
Re: libcurl, libnss and PEM certificates

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 24 Feb 2014 08:01:52 +0100

On Saturday, February 22, 2014 15:08:24 Alessandro Ghedini wrote:
> Hi all,
>
> I've been looking into ways to fix the no-PEM-certificates-with-libnss in
> Debian.
>
> The first solution that I tried was to use the libnsspem.so thingy from Red
> Hat [0], and it works I guess, but the problem is that it needs to be built
> as part of the libnss package, so it's a no-go for now.
>
> [0] https://git.fedorahosted.org/git/nss-pem.git

nss-pem is going to be included into the upstream distribution of nss.
Kai Engert is currently working on this.

> The other solution I tried was to use the p11-kit-trust.so module from the
> p11-kit project [0], which is already packaged for Debian. According to its
> documentation it should be a normal PKCS#11 module and a drop-in replacement
> for libnssckbi.so (whatever that means), so I simply replaced
> "libnsspem.so" with the path to it in libcurl sources to make libcurl use
> it.
>
> [0] http://p11-glue.freedesktop.org/
>
> The problem with the latter method is that, while libcurl loads the module
> correctly, it still doesn't work (that is, TLS connections fail because
> libcurl/libnss can't find a proper certificate):
>
> $ src/curl -v https://www.google.com
> [...]
> * Initializing NSS with certpath: none
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
> So, is there anyone who knows how to make it work (myself being quite
> ignorant regarding libnss)? Alternative solutions are welcome as well.
>
> The whole point of this would be to have the libcurl nss flavour in Debian
> being actually useful "by default" (which means being able to use the
> default Debian CA certificates that are in PEM format), due to the recent
> GnuTLS license problems [0]. Which means that I'm also interested in
> hearing opinions on OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also
> about having the nss flavour to be the default/only available version in
> Debian (I see that Red Hat has done the same thing, how did it go?).
>
> [0] https://lists.debian.org/debian-devel/2013/12/msg00329.html
> [1] http://curl.haxx.se/docs/ssl-compared.html
>
> Cheers

I am adding nss-pem-devel to CC. It is probably a more appropriate channel
for this discussion.

Kamil
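The failure quoted above (libcurl built against NSS, a PEM-only CA store, exit code 77) is easy to trip over when packaging, so here is an added POSIX sh example, not code from the thread or the curl project, that recognises that combination up front. It assumes the `curl --version` first-line format of the era (`curl X.Y.Z (triplet) libcurl/X.Y.Z NSS/... zlib/...`); the function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the curl thread): classify which TLS backend a curl
# build reports, and whether a CA bundle is PEM, so the "NSS build cannot read
# the PEM CA store" case can be caught before a request fails with
# CURLE_SSL_CACERT_BADFILE (curl exit code 77).

# Print the TLS backend named in the first line of `curl --version`.
# Sample line (constructed, in the format curl 7.x printed at the time):
#   curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 NSS/3.15.4 zlib/1.2.8
curl_tls_backend() {
    line=$1
    for token in $line; do
        case $token in
            OpenSSL/*|NSS/*|GnuTLS/*|PolarSSL/*|CyaSSL/*|SecureTransport|WinSSL)
                printf '%s\n' "${token%%/*}"
                return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# Report the encoding of a CA certificate file: "pem" if it carries at least
# one PEM certificate block, "der" if its first byte is an ASN.1 SEQUENCE tag
# (0x30), otherwise "unknown".
ca_bundle_format() {
    file=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        printf 'pem\n'
    elif [ "$(od -An -tx1 -N1 "$file" 2>/dev/null | tr -d ' ')" = "30" ]; then
        printf 'der\n'
    else
        printf 'unknown\n'
    fi
}

# Return 1 for the combination the thread describes (NSS backend handed a PEM
# bundle, which needs the nss-pem module to be readable at all) or when the
# bundle cannot be classified; return 0 otherwise. Intended as an early check
# in a packaging test, before any network request is attempted.
check_ca_compat() {
    backend=$(curl_tls_backend "$1") || backend=unknown
    format=$(ca_bundle_format "$2")
    case "$backend:$format" in
        NSS:pem)
            printf 'NSS-backed curl with PEM bundle %s: needs nss-pem\n' "$2" >&2
            return 1 ;;
        *:unknown)
            printf 'cannot classify CA bundle %s\n' "$2" >&2
            return 1 ;;
        *)
            printf '%s backend, %s bundle\n' "$backend" "$format"
            return 0 ;;
    esac
}

# Demo on constructed input: an NSS-backed curl and a tiny PEM file.
demo_bundle=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n' > "$demo_bundle"
check_ca_compat 'curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 NSS/3.15.4 zlib/1.2.8' "$demo_bundle" || true
rm -f "$demo_bundle"
```

The PEM test is deliberately a substring match on the certificate header rather than a full parse: the question a packager needs answered is only whether the default store is in a format this build's backend can read without an extra module.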
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-24