curl-library

Re: Curl and NSS

From: George Sherwood <pilot_at_beernabeer.com>
Date: Sat, 29 Nov 2008 16:58:48 -0600

On Sat, 29 Nov 2008 22:13:17 +0100 (CET)
Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Sat, 29 Nov 2008, George Sherwood wrote:
>
> > I have been maintaining curl and nss for our distro and I was
> > wondering if there is any advantage to building curl against NSS.
> > Currently we don't even have that as an option.
>
> As far as I understand it, and I can't say I've actually tried to
> understand all the aspects of this, NSS has a FIPS certification in a
> way none of the other SSL libs do, and some US governments or
> something requires software to be FIPS certified to be considered.
> See this:
>
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation
>
> > Also is it proper to build curl against gnutls and openssl and
> > libssh2 or should it only be one of these three or nss?
>
> NSS is an SSL library libcurl can use instead of OpenSSL or GnuTLS.
> libcurl can only be built to use one of these in a single build.

Got it. I need to modify our build so that the user will only use one
of these three. Unfortunately, currently the configure is failing to
find pkg-config, I believe, so it is executing the else portion kludge
defaults and failing. If I remove the if test -n "$check"; then
everything works fine.

  if test X"$OPT_NSS" != Xno; then
    if test "x$OPT_NSS" = "xyes"; then
     check=`pkg-config --version 2>/dev/null`
     if test -n "$check"; then
       addlib=`pkg-config --libs nss`
       addcflags=`pkg-config --cflags nss`
       version=`pkg-config --modversion nss`
       nssprefix=`pkg-config --variable=prefix nss`
     fi
    else
      # Without pkg-config, we'll kludge in some defaults
      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
      addcflags="-I$OPT_NSS/include"
      version="unknown"
      gtlsprefix=$OPT_GNUTLS
    fi

>
> > I finally got midori/webkit working with https site by adding
> > ca-certificates and building curl against openssl with the options:
> >
> > --with-ssl=/usr --without-ca-bundle --with-ca-path=/etc/ssl/certs
> >
> > I was just wondering if I am doing things correctly.
>
> How is this related to the NSS question?

Related in that I only have the midori browser working on https sites
using curl built against openssl. I believe it should work with curl
built against either GnuTLS or NSS. Webkit uses curl as its http
backend.

>
> (lib)curl no longer provides a ca cert bundle of its own so if you
> want your libcurl installation to have a default ca cert bundle you
> need to make sure configure finds a suitable one.

I seem to have this working at least with OpenSSL.

George

-- 
George Sherwood
Source Mage GNU/Linux Lead Developer
http://www.sourcemage.org

Received on 2008-11-30
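
Added example, not part of the original mail and not curl's configure code: in the fragment quoted above, the yes branch sets no flags at all when the pkg-config probe comes back empty, and the configure run carries on with empty values. The sketch below makes each case an explicit result; resolve_nss_flags and nss_status are hypothetical names, and PKG_CONFIG is assumed as the usual override for the tool name.

```shell
#!/bin/sh
# Added example, not curl's configure code. resolve_nss_flags and nss_status
# are hypothetical names; PKG_CONFIG is the usual override for the tool name.
resolve_nss_flags() {
  opt_nss=$1
  pkgconf=${PKG_CONFIG:-pkg-config}
  addlib= addcflags= version= nssprefix= nss_status=
  case "$opt_nss" in
    no)
      nss_status="disabled" ;;
    yes)
      # No prefix given: pkg-config is the only source of flags, so a
      # missing tool or a missing nss module must stop the build here.
      if ! command -v "$pkgconf" >/dev/null 2>&1; then
        nss_status="error: $pkgconf not found"; return 1
      fi
      if ! $pkgconf --exists nss; then
        nss_status="error: $pkgconf has no nss module"; return 1
      fi
      addlib=$($pkgconf --libs nss)
      addcflags=$($pkgconf --cflags nss)
      version=$($pkgconf --modversion nss)
      nssprefix=$($pkgconf --variable=prefix nss)
      nss_status="pkg-config" ;;
    *)
      # Explicit prefix: hard-coded library list, as in the quoted fragment.
      if [ ! -d "$opt_nss/include" ]; then
        nss_status="error: $opt_nss/include not found"; return 1
      fi
      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
      addcflags="-I$opt_nss/include"
      version="unknown"
      nssprefix=$opt_nss
      nss_status="prefix" ;;
  esac
  return 0
}

# Demo: OPT_NSS mirrors --with-nss (yes, no, or a prefix path).
resolve_nss_flags "${OPT_NSS:-yes}" || true
echo "nss: $nss_status"
echo "libs: $addlib"
echo "cflags: $addcflags"
```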