Re: curl & nss excessive initialization time

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 12 Dec 2013 20:20:13 +0100

On Thursday, December 12, 2013 10:57:46 Barry Beckham wrote:
> Hello,
>
> I'm currently trying to migrate from a RHEL5 -> RHEL6 box, which includes a
> switch from curl using openssl -> nss by default.
>
> I'm encountering a severe performance hit with curl + nss when attempting
> to hit an HTTPS endpoint that requires client cert authentication, to the
> tune of an additional ~1s in pre-transfer time.
>
> From debugging, this appears to be related to the nss initialization phase
> and reading the client cert that is sent to the server. I'm opening a
> ticket with the nss mailing list as well, but wanted to throw the issue out
> here as well in case anyone has insight.
>
> Versions:
> RHEL 6.4
> libcurl-7.19.7-37.el6_4.x86_64
> curl-7.19.7-37.el6_4.x86_64
> nss-3.14.3-4.el6_4.x86_64
>
> Example ssldump of problematic connection start:
>
> TCP: <client>(51588) -> <server>(443) Seq 230486183.(0) SYN
> TCP: <server>(443) -> <client>(51588) Seq 1803468462.(0) ACK 230486184 SYN
> TCP: <client>(51588) -> <server>(443) Seq 230486184.(0) ACK 1803468463
> New TCP connection #3: <client>(51588) <-> <server>(443)
> TCP: <client>(51588) -> <server>(443) Seq 230486184.(96) ACK 1803468463 PUSH
> 3 1 1.0777 (1.0777) C>S V3.1(91) Handshake
>
> So 1.0777s between the connection being established and the initial TLS
> Handshake message being sent, which points to an issue with curl and/or nss
> initialization.
>
> Corresponding curl output:
>
> 16:45:30.899345 * About to connect() to <server> port 443 (#0)
> 16:45:30.899548 * Trying <server ip>... connected
> 16:45:30.939619 * Connected to <server> (<server ip>) port 443 (#0)
> 16:45:30.939656 * Initializing NSS with certpath: sql:/etc/pki/nssdb
> 16:45:30.944097 * CAfile: /var/misc/cacert.crt
> CApath: none
> 16:45:31.987207 * NSS: client certificate from file
> ...
>
> Note the ~1s incurred during the nss init phase, presumably related to
> fetching the client cert file.
>
> My questions to the group are:
>
> 1) Any pointers or suggestions for how I can further debug the NSS
> initialization phase within the curl call?

There is a hard-wired sleep for one second in the code that loads client certs:

https://git.fedorahosted.org/cgit/nss-pem.git/tree/mozilla/security/nss/lib/ckfw/pem/pobject.c#n1203

> 2) I had a hunch the slowdown may be due to using a cert file as opposed to
> importing the cert into the nssdb. I've imported the client cert into the
> nssdb, but curl can not seem to find it when I specify --cert <nickname>.
> Why might this be?
>
> $ sudo certutil -A -t "C,," -d sql:/etc/pki/nssdb/ -n clientCert -i /var/temp/client.crt
> Enter Password or Pin for "NSS Certificate DB":
>
> $ sudo certutil -L -d sql:/etc/pki/nssdb/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> clientCert                                                   C,,
>
> $ curl --cert clientCert <everything else...>
>
> ...
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * NSS: client certificate not found: clientCert
> * NSS error -12227
> * Closing connection #0
> curl: (35) NSS: client certificate not found: clientCert

You cannot import a client cert with certutil. You need to use pk12util:

$ openssl pkcs12 -export -in /var/temp/client.crt -out client.p12 -name clientCert
$ pk12util -i client.p12 -d sql:/etc/pki/nssdb

Kamil
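The pk12util route Kamil describes, as an added example that is not code from the thread: it bundles the PEM cert and key into PKCS#12, imports it with pk12util, and then confirms with certutil -K that the nickname carries a private key, which certutil -A never stores and which curl needs for client-cert authentication. The tool names and options are real; the paths, nickname, and password-file handling are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Imports a PEM client cert + key
# into an NSS database via PKCS#12 (pk12util) and then checks the thing
# certutil -A can never provide: a PRIVATE key stored under the nickname.
# Without that key, curl --cert <nickname> reports the cert as not found.
# All paths, nicknames and password files below are assumptions.

# nss_has_private_key DBDIR NICKNAME [DBPWFILE]
# Returns 0 if NICKNAME has a private key in DBDIR, 1 if it does not (or the
# DB cannot be read), 2 if certutil is not installed.
nss_has_private_key() {
    dbdir=$1; nick=$2; pwfile=${3:-}
    command -v certutil >/dev/null 2>&1 || return 2
    # certutil -K lists private keys, one per line, nickname last.
    # stdin is /dev/null so a password prompt fails instead of hanging.
    if certutil -K -d "$dbdir" ${pwfile:+-f "$pwfile"} </dev/null 2>/dev/null \
        | grep -q -- "[[:space:]]$nick\$"; then
        return 0
    fi
    return 1
}

# nss_import_client_cert DBDIR NICKNAME CERT.pem KEY.pem P12PWFILE [DBPWFILE]
# Bundles cert + key into a temporary .p12 and imports it with pk12util so
# the private key lands in the DB next to the certificate.
# Returns 0 on success, 1 on failure, 2 if openssl or pk12util is missing.
nss_import_client_cert() {
    dbdir=$1; nick=$2; cert=$3; key=$4; p12pw=$5; dbpw=${6:-}
    command -v openssl  >/dev/null 2>&1 || return 2
    command -v pk12util >/dev/null 2>&1 || return 2
    p12=$(mktemp) || return 1
    # -passout file:... keeps the transient .p12 password off the command
    # line, where other local users could read it from the process list.
    if ! openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
            -out "$p12" -passout "file:$p12pw" 2>/dev/null; then
        rm -f "$p12"; return 1
    fi
    # -w: password file for the .p12; -k: password file for the NSS DB slot.
    pk12util -i "$p12" -d "$dbdir" -w "$p12pw" ${dbpw:+-k "$dbpw"} \
        </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$p12"
    [ "$rc" -eq 0 ] || return 1
    # Verify the key really arrived; a cert-only entry is exactly what
    # reproduces "NSS: client certificate not found".
    nss_has_private_key "$dbdir" "$nick" "$dbpw"
}

# Usage (assumed paths):
#   nss_import_client_cert sql:/etc/pki/nssdb clientCert client.crt client.key p12.pw \
#       && echo "clientCert is usable with curl --cert clientCert"
```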
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-12-12