Re: Security question about SSL Beast

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 23 Apr 2012 19:38:12 +0200

On Monday 23 April 2012 17:06:27 Yang Tse wrote:
> On Mon, Apr 23, 2012 at 2:01 PM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> > You can try to compile libcurl against NSS instead of OpenSSL.  NSS uses
> > another approach to prevent this kind of attack and does not send empty
> > packets.
>
> Honest question...
>
> What is the current situation regarding libnsspem library availability
> outside of RH universe?

The good news is that the libnsspem library finally has an upstream:

https://fedorahosted.org/nss-pem/browser

The long-term goal is to merge the sources directly into NSS upstream, although
I doubt it will happen anytime soon. We have also fixed a bunch of bugs as
you can see from the Revision Log:

https://fedorahosted.org/nss-pem/log/

> It seems it is required in order to allow
> usage and interoperability with PEM certificates.

If you need to handle them in the same way as with OpenSSL, it is indeed
required. Another choice is to put the required certificates and keys into
the NSS database. The database can be shared with Firefox, Thunderbird,
and other applications using NSS.

Kamil

Received on 2012-04-23