cURL / Mailing Lists / curl-users / Single Mail

curl-users

Patch to add NSS support to curl

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Tue, 23 Jan 2007 10:53:29 -0500

Attached is a patch against CVS I add Network Security Services (NSS)
support to curl (http://www.mozilla.org/projects/security/pki/nss/). NSS
is the SSL engine used in Firefox and Thunderbird (among others). This
was developed on Fedora Core 6 against NSS 3.11.4 and NSPR 4.6.4 but it
should work on other OS's as well. I'm not 100% sure I got the magic
right for detection of NSPR and NSS locations so feedback is welcome.

NSS uses a Berkeley database for its certificate and key store so the
semantics of certs and keys are a bit different. In an attempt to play
nice with the existing arguments, here is what I've added support for:

-k : Allow connections to SSL sites without certs

--cacert /path/to/dbdir : Specify the directory where the NSS
certificate and key database resides

--tlsv1, --sslv2, --sslv3 : select the SSL protocol

--cipher cipher1,cipher2,... : only allow these ciphers. The cipher list
is not compatible with OpenSSL/GNUtls. At this point you'd need to look
at the source. I wante to add a usage containing a list of available
ciphers but the failf() buffer is limited to 256 bytes.

--pass : the NSS database password. It will prompt via the tty if one is
required but not passed in

--cert nickname : NSS uses a nickname for each certificate. Pass in the
nickname of the client certificate you want to use.

Some simple manual tests I did worked ok and it passes all of the
built-in tests.

So an example run with a client certificate and a single cipher is:

% curl --cipher rsa_rc4_128_sha --pass secret --cert alpha --cacert
/tmp/mycertdb https://localhost:8443/

regards

rob

Received on 2007-01-23