curl-library
Re:Re: How to use curl with nss supported?
Date: Fri, 10 Dec 2010 09:46:08 +0800 (CST)
Hi Kamil,
Thanks very much for your help.
At 2010-12-09 18:46:11,"Kamil Dudka" <kdudka_at_redhat.com> wrote:
>On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
>> I'm not sure about how to use curl with nss support.
>
>The natural way for NSS is to go through NSS database. You can specify its
>path by the environment variable SSL_DIR. You need to load your certificates
>into NSS database using certutil. Another way is to load PEM
>certificates/keys directly by curl. It, however, requires you to have a PEM
>reader PKCS11 module, which has not been accepted by NSS upstream yet:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
>> >What are the problems?
>>
>> Can't access https:// through CA.
>>
>> >> Version
>> >> --------------
>> >> $ curl -V
>> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
>> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
>> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
>> >> Largefile SSL libz
>> >
>> >What distribution are you using? Are the packages provided by your
>> > distro?
>>
>> $ uname -a
>> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
>> i686 i386 GNU/Linux
>
>It does not say much about the distribution. But it is likely not Fedora
>nor RHEL, which means you probably don't have the PEM reader installed on
>your system by default.
Yeah, there is no PEM reader on my system. I can find that there is a pk12util.
>
>> curl+nss is based on a cross-compiled build.
>>
>> >> NSS database is in '/etc/pki/nssdb' directory.
>> >> When I run certutil, the output is:
>> >> $ certutil -L -d /etc/pki/nssdb/
>> >> Certificate Nickname                        Trust Attributes
>> >>                                             SSL,S/MIME,JAR/XPI
>> >> I don't know why there is no nickname output.
>> >
>> >If you have working Firefox, you can try to point curl to its database by
>> >setting $SSL_DIR.
>>
>> Firefox is not installed.
>> If I have set $SSL_DIR, then how to use it?
>> $ curl -E -X GET https://bugzilla.redhat.com ?
>> can't work.
>
>export SSL_DIR=/path/to/your/database
But what about after that? I also can't find my certificates.
1. $ certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
2. $ export SSL_DIR=/etc/pki/nssdb
3. ??
>
>> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
>> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
>> >> is created.
>> >> Lastly when I using curl with this CA:
>> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>> >> Segmentation fault
>> >
>> >If you are able to repeat the crash with the latest curl/nss, please
>> > attach the certificate that causes the crash. What does the following
>> > command say?
>> >
>> >$ openssl x509 -in ./cacert.pem -noout -text
>>
>> If use as below, then there is no crash:
>> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
>> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
>You can't supply CA as client certificate. I'll try to reproduce the crash
>myself. Please give me some steps to reproduce.
cacert.pem and Makefile have been attached, I have renamed Makefile to Makefile.txt.
Sorry, I also can't reproduce the crash now. Weird, this time when I run:
$ curl --cacert ./cacert.pem https://bugzilla.redhat.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Thanks,
Xufeng Zhang
>
>Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/octet-stream attachment: cacert.pem
- text/plain attachment: Makefile.txt
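The route Kamil describes (import the CA into an NSS database with certutil, then set SSL_DIR so curl opens that database) as an added, worked shell example; this is not code from the thread or from the curl project. The database directory, the nickname prefix and the URL are placeholders, and only nss_import_bundle actually needs certutil on the PATH; the helpers that inspect and split the PEM file are plain grep/awk.

```shell
#!/bin/sh
# Added example, not code from the thread: import a CA bundle into an NSS
# database with certutil and point curl at it through SSL_DIR.
# Assumptions: paths, the nickname prefix and the URL below are placeholders;
# file names must not contain spaces (the for loop word-splits them).

# Number of certificates in a PEM file (0 if the file is missing or not PEM).
# Checking this first rules out a key or an empty file before blaming the
# TLS backend.
pem_cert_count() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# The certutil command that imports one PEM certificate as a CA trusted for
# TLS server authentication (trust flags C,,). Returned as text so it can be
# reviewed (and checked) before it is run.
nss_import_cmd() {
    # $1 database directory, $2 nickname, $3 PEM file
    printf "certutil -A -d '%s' -n '%s' -t C,, -a -i '%s'\n" "$1" "$2" "$3"
}

# Split a PEM bundle into one file per certificate named <prefix>N.pem and
# print the file names. certutil -A reads only the first certificate in its
# input, so a bundle such as cacert.pem has to go in one certificate at a time.
pem_split() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); print out; out = "" }
    ' "$1"
}

# Create the database if needed, import every certificate in the bundle as
# <nick>-N, then list the database so you can see what curl will see.
nss_import_bundle() {
    db="$1"; nick="$2"; bundle="$3"
    [ "$(pem_cert_count "$bundle")" -gt 0 ] || {
        echo "no certificates found in $bundle" >&2; return 1; }
    mkdir -p "$db"
    # New empty database with an empty password. --empty-password is not in
    # every NSS release; older certutil builds take the password via -f.
    [ -f "$db/cert8.db" ] || [ -f "$db/cert9.db" ] || \
        certutil -N -d "$db" --empty-password || return 1
    i=0
    for f in $(pem_split "$bundle" "$db/.import-"); do
        i=$((i + 1))
        eval "$(nss_import_cmd "$db" "$nick-$i" "$f")" || return 1
        rm -f "$f"
    done
    certutil -L -d "$db"
}

# Usage (placeholders): once the CA is in the database with trust C,,,
# verification works without --cacert, and a client certificate imported with
# "pk12util -i client.p12 -d $db" is selected by nickname, not by file name:
#   nss_import_bundle "$HOME/nssdb" cacert ./cacert.pem
#   SSL_DIR="$HOME/nssdb" curl https://bugzilla.redhat.com/
#   SSL_DIR="$HOME/nssdb" curl --cert client-nickname https://example.invalid/
```

One caveat worth checking if curl still reports error 60 after the import: certutil and curl must open the same database format. certutil without a prefix uses the legacy cert8.db/key3.db files, while the "sql:" prefix selects the newer cert9.db/key4.db format; if your curl build opens one and you populated the other, certutil -L will show the CA but curl will not find it.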