Re: libcurl, libnss and PEM certificates

From: Kamil Dudka <>
Date: Mon, 24 Feb 2014 08:01:52 +0100

On Saturday, February 22, 2014 15:08:24 Alessandro Ghedini wrote:
> Hi all,
> I've been looking into ways to fix the no-PEM-certificates-with-libnss in
> Debian.
> The first solution that I tried was to use the thingy from Red
> Hat [0], and it works I guess, but the problem is that it needs to be built
> as part of the libnss package, so it's a no-go for now.
> [0]

nss-pem is going to be included into the upstream distribution of nss.
Kai Engert is currently working on this.

> The other solution I tried was to use the module from the
> p11-kit project [0], which is already packaged for Debian. According to its
> documentation it should be a normal PKCS#11 module and a drop-in replacement
> for (whatever that means), so I simply replaced
> "" with the path to it in libcurl sources to make libcurl use
> it.
> [0]
> The problem with the latter method is that, while libcurl loads the module
> correctly, it still doesn't work (that is, TLS connections fail because
> libcurl/libnss can't find a proper certificate):
> $ src/curl -v
> [...]
> * Initializing NSS with certpath: none
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (77) Problem with the SSL CA cert (path? access rights?)
> So, is there anyone who knows how to make it work (myself being quite
> ignorant regarding libnss)? Alternative solutions are welcome as well.
> The whole point of this would be to have the libcurl nss flavour in Debian
> being actually useful "by default" (which means being able to use the
> default Debian CA certificates that are in PEM format), due to the recent
> GnuTLS license problems [0]. Which means that I'm also interested in
> hearing opinions on OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also
> about having the nss flavour to be the default/only available version in
> Debian (I see that Red Hat has done the same thing, how did it go?).
> [0]
> [1]
> Cheers

I am adding nss-pem-devel to CC. It is probably a more appropriate channel
for this discussion.

Received on 2014-02-24