--- /dev/null
+diff -u --recursive curl-7.18.2/lib/nss.c curl-7.18.2.new/lib/nss.c
+--- curl-7.18.2/lib/nss.c 2008-09-16 11:13:00.000000000 -0400
++++ curl-7.18.2.new/lib/nss.c 2008-09-16 11:29:13.000000000 -0400
+@@ -73,6 +73,8 @@
+
+ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
+
++PRLock * nss_initlock = NULL;
++
+ int initialized = 0;
+
+ #define HANDSHAKE_TIMEOUT 30
+@@ -719,8 +721,11 @@
+ */
+ int Curl_nss_init(void)
+ {
+- if(!initialized)
++ /* curl_global_init() is not thread-safe so this test is ok */
++ if (nss_initlock == NULL) {
+ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
++ nss_initlock = PR_NewLock();
++ }
+
+ /* We will actually initialize NSS later */
+
+@@ -730,7 +735,17 @@
+ /* Global cleanup */
+ void Curl_nss_cleanup(void)
+ {
+- NSS_Shutdown();
++ /* This function isn't required to be threadsafe and this is only done
++ * as a safety feature.
++ */
++ PR_Lock(nss_initlock);
++ if (initialized)
++ NSS_Shutdown();
++ PR_Unlock(nss_initlock);
++
++ PR_DestroyLock(nss_initlock);
++ nss_initlock = NULL;
++
+ initialized = 0;
+ }
+
+@@ -808,7 +823,8 @@
+ return CURLE_OK;
+
+ /* FIXME. NSS doesn't support multiple databases open at the same time. */
+- if(!initialized) {
++ PR_Lock(nss_initlock);
++ if(!initialized && !NSS_IsInitialized()) {
+ initialized = 1;
+
+ certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
+@@ -832,6 +848,8 @@
+ if(rv != SECSuccess) {
+ infof(conn->data, "Unable to initialize NSS database\n");
+ curlerr = CURLE_SSL_CACERT_BADFILE;
++ PR_Unlock(nss_initlock);
++ initialized = 0;
+ goto error;
+ }
+
+@@ -854,6 +872,7 @@
+ }
+ #endif
+ }
++ PR_Unlock(nss_initlock);
+
+ model = PR_NewTCPSocket();
+ if(!model)
+Only in curl-7.18.2.new/lib: nss.c.orig