curl-users

Re: Curl with NSS and smart card

From: Petr Pisar <petr.pisar_at_atlas.cz>
Date: Tue, 6 Sep 2016 06:42:30 +0200

On Mon, Sep 05, 2016 at 06:06:54PM -0400, George Wash wrote:
> If my curl that came with Fedora23 was built with NSS crypto, does it need
> to be rebuilt with OpenSSL to use the OpenSSL engine features?
>
Yes.

> Any reliable guides out there for curl with OpenSSL and pkcs11 engine?
>
engine_pkcs11 was merged into p11-kit recently. And the developmental OpenSSL
version is deemed to gain native support for PKCS11. I don't know the status
in Fedora.

There was a howto for OpenSSL and engine_pkcs11 in
<https://github.com/OpenSC/engine_pkcs11/blob/132fcf2c8b319f9f4b2ebdc8dcb54ff496dc0519/README.md>.

Then the Curl application needs to set the CURLOPT_SSLENGINE option to the
engine identifier defined in the OpenSSL configuration file and set the
CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE options to the "ENG" value to use
the certificate and private key from the engine instead of local files. The
CURLOPT_SSLCERT and CURLOPT_SSLKEY options are then interpreted as certificate
and key identifiers inside the engine, not as local file names. Similar
options are available for the curl tool (see "curl -h |grep ENG").

I think there was an attempt to teach Curl to understand PKCS11 URIs, but
again I don't know if it is supported.

-- Petr

Received on 2016-09-06
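
The curl tool form of the options described in the mail, as an added example that is not part of the original message. The function names are hypothetical, and the engine, certificate and key identifiers are whatever the caller's own OpenSSL engine setup defines.

```shell
#!/bin/sh
# Added example, not from the original mail. Function names are
# hypothetical; engine and object identifiers come from the caller.

# Classify the TLS backend named in the first line of `curl -V`.
# Engine options need an OpenSSL build; an NSS build must be rebuilt.
tls_backend() {
    case "$1" in
        *OpenSSL/*) echo openssl ;;
        *NSS/*)     echo nss ;;
        *)          echo other ;;
    esac
}

# Fetch a URL using a client certificate and key held by an engine.
#   $1 URL
#   $2 engine identifier (as defined in the OpenSSL configuration)
#   $3 certificate identifier inside the engine (not a file name)
#   $4 key identifier inside the engine (not a file name)
curl_with_token() {
    url=$1 engine=$2 cert_id=$3 key_id=$4

    backend=$(tls_backend "$(curl -V | head -n 1)")
    if [ "$backend" != openssl ]; then
        echo "curl TLS backend is '$backend'; engine options need OpenSSL" >&2
        return 2
    fi

    # With both types set to ENG, --cert and --key are looked up in the
    # engine instead of being opened as local files.
    curl --engine "$engine" \
         --cert-type ENG --cert "$cert_id" \
         --key-type ENG --key "$key_id" \
         "$url"
}

# Usage (constructed placeholder values):
#   curl_with_token https://example.invalid/ pkcs11 CERT_ID KEY_ID
```
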