curl-library

Re: Error "* Initializing NSS with certpath: sql:/etc/pki/nssdb"

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 25 Feb 2016 17:59:28 +0100

On Thursday 25 February 2016 11:12:20 cnm marketing wrote:
> Yes, we tried both with no luck -
>
> CURLOPT_SSLVERSION: CURL_SSLVERSION_DEFAULT, CURL_SSLVERSION_TLSv1,
> CURL_SSLVERSION_SSLv2
> and CURL_SSLVERSION_SSLv3
> CURLOPT_SSL_CIPHER_LIST: tried all the cipher returned from "openssl
> ciphers 'ALL:eNULL'"

The cipher-suite identifiers used by OpenSSL are incompatible with the
identifiers used by NSS. Please check which cipher-suite exactly is used
in the working case and try to look it up in the following table:

https://github.com/curl/curl/blob/64fa3b8d/lib/vtls/nss.c#L104

Is the server in question available anywhere for testing?

Kamil

> In addition, we are using the following nss-softokn-freebl
> [root]# rpm -qa |grep nss-softokn
> nss-softokn-3.14.3-10.el6_5.x86_64
> nss-softokn-freebl-3.14.3-3.el6_4.i686
> nss-softokn-freebl-3.14.3-3.el6_4.x86_64
>
> On Thu, Feb 25, 2016 at 10:00 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> > On Thursday 25 February 2016 09:15:37 cnm marketing wrote:
> > > Hi,
> > >
> > > We use two different ports to do libcurl operations on "CentOS release
> > > 6.6 (Final)".
> > >
> > > In an internal port A, with "CURLOPT_VERBOSE" on, we got this message "*
> > > Initializing NSS with certpath: sql:/etc/pki/nssdb" when using url
> > > "https://xxxx.aaa.com:portA", then program hangs. However, it works if we
> > > change "https" to "http". In addition, we try "openssl s_client -cipher
> > > ...." to get cipher information via port A, it fails (timeout) for all the
> > > cipher returned from "openssl ciphers 'ALL:eNULL' ....".
> > >
> > > In another port B, it works for both "https" and "http". When using openssl
> > > to get cipher info. it also works fine.
> > >
> > >
> > > Thanks,
> > > cnm
> >
> > Have you tried to switch the SSL version and/or enabled cipher-suites?
> >
> > OpenSSL and NSS have different default configuration from each other.
> >
> > Please have a look at the following options:
> >
> > https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
> > https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> >
> > Kamil
Received on 2016-02-25
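
The name translation described in the reply above, as an added example that is not part of the thread or of curl's own code: a hypothetical helper, `openssl_to_nss_list`, converts an OpenSSL-style colon-separated cipher string into the comma-separated names that curl's NSS backend accepts for CURLOPT_SSL_CIPHER_LIST. The mapping is a constructed subset; the linked nss.c table is the reference.

```c
#include <string.h>

/* Constructed subset of OpenSSL -> curl NSS-backend cipher names; the table
   in lib/vtls/nss.c linked above is authoritative. */
static const struct { const char *openssl, *nss; } cipher_map[] = {
  {"RC4-SHA",                     "rsa_rc4_128_sha"},
  {"DES-CBC3-SHA",                "rsa_3des_sha"},
  {"AES128-SHA",                  "rsa_aes_128_sha"},
  {"AES256-SHA",                  "rsa_aes_256_sha"},
  {"DHE-RSA-AES128-SHA",          "dhe_rsa_aes_128_cbc_sha"},
  {"ECDHE-RSA-AES128-GCM-SHA256", "ecdhe_rsa_aes_128_gcm_sha_256"},
};

/* Look up one OpenSSL token (not NUL-terminated, length len). */
static const char *nss_name(const char *tok, size_t len)
{
  size_t i;
  for(i = 0; i < sizeof(cipher_map) / sizeof(cipher_map[0]); i++)
    if(strlen(cipher_map[i].openssl) == len &&
       !strncmp(cipher_map[i].openssl, tok, len))
      return cipher_map[i].nss;
  return NULL;
}

/* Hypothetical helper: write the NSS-style, comma-separated equivalent of the
   colon-separated OpenSSL list `in` into `out`. Returns how many names had no
   entry in cipher_map, or -1 if `out` is too small. */
int openssl_to_nss_list(const char *in, char *out, size_t outlen)
{
  int unknown = 0;
  size_t used = 0;
  if(outlen == 0) return -1;
  out[0] = '\0';
  while(*in) {
    size_t len = strcspn(in, ":");
    const char *nss = nss_name(in, len);
    if(nss) {
      size_t n = strlen(nss);
      if(used + n + 2 > outlen) return -1;  /* room for name, ',' and NUL */
      if(used) out[used++] = ',';
      memcpy(out + used, nss, n + 1);
      used += n;
    }
    else if(len)
      unknown++;  /* e.g. OpenSSL keywords such as ALL or eNULL */
    in += len + (in[len] == ':');
  }
  return unknown;
}
```

The resulting string is what would be passed to CURLOPT_SSL_CIPHER_LIST on an NSS build; a non-zero return means part of the OpenSSL list was dropped and needs a manual lookup in the table.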