICOBJECT

   PK11GenericObject *key;

   PK11GenericObject *cacert[2];