curl-library

Re: How to use curl with nss supported?

From: Philip Prindeville <philipp_subx_at_redfish-solutions.com>
Date: Fri, 10 Dec 2010 12:47:18 -0800

Our spam filters keep getting false positives from email to an English-language mailing list being sent in esoteric Han character encodings like Giao Bao.

Can you please post in UTF8 or ISO-8859-1?

Thanks.

On 12/9/10 9:40 PM, 张绪峰 wrote:
> Hi Kamil,
>
> I think the root cause of my problem may be that there is not a valid certificate in my system.
> I find there is a configure option "--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
> in curl.spec, but I can't find the ca-bundle.crt file in my system.
>
> Thanks,
> Xufeng Zhang
>
> At 2010-12-09 18:46:11,"Kamil Dudka"<kdudka_at_redhat.com> wrote:
>
> >On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
> >> I'm not sure about how to use curl with nss support.
> >
> >The natural way for NSS is to go through NSS database. You can specify its
> >path by the environment variable SSL_DIR. You need to load your certificates
> >into NSS database using certutil. Another way is to load PEM
> >certificates/keys directly by curl. It, however, requires you to have a PEM
> >reader PKCS11 module, which has not been accepted by NSS upstream yet:
> >
> >https://bugzilla.mozilla.org/show_bug.cgi?id=402712
> >
> >> >What are the problems?
> >>
> >> Can't access https:// through CA.
> >>
> >> >> Version
> >> >> --------------
> >> >> $ curl -V
> >> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5 zlib/1.2.5 libidn/0.6.5
> >> >> Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
> >> >> Features: IDN IPv6 Largefile SSL libz
> >> >
> >> >What distribution are you using? Are the packages provided by your
> >> > distro?
> >>
> >> $ uname -a
> >> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
> >> i686 i386 GNU/Linux
> >
> >It does not say much about the distribution. But it is likely not Fedora
> >nor RHEL, which means you probably don't have the PEM reader installed on
> >your system by default.
> >
> >> curl+nss is based on a cross-compiled build.
> >>
> >> >> NSS database is in '/etc/pki/nssdb' directory.
> >> >> When I run certutil, the output is:
> >> >> $ certutil -L -d /etc/pki/nssdb/
> >> >> Certificate Nickname                                         Trust Attributes
> >> >>                                                              SSL,S/MIME,JAR/XPI
> >> >> I don't know why there is no nickname output.
> >> >
> >> >If you have working Firefox, you can try to point curl to its database by
> >> >setting $SSL_DIR.
> >>
> >> Firefox is not installed.
> >> If I have set $SSL_DIR, then how do I use it?
> >> $ curl -E -X GET https://bugzilla.redhat.com ?
> >> It doesn't work.
> >
> >export SSL_DIR=/path/to/your/database
> >
> >> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
> >> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
> >> >> is created.
> >> >> Lastly, when I use curl with this CA:
> >> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
> >> >> Segmentation fault
> >> >
> >> >If you are able to repeat the crash with the latest curl/nss, please
> >> > attach the certificate that causes the crash. What does the following
> >> > command say?
> >> >
> >> >$ openssl x509 -in ./cacert.pem -noout -text
> >>
> >> If I use it as below, then there is no crash:
> >> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
> >> curl: (77) Problem with the SSL CA cert (path? access rights?)
> >
> >You can't supply CA as client certificate. I'll try to reproduce the crash
> >myself. Please give me some steps to reproduce.
> >
> >Kamil
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-12-10
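
The NSS database route described in the thread (import the CA with certutil, then point curl at the database through SSL_DIR), written out as an added example that is not part of the original messages. The script name, the nickname and the helper functions `nss_db_format` and `import_ca` are hypothetical; it assumes certutil and an NSS-built curl that use the same NSS, so both open the same database format by default.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical.

# Report which NSS database files a directory holds: "sql", "dbm" or "none".
# cert8.db/key3.db is the legacy (dbm) layout, cert9.db/key4.db the sql one.
nss_db_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Import a PEM CA certificate as a trusted SSL server CA (trust flags "C,,").
# Creates the database first when the directory holds none.
import_ca() {
    db=$1 pem=$2 nick=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 2; }
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    if [ "$(nss_db_format "$db")" = none ]; then
        mkdir -p "$db" || return 1
        certutil -N -d "$db" --empty-password || return 1
    fi
    certutil -A -d "$db" -n "$nick" -t "C,," -a -i "$pem" || return 1
    # The nickname must now appear in the listing; an empty listing like the
    # one quoted in the thread means the database holds no certificate at all.
    certutil -L -d "$db" | grep -qF -- "$nick"
}

# Run only when called with three arguments, for example:
#   sh nss-ca.sh /path/to/your/database ./cacert.pem "My Root CA"
if [ "$#" -eq 3 ]; then
    import_ca "$1" "$2" "$3" && {
        SSL_DIR=$1; export SSL_DIR      # curl's NSS backend reads this path
        curl https://bugzilla.redhat.com
    }
fi
```

The CA goes into the database as a trust anchor; `--cert` is only for a client certificate, which is why passing the CA file there ended in error 77.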