Thanks for the patch.
Just blindly #defining HAVE_NSS_INITCONTEXT is no good. Isn't there an NSS version symbol we can check in the preprocessor, to make sure it's 3.12.5 or newer? Otherwise we'll need an autoconf test for the existence of the NSS_InitContext() function.
Ok. I'll change it to check for NSS version >= 3.12.5
This allows apps and libraries to initialize NSS from different contexts.
I've also cleaned up some of the code around PEM file support. I also had to call SSL_SetURL in order to put the correct hostname in the SSL socket for cert validation.
I explicitly withheld the hostname to force our own cert validation function to be used. The NSS hostname validator's behavior is inconsistent with the LDAP spec.
That's the tlsm_session_chkhost() function? The problem is that the chkhost function is called too late - NSS attempts to perform the verification during the handshake process - by the time ldap_pvt_tls_check_hostname() is called in ldap_int_tls_start(), it's too late - NSS has failed - ldap_int_tls_connect() has returned an error.