curl-users
Patch to add NSS support to curl
Date: Tue, 23 Jan 2007 10:53:29 -0500
Attached is a patch against CVS I add Network Security Services (NSS)
support to curl (http://www.mozilla.org/projects/security/pki/nss/). NSS
is the SSL engine used in Firefox and Thunderbird (among others). This
was developed on Fedora Core 6 against NSS 3.11.4 and NSPR 4.6.4 but it
should work on other OS's as well. I'm not 100% sure I got the magic
right for detection of NSPR and NSS locations so feedback is welcome.
NSS uses a Berkeley database for its certificate and key store so the
semantics of certs and keys are a bit different. In an attempt to play
nice with the existing arguments, here is what I've added support for:
-k : Allow connections to SSL sites without certs
--cacert /path/to/dbdir : Specify the directory where the NSS
certificate and key database resides
--tlsv1, --sslv2, --sslv3 : select the SSL protocol
--cipher cipher1,cipher2,... : only allow these ciphers. The cipher list
is not compatible with OpenSSL/GNUtls. At this point you'd need to look
at the source. I wante to add a usage containing a list of available
ciphers but the failf() buffer is limited to 256 bytes.
--pass : the NSS database password. It will prompt via the tty if one is
required but not passed in
--cert nickname : NSS uses a nickname for each certificate. Pass in the
nickname of the client certificate you want to use.
Some simple manual tests I did worked ok and it passes all of the
built-in tests.
So an example run with a client certificate and a single cipher is:
% curl --cipher rsa_rc4_128_sha --pass secret --cert alpha --cacert
/tmp/mycertdb https://localhost:8443/
regards
rob
- text/x-patch attachment: curl-nss.patch
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature