curl-library

Re: How to use curl with nss supported?

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 9 Dec 2010 11:46:11 +0100

On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
> I'm not sure about how to use curl with nss support.

The natural way for NSS is to go through the NSS database. You can specify its
path by the environment variable SSL_DIR. You need to load your certificates
into the NSS database using certutil. Another way is to load PEM
certificates/keys directly by curl. It, however, requires you to have a PEM
reader PKCS11 module, which has not been accepted by NSS upstream yet:

https://bugzilla.mozilla.org/show_bug.cgi?id=402712

> >What are the problems?
>
> Can't access https:// through CA.
>
> >> Version
> >> --------------
> >> $ curl -V
> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
> >> Largefile SSL libz
> >
> >What distribution are you using? Are the packages provided by your
> > distro?
>
> $ uname -a
> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
> i686 i386 GNU/Linux

It does not say much about the distribution. But it is likely neither Fedora
nor RHEL, which means you probably don't have the PEM reader installed on
your system by default.

> curl+nss is based on a cross-compiling build.
>
> >> NSS database is in '/etc/pki/nssdb' directory.
> >> When I run certutil, the output is:
> >> $ certutil -L -d /etc/pki/nssdb/
> >>
> >> Certificate Nickname                          Trust Attributes
> >>                                               SSL,S/MIME,JAR/XPI
> >>
> >> I don't know why there is no nickname output.
> >
> >If you have working Firefox, you can try to point curl to its database by
> >setting $SSL_DIR.
>
> Firefox is not installed.
> If I have set $SSL_DIR, then how to use it?
> $ curl -E -X GET https://bugzilla.redhat.com ?
> can't work.

export SSL_DIR=/path/to/your/database

> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
> >> is created.
> >> Lastly, when I use curl with this CA:
> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
> >> Segmentation fault
> >
> >If you are able to repeat the crash with the latest curl/nss, please
> > attach the certificate that causes the crash. What does the following
> > command say?
> >
> >$ openssl x509 -in ./cacert.pem -noout -text
>
> If used as below, then there is no crash:
> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
> curl: (77) Problem with the SSL CA cert (path? access rights?)

You can't supply a CA as a client certificate. I'll try to reproduce the crash
myself. Please give me some steps to reproduce.

Kamil
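
Kamil's first answer (import the CA into the NSS database with certutil, then point $SSL_DIR at that database) and his last one (a CA is not a client certificate) are the two steps a practitioner has to get right. The following Python script is an added example, not part of this thread and not code from curl or NSS. It stages a PEM bundle such as the cacert.pem built from /usr/lib/ssl/certs for certutil: it splits the bundle (certutil -A imports one certificate per call), derives a nickname from each subject CN with a minimal DER walk, refuses a file that also holds a private key (that is a --cert identity, not a --cacert bundle), and emits one import command per certificate plus the SSL_DIR export. Assumptions, labelled in the code: the database is in the sql: format (drop the prefix for a legacy dbm database), trust flags "C,," mark a CA trusted for SSL server authentication, and the sample certificates at the bottom are constructed test data, not valid X.509.

```python
"""Stage a PEM CA bundle for import into an NSS database used by curl via $SSL_DIR.

Added example, not code from curl, NSS or the thread. Assumptions: nicknames come
from each certificate's subject CN, the database is in the sql: format, and trust
flags "C,," mark a CA trusted for SSL server auth. Sample certs are constructed.
"""
import base64
import re
import shlex

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element directly inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def subject_cn(der):
    """Walk Certificate -> tbsCertificate -> subject and return its CN, or None."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:  # explicit [0] version is optional; skip it
        fields = fields[1:]
    subject = fields[4][1]    # serial, signature, issuer, validity, subject
    for _, rdn in _children(subject):      # SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):      # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = _children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT_RE.finditer(text)]


def looks_like_client_identity(text):
    """True if the file carries a private key: a --cert identity, not a CA bundle."""
    return "PRIVATE KEY-----" in text


def plan_import(bundle_text, nssdb_dir):
    """One step per certificate: nickname, file to write, its PEM, certutil command."""
    if looks_like_client_identity(bundle_text):
        raise ValueError("file holds a private key; use --cert for it, not --cacert")
    steps, seen = [], {}
    for i, der in enumerate(split_pem_bundle(bundle_text)):
        cn = subject_cn(der) or "ca-%d" % i
        seen[cn] = seen.get(cn, 0) + 1
        nick = cn if seen[cn] == 1 else "%s #%d" % (cn, seen[cn])  # shown by certutil -L
        fname = "ca-%02d.pem" % i  # certutil -A imports one certificate per call
        cmd = "certutil -A -d sql:%s -n %s -t C,, -i %s" % (  # assumed sql: db format
            shlex.quote(nssdb_dir), shlex.quote(nick), fname)
        steps.append({"nickname": nick, "file": fname, "pem": _pem(der), "command": cmd})
    return steps


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample input: minimal DER carrying only the fields subject_cn walks.
# Not valid X.509 (no key, no signature); it exists only to exercise the code.
def _der(tag, body):  # short-form lengths only, enough for these tiny samples
    return bytes([tag, len(body)]) + body


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x13, cn.encode()))))


def _sample_cert(cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
           + _name("Constructed Issuer")
           + _der(0x30, _der(0x17, b"101209000000Z") + _der(0x17, b"201209000000Z"))
           + _name(cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


SAMPLE_BUNDLE = "".join(_pem(_sample_cert(cn)) for cn in
                        ["Constructed Root CA", "Constructed Root CA", "Second Test CA"])

if __name__ == "__main__":
    for step in plan_import(SAMPLE_BUNDLE, "/etc/pki/nssdb"):
        with open(step["file"], "w") as fh:
            fh.write(step["pem"])
        print(step["command"])
    print("export SSL_DIR=/etc/pki/nssdb")  # then: curl https://bugzilla.redhat.com/
```

Running it writes ca-NN.pem files into the current directory and prints the certutil commands to run against the database; once the certificates are in, `certutil -L -d sql:/etc/pki/nssdb` lists them by nickname with the C trust flag, and curl picks them up after `export SSL_DIR=/etc/pki/nssdb` with no --cacert at all. The duplicate-nickname suffix matters because certutil refuses to add a second certificate under an existing nickname, and bundles generated by a Makefile often contain the same root twice.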
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-12-09