curl-library
Re: Curl and NSS
Date: Sat, 29 Nov 2008 22:13:17 +0100 (CET)
On Sat, 29 Nov 2008, George Sherwood wrote:
> I have been maintaining curl and nss for our distro and I was wondering if
> there is any advantage to building curl against NSS. Currently we don't
> even have that as an option.
As far as I understand it, and I can't say I've actually tried to understand
all the aspects of this, NSS has a FIPS certification in a way none of the
other SSL libs do, and some US governments or something requires software to
be FIPS certified to be considered. See this:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation
> Also is it proper to build curl against gnutls and openssl and libssh2
> or should it only be one of these three or nss?
NSS is an SSL library libcurl can use instead of OpenSSL or GnuTLS. libcurl can
only be built to use one of these in a single build.

libssh2 is a separate thing since it provides SSH. Although libssh2 in itself
can be built to use either OpenSSL or libgcrypt for the crypto layer.
> I finally got midori/webkit working with https site by adding
> ca-certificates and building curl against openssl with the options:
>
> --with-ssl=/usr --without-ca-bundle --with-ca-path=/etc/ssl/certs
>
> I was just wondering if I am doing things correctly.
How is this related to the NSS question?
(lib)curl no longer provides a ca cert bundle of its own so if you want your
libcurl installation to have a default ca cert bundle you need to make sure
configure finds a suitable one.
I don't know what "midori/webkit" is so I can't comment on its specific
situation.
-- 
 / daniel.haxx.se

Received on 2008-11-29