curl-library
Re: Curl and NSS
Date: Sat, 29 Nov 2008 16:58:48 -0600
On Sat, 29 Nov 2008 22:13:17 +0100 (CET)
Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Sat, 29 Nov 2008, George Sherwood wrote:
>
> > I have been maintaining curl and nss for our distro and I was
> > wondering if there is any advantage to building curl against NSS.
> > Currently we don't even have that as an option.
>
> As far as I understand it, and I can't say I've actually tried to
> understand all the aspects of this, NSS has a FIPS certification in a
> way none of the other SSL libs do, and some US governments or
> something requires software to be FIPS certified to be considered.
> See this:
>
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
>
> > Also is it proper to build curl against gnutls and openssl and
> > libssh2 or should it only be one of these three or nss?
>
> NSS is a SSL library libcurl can use instead of OpenSSL or GnuTLS.
> libcurl can only be built to use one of these in a single build
Got it. I need to modify our build so that the user will only use one
of these three. Unfortunately, currently the configure is failing to
find pkg-config, I believe, so it is executing the else portion kludge
defaults and failing. If I remove the if test -n "$check"; then
everything works fine.

  if test X"$OPT_NSS" != Xno; then
    if test "x$OPT_NSS" = "xyes"; then
      check=`pkg-config --version 2>/dev/null`
      if test -n "$check"; then
        addlib=`pkg-config --libs nss`
        addcflags=`pkg-config --cflags nss`
        version=`pkg-config --modversion nss`
        nssprefix=`pkg-config --variable=prefix nss`
      fi
    else
      # Without pkg-config, we'll kludge in some defaults
      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
      addcflags="-I$OPT_NSS/include"
      version="unknown"
      gtlsprefix=$OPT_GNUTLS
    fi

>
> > I finally got midori/webkit working with https site by adding
> > ca-certificates and building curl against openssl with the options:
> >
> > --with-ssl=/usr --without-ca-bundle --with-ca-path=/etc/ssl/certs
> >
> > I was just wondering if I am doing things correctly.
>
> How is this related to the NSS question?
Related in that I only have the midori browser working on https sites
using curl built against openssl. I believe it should work with curl
built against either GnuTLS or NSS. Webkit uses curl as its http
backend.
>
> (lib)curl no longer provides a ca cert bundle of its own so if you
> want your libcurl installation to have a default ca cert bundle you
> need to make sure configure finds a suitable one.
I seem to have this working at least with OpenSSL.
George
-- George Sherwood Source Mage GNU/Linux Lead Developer http://www.sourcemage.org
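
The NSS probe quoted in the message above, written as a stand-alone shell function that reports which branch was taken, including the case where pkg-config cannot be run. This is an added example, not code from curl's configure script or from anyone in the thread; the function name nss_probe, the nss_source variable, the return codes and the PKG_CONFIG override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: explicit-outcome version of the NSS probe quoted above.
# nss_probe, nss_source and the PKG_CONFIG override are hypothetical names.

PKG_CONFIG=${PKG_CONFIG:-pkg-config}

# nss_probe OPT_NSS
#   OPT_NSS=no (or empty) -> NSS disabled, returns 1
#   OPT_NSS=yes           -> ask pkg-config; returns 2 if it cannot be run,
#                            3 if it runs but has no "nss" module
#   OPT_NSS=<dir>         -> fixed defaults below <dir>, returns 0
# On success sets addlib, addcflags, version, nssprefix and nss_source.
nss_probe() {
    opt=$1
    addlib= addcflags= version= nssprefix= nss_source=
    case $opt in
    no|"")
        nss_source=disabled
        return 1 ;;
    yes)
        if ! "$PKG_CONFIG" --version >/dev/null 2>&1; then
            nss_source=no-pkg-config
            return 2
        fi
        if ! "$PKG_CONFIG" --exists nss; then
            nss_source=no-nss-module
            return 3
        fi
        addlib=$("$PKG_CONFIG" --libs nss)
        addcflags=$("$PKG_CONFIG" --cflags nss)
        version=$("$PKG_CONFIG" --modversion nss)
        nssprefix=$("$PKG_CONFIG" --variable=prefix nss)
        nss_source=pkg-config ;;
    *)
        # Same fixed library list as the quoted snippet's else branch.
        addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
        addcflags="-I$opt/include"
        version="unknown"
        nssprefix=$opt
        nss_source=defaults ;;
    esac
    return 0
}
```

A build script can branch on the return code or on nss_source and stop with a clear message instead of continuing with empty flags.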