
curl-users

curl & nss excessive initialization time

From: Barry Beckham <barry.b.beckham_at_gmail.com>
Date: Thu, 12 Dec 2013 10:57:46 -0800

Hello,

I'm currently trying to migrate from a RHEL5 -> RHEL6 box, which includes a
switch from curl using openssl -> nss by default.

I'm encountering a severe performance hit with curl + nss when attempting
to hit an HTTPS endpoint that requires client cert authentication, to the
tune of an additional ~1s in pre-transfer time.

From debugging, this appears to be related to the nss initialization phase
and reading the client cert that is sent to the server. I'm opening a
ticket with the nss mailing list as well, but wanted to throw the issue out
here as well in case anyone has insight.

Versions:
RHEL 6.4
libcurl-7.19.7-37.el6_4.x86_64
curl-7.19.7-37.el6_4.x86_64
nss-3.14.3-4.el6_4.x86_64

Example ssldump of problematic connection start:

TCP: <client>(51588) -> <server>(443) Seq 230486183.(0) SYN
TCP: <server>(443) -> <client>(51588) Seq 1803468462.(0) ACK 230486184 SYN
TCP: <client>(51588) -> <server>(443) Seq 230486184.(0) ACK 1803468463
New TCP connection #3: <client>(51588) <-> <server>(443)
TCP: <client>(51588) -> <server>(443) Seq 230486184.(96) ACK 1803468463 PUSH
3 1 1.0777 (1.0777) C>S V3.1(91) Handshake

So 1.0777s between the connection being established and the initial TLS
Handshake message being sent, which points to an issue with curl and/or nss
initialization.

Corresponding curl output:

16:45:30.899345 * About to connect() to <server> port 443 (#0)
16:45:30.899548 * Trying <server ip>... connected
16:45:30.939619 * Connected to <server> (<server ip>) port 443 (#0)
16:45:30.939656 * Initializing NSS with certpath: sql:/etc/pki/nssdb
16:45:30.944097 * CAfile: /var/misc/cacert.crt
  CApath: none
16:45:31.987207 * NSS: client certificate from file
...

Note the ~1s incurred during the nss init phase, presumably related to
fetching the client cert file.

My questions to the group are:

1) Any pointers or suggestions for how I can further debug the NSS
initialization phase within the curl call?
2) I had a hunch the slowdown may be due to using a cert file as opposed to
importing the cert into the nssdb. I've imported the client cert into the
nssdb, but curl cannot seem to find it when I specify --cert <nickname>.
Why might this be?

$ sudo certutil -A -t "C,," -d sql:/etc/pki/nssdb/ -n clientCert -i /var/temp/client.crt
Enter Password or Pin for "NSS Certificate DB":

$ sudo certutil -L -d sql:/etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

clientCert                                                   C,,

$ curl --cert clientCert <everything else...>

...
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: clientCert
* NSS error -12227
* Closing connection #0
curl: (35) NSS: client certificate not found: clientCert

Thanks!
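Added example, not part of the original post or of curl: one way to approach question 1 without touching curl or NSS is to feed the `--trace-time` verbose output into a small parser that measures the gap between consecutive timestamped lines and flags the phases that exceed a threshold. The sample trace embedded below is the one quoted in the post, pasted into a string; the function names and the 0.5 s threshold are this example's own choices. On the nssdb question, one general fact worth keeping in mind is that `certutil -A` imports only a certificate, whereas TLS client authentication also needs the matching private key present in the database (normally imported from a PKCS#12 bundle with `pk12util`); whether that is the cause here is not something the post establishes.

```python
import re
from datetime import datetime

# curl --trace-time prefixes each verbose line with "HH:MM:SS.ffffff " followed
# by a marker: "*" for info, ">"/"<" for headers, "{"/"}" for data.
TRACE_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) ([*<>{}]) ?(.*)$")

# Sample input copied from the post above (the "..." trailer is omitted).
SAMPLE_TRACE = """16:45:30.899345 * About to connect() to <server> port 443 (#0)
16:45:30.899548 * Trying <server ip>... connected
16:45:30.939619 * Connected to <server> (<server ip>) port 443 (#0)
16:45:30.939656 * Initializing NSS with certpath: sql:/etc/pki/nssdb
16:45:30.944097 * CAfile: /var/misc/cacert.crt
  CApath: none
16:45:31.987207 * NSS: client certificate from file
"""


def parse_trace(text):
    """Return a list of (timestamp, marker, message) tuples, one per
    timestamped line. Indented continuation lines (curl prints "  CApath:"
    without its own timestamp) are folded into the preceding message."""
    events = []
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            events.append([ts, m.group(2), m.group(3)])
        elif events and raw.startswith(" "):
            events[-1][2] += " | " + raw.strip()
    return [tuple(e) for e in events]


def phase_gaps(events):
    """Seconds elapsed between each pair of consecutive events, as a list of
    (seconds, from_message, to_message)."""
    gaps = []
    for (t0, _, m0), (t1, _, m1) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta < 0:          # trace crossed midnight; only HH:MM:SS is logged
            delta += 86400
        gaps.append((delta, m0, m1))
    return gaps


def slowest_phase(events):
    """The single largest gap between two consecutive trace lines."""
    return max(phase_gaps(events), key=lambda g: g[0])


def slow_phases(events, threshold=0.5):
    """All gaps at or above `threshold` seconds (threshold is this example's choice)."""
    return [g for g in phase_gaps(events) if g[0] >= threshold]


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    for secs, src, dst in phase_gaps(ev):
        print(f"{secs:9.6f}s  {src!r:60} -> {dst!r}")
    secs, src, dst = slowest_phase(ev)
    print(f"\nslowest phase: {secs:.6f}s between {src!r} and {dst!r}")
```

To use it on a live run, capture `curl -v --trace-time ... 2> trace.log` and pass the file contents to `parse_trace`; a gap that lands between "CAfile:" and "NSS: client certificate from file", as in the post, isolates the delay to NSS certificate loading rather than to the TCP connect or the handshake itself.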

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-12-12