curl-library
Re:Re: How to use curl with nss supported?
Date: Fri, 10 Dec 2010 09:55:48 +0800 (CST)
At 2010-12-09 18:46:11,"Kamil Dudka" <kdudka_at_redhat.com> wrote:
>On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
>> I'm not sure about how to use curl with nss support.
>
>The natural way for NSS is to go through NSS database. You can specify its
>path by the environment variable SSL_DIR. You need to load your certificates
>into NSS database using certutil. Another way is to load PEM
>certificates/keys directly by curl. It, however, requires you to have a PEM
>reader PKCS11 module, which has not been accepted by NSS upstream yet:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
>> >What are the problems?
>>
>> Can't access https:// through CA.
>>
>> >> Version
>> >> --------------
>> >> $ curl -V
>> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
>> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
>> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
>> >> Largefile SSL libz
>> >
>> >What distribution are you using? Are the packages provided by your
>> > distro?
>>
>> $ uname -a
>> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
>> i686 i386 GNU/Linux
>
>It does not say much about the distribution. But it is likely not Fedora
>nor RHEL, which means you probably don't have the PEM reader installed on
>your system by default.
>
>> curl+nss is based on a cross-compiling build.
>>
>> >> NSS database is in '/etc/pki/nssdb' directory.
>> >> When I run certutil, the output is:
>> >> $ certutil -L -d /etc/pki/nssdb/
>> >> Certificate Nickname                                         Trust Attributes
>> >>                                                              SSL,S/MIME,JAR/XPI
>> >> I don't know why there is no nickname output.
>> >
>> >If you have working Firefox, you can try to point curl to its database by
>> >setting $SSL_DIR.
>>
>> Firefox is not installed.
>> If I have set $SSL_DIR, then how do I use it?
>> $ curl -E -X GET https://bugzilla.redhat.com ?
>> It doesn't work.
>
>export SSL_DIR=/path/to/your/database
>
>> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
>> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
>> >> is created.
>> >> Lastly when I using curl with this CA:
>> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>> >> Segmentation fault
>> >
>> >If you are able to repeat the crash with the latest curl/nss, please
>> > attach the certificate that causes the crash. What does the following
>> > command say?
>> >
>> >$ openssl x509 -in ./cacert.pem -noout -text
>>
>> If I use it as below, there is no crash:
>> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
>> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
>You can't supply CA as client certificate. I'll try to reproduce the crash
>myself. Please give me some steps to reproduce.
Oh, I know why I can't reproduce the crash now: I have changed the PEM file
from "-----BEGIN PRIVATE KEY-----" to "-----BEGIN RSA PRIVATE KEY-----".
Using this cacert.pem file, you can reproduce the crash by running:
$ curl --cacert /the/path/to/cacert.pem https://bugzilla.redhat.com
Segmentation fault
Thanks,
Xufeng Zhang
>
>Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/octet-stream attachment: cacert.pem
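The crash above comes from handing curl a PEM file that holds a private key where a CA bundle is expected. As an added example (not code from curl, NSS or this thread), the following pre-flight check scans a PEM file and reports anything that makes it unfit for --cacert: private-key blocks, mismatched BEGIN/END labels, or bodies that are not base64 DER; the sample inputs are constructed and contain no real certificate or key material.

```python
import base64
import binascii
import re

# BEGIN and END labels are captured separately so a mismatch can be reported.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)
# Labels that carry key material rather than certificates.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def scan_pem(text):
    """List PEM blocks: BEGIN label, END label, and whether the body is valid
    base64 whose DER starts with an ASN.1 SEQUENCE tag (0x30)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            body_ok = len(der) > 0 and der[0] == 0x30
        except (binascii.Error, ValueError):
            body_ok = False
        blocks.append({"label": begin, "end": end, "body_ok": body_ok})
    return blocks


def cacert_bundle_problems(text):
    """Reasons text is unfit for --cacert; empty means only good CERTIFICATE blocks."""
    problems, certs = [], 0
    for i, b in enumerate(scan_pem(text), 1):
        if b["label"] != b["end"]:
            problems.append(f"block {i}: BEGIN {b['label']} closed by END {b['end']}")
        if b["label"] in KEY_LABELS:
            problems.append(f"block {i}: {b['label']} does not belong in a CA bundle")
        elif b["label"] == "CERTIFICATE":
            certs += 1
            if not b["body_ok"]:
                problems.append(f"block {i}: CERTIFICATE body is not base64 DER")
        else:
            problems.append(f"block {i}: unexpected label {b['label']}")
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    return problems


# Constructed sample inputs (not real certificates or keys): the body is a
# minimal DER SEQUENCE { INTEGER 1 }, enough to exercise the structural checks.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_BUNDLE = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
KEY_AS_CACERT = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER_B64}\n-----END RSA PRIVATE KEY-----\n"
```

Running `cacert_bundle_problems` over the file before invoking curl turns the segfault scenario into a readable message naming the offending block.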