
curl-library

Re: NSS, CURLOPT_CAINFO, and using the NSS CAs

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 28 Jul 2014 16:24:23 +0200

On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
> Hello,
>
> A good while back I had some code that needed to use the NSS CAs only (and
> not the PEM ca-bundle file). I did this by symlinking libnssckbi.so into
> my nssdb (so NSS would have the CA certs),

I am not sure how this is supposed to work. Is it documented anywhere?

> and passing NULL for
> CURLOPT_CAINFO (so the PEM file wouldn't be loaded). This worked fine on
> libcurl 7.21.0 and NSS 3.12.10.
>
> I'm trying to update this code to run on a more up to date system (RHEL7,
> which has libcurl 7.29.0 and NSS 3.15.4), but passing NULL for
> CURLOPT_CAINFO does not seem to work any longer.

I believe that the libcurl part still works. If you pass NULL as
CURLOPT_CAINFO, it does not load CA certificates from file.

> The NSS part seems
> correct, and "certutil -d /etc/pki/nssdb -L -h all" does in fact list all
> of the CAs. However, this sample program does not work:
>
> #include <stdio.h>
> #include <curl/curl.h>
>
> int main(int argc, char *argv[])
> {
>   CURL *hnd;
>   CURLcode rc;
>
>   curl_global_init(CURL_GLOBAL_DEFAULT);
>   hnd = curl_easy_init();
>   curl_easy_setopt(hnd, CURLOPT_URL, "https://www.google.com");
>   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
>   /* NULL: do not load the PEM ca-bundle, rely on the NSS database only */
>   curl_easy_setopt(hnd, CURLOPT_CAINFO, NULL);
>
>   rc = curl_easy_perform(hnd);
>   if (rc != CURLE_OK)
>     fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(rc));
>
>   curl_easy_cleanup(hnd);
>   curl_global_cleanup();
>
>   return rc == CURLE_OK ? 0 : 1;
> }
>
> The error given is:
>
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.
>
> This sample program does work on the older libcurl and NSS.
>
> Any thoughts? Again, the intent here is to use the NSS CAs and ignore the
> ca-bundle.crt file.
>
> David

I was able to connect using your example on RHEL-7 if I imported the CA
certificate into the NSS certificate database:

$ mkdir /tmp/nssdb
$ certutil -d /tmp/nssdb -N
$ certutil -d /tmp/nssdb -A -i /tmp/GeoTrustGlobalCA -t C,, -n GeoTrustGlobalCA
$ gcc -lcurl xxx.c
$ SSL_DIR=/tmp/nssdb ./a.out
* About to connect() to www.google.com port 443 (#0)
* Trying 2a00:1450:4009:809::1013...
* Network is unreachable
* Trying 173.194.41.179...
* Connected to www.google.com (173.194.41.179) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* CAfile: none
  CApath: none
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
* start date: Jul 16 12:14:11 2014 GMT
* expire date: Oct 14 00:00:00 2014 GMT
* common name: www.google.com
* issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
Host: www.google.com
Accept: */*

< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.cz/?gfe_rd=cr&ei=B1zWU9O0G7DY8geO0YGgBQ
< Content-Length: 259
< Date: Mon, 28 Jul 2014 14:19:51 GMT
< Server: GFE/2.0
< Alternate-Protocol: 443:quic
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.cz/?gfe_rd=cr&amp;ei=B1zWU9O0G7DY8geO0YGgBQ">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
Received on 2014-07-28