
curl-library

Re: some more NSS questions ...

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 8 Sep 2009 15:09:21 +0200

Gün, please CC the mailing list on reply.

On Tue September 8 2009 14:19:58 Guenter wrote:
> Kamil Dudka wrote:
> > 1) You are trying to lock one mutex twice!
>
> argh! Yeah, now I see - was probably too late when I hacked it :)
> once I only commented the second lock it worked!

Yes, 4:11 AM could be late to hack something ;-)

> >> first it's crazy enough that the NSS cert dir delivered by my OpenSuSE
> >> 11.1 distro looks like that:
> >> # l /etc/pki/nssdb/
> >> total 28
> >> drwxr-xr-x 2 root root 128 19. Aug 01:18 ./
> >> drwxr-xr-x 3 root root 72 19. Aug 01:18 ../
> >> -rw-r--r-- 1 root root 9216 19. Aug 01:18 cert9.db
> >> -rw-r--r-- 1 root root 9216 19. Aug 01:18 key4.db
> >> -rw-r--r-- 1 root root 412 19. Aug 01:18 pkcs11.txt
> >> so (lib)curl must fail since it inits with a file secmod.db which is
> >> clearly missing here ...
> >
> > I am not sure with the file names. Are you able to access the database
> > with certutil?
>
> nope:
> # certutil -d /etc/pki/nssdb -L
> certutil: function failed: security library: bad database.

It looks like an openSUSE deviation to me. Not sure how the situation is with
other distributions.

Michal, any idea how the system-wide NSS database is supposed to work on
openSUSE?

> >> # l /usr/i686-pc-mingw32/sys-root/mingw/etc/pki/nssdb
> >> total 96
> >> drwxr-xr-x 2 root root 128 Aug 30 21:50 ./
> >> drwxr-xr-x 5 root root 120 Aug 28 02:51 ../
> >> -rw-r--r-- 1 root root 65536 Aug 27 23:31 cert8.db
> >> -rw-r--r-- 1 root root 16384 Aug 27 23:31 key3.db
> >> -rw-r--r-- 1 root root 16384 Aug 27 23:31 secmod.db
>
> these I can access with certutil, however they seem to be empty:
> # certutil -d /usr/i686-pc-mingw32/sys-root/mingw/etc/pki/nssdb -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> If I try with those from Firefox I get the usual CAs listed including my
> own added.

You can try to load them manually:
https://bugzilla.redhat.com/show_bug.cgi?id=266021#c3

> > The list of NSS/SSL error codes is here:
> > http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
>
> this, and the NSPR error list led me finally to the Win32 prob: there
> were a couple of other DLLs missing, f.e. soft*.dll and sqlite*.dll !
> Now since I had all DLLs in the same dir my test as well as curl started
> to work! Find here the new archive:
> http://www.gknw.net/mirror/curl/win32/curl-7.19.6-nss-ssh2-idn-zlib-static-bin-w32.7z
> I've also included a setssldir.bat file which you can call from a
> cmd box inside the extracted folder - then it sets the SSL_DIR var, and
> tries to access an SSL test page, and that works for me with -k insecure
> mode; however if I try without -k then curl segfaults.

Any chance to locate the crash? (with something like debuginfo and/or
debugger)

> I've tried to re-create this issue with curl on Linux with these empty
> db files, but there I get the expected error back:
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
>
> Anyway, now very close to having a useful Win32 curl NSS build ... :)

Great!

Kamil
Received on 2009-09-08
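
The two directory listings quoted in this mail show NSS's two on-disk layouts: cert9.db/key4.db/pkcs11.txt (SQLite) and cert8.db/key3.db/secmod.db (legacy DBM). The following shell script is an added example, not code from the thread, curl or NSS: it classifies a directory and prints a `-d` argument carrying the `sql:` or `dbm:` prefix that NSS accepts. The function names are hypothetical, and the prefixes are not mentioned in the mail.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Classify an NSS database directory: prints sql, dbm, mixed or none.
nss_db_format() {
    dir=$1; has_sql=no; has_dbm=no
    # SQLite layout, as in the openSUSE /etc/pki/nssdb listing
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then has_sql=yes; fi
    # Legacy DBM layout, as in the MinGW sys-root listing
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    case "$has_sql$has_dbm" in
        yesyes) echo mixed ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# True when the file starts with the 15-byte SQLite 3 magic string.
is_sqlite3() {
    [ "$(dd if="$1" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ]
}

# Print the value to pass to `certutil -d`; on failure explain on stderr.
nss_db_arg() {
    dir=$1
    case "$(nss_db_format "$dir")" in
        sql)
            if is_sqlite3 "$dir/cert9.db"; then
                echo "sql:$dir"
            else
                echo "$dir/cert9.db is not an SQLite file" >&2; return 1
            fi ;;
        dbm)   echo "dbm:$dir" ;;
        mixed) echo "both layouts in $dir, pick a prefix explicitly" >&2; return 2 ;;
        *)     echo "no NSS database in $dir" >&2; return 3 ;;
    esac
}

# Stand-alone use: ./nssdbarg.sh /etc/pki/nssdb
if [ $# -gt 0 ]; then nss_db_arg "$1"; fi
```

The printed value can be passed as `certutil -d "$(nss_db_arg DIR)" -L`, so the tool opens the layout that is actually on disk.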