
curl-library

Re: Error "* Initializing NSS with certpath: sql:/etc/pki/nssdb"

From: cnm marketing <cnn.marketing_at_gmail.com>
Date: Fri, 26 Feb 2016 12:43:53 -0500

>>> But that is not the command I suggested you to use, is it?
Well, yes, your command is "openssl s_client", would you mind giving me the full
command to list all the cipher-suite for NSS.

On Fri, Feb 26, 2016 at 11:37 AM, cnm marketing <cnn.marketing_at_gmail.com>
wrote:

> >>> But that is not the command I suggested you to use, is it?
> Well, yes, your command is "openssl s_client", would you mind giving me the full
> command to list all the cipher-suite for NSS.
>
> On Fri, Feb 26, 2016 at 9:52 AM, cnm marketing <cnn.marketing_at_gmail.com>
> wrote:
>
>> >>> But that is not the command I suggested you to use, is it?
>> Well, yes, your command is "openssl s_client", would you mind giving me
>> the full command to list all the NSS.
>>
>> On Fri, Feb 26, 2016 at 9:37 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>>
>>> On Friday 26 February 2016 09:29:12 cnm marketing wrote:
>>> > The result of cipher-suite that I got from the server as following and none
>>> > of them shows up in the table -
>>> >
>>> > command used to get cipher-suite on the server: openssl ciphers 'ALL:eNULL'
>>>
>>> But that is not the command I suggested you to use, is it?
>>>
>>> It is not clear to me how such a list will help you to debug the issue.
>>>
>>> Kamil
>>>
>>> > {"ECDHE-RSA-AES256-GCM-SHA384",
>>> > "ECDHE-ECDSA-AES256-GCM-SHA384",
>>> > "ECDHE-RSA-AES256-SHA384",
>>> > "ECDHE-ECDSA-AES256-SHA384",
>>> > "ECDHE-RSA-AES256-SHA",
>>> > "ECDHE-ECDSA-AES256-SHA",
>>> > "DHE-DSS-AES256-GCM-SHA384",
>>> > "DHE-RSA-AES256-GCM-SHA384",
>>> > "DHE-RSA-AES256-SHA256",
>>> > "DHE-DSS-AES256-SHA256",
>>> > "DHE-RSA-AES256-SHA",
>>> > "DHE-DSS-AES256-SHA",
>>> > "DHE-RSA-CAMELLIA256-SHA",
>>> > "DHE-DSS-CAMELLIA256-SHA",
>>> > "AECDH-AES256-SHA",
>>> > "ADH-AES256-GCM-SHA384",
>>> > "ADH-AES256-SHA256",
>>> > "ADH-AES256-SHA",
>>> > "ADH-CAMELLIA256-SHA",
>>> > "ECDH-RSA-AES256-GCM-SHA384",
>>> > "ECDH-ECDSA-AES256-GCM-SHA384",
>>> > "ECDH-RSA-AES256-SHA384",
>>> > "ECDH-ECDSA-AES256-SHA384",
>>> > "ECDH-RSA-AES256-SHA",
>>> > "ECDH-ECDSA-AES256-SHA",
>>> > "AES256-GCM-SHA384",
>>> > "AES256-SHA256",
>>> > "AES256-SHA",
>>> > "CAMELLIA256-SHA",
>>> > "PSK-AES256-CBC-SHA",
>>> > "ECDHE-RSA-AES128-GCM-SHA256",
>>> > "ECDHE-ECDSA-AES128-GCM-SHA256",
>>> > "ECDHE-RSA-AES128-SHA256",
>>> > "ECDHE-ECDSA-AES128-SHA256",
>>> > "ECDHE-RSA-AES128-SHA",
>>> > "ECDHE-ECDSA-AES128-SHA",
>>> > "DHE-DSS-AES128-GCM-SHA256",
>>> > "DHE-RSA-AES128-GCM-SHA256",
>>> > "DHE-RSA-AES128-SHA256",
>>> > "DHE-DSS-AES128-SHA256",
>>> > "DHE-RSA-AES128-SHA",
>>> > "DHE-DSS-AES128-SHA",
>>> > "ECDHE-RSA-DES-CBC3-SHA",
>>> > "ECDHE-ECDSA-DES-CBC3-SHA",
>>> > "DHE-RSA-SEED-SHA",
>>> > "DHE-DSS-SEED-SHA",
>>> > "DHE-RSA-CAMELLIA128-SHA",
>>> > "DHE-DSS-CAMELLIA128-SHA",
>>> > "EDH-RSA-DES-CBC3-SHA",
>>> > "EDH-DSS-DES-CBC3-SHA",
>>> > "AECDH-AES128-SHA",
>>> > "ADH-AES128-GCM-SHA256",
>>> > "ADH-AES128-SHA256",
>>> > "ADH-AES128-SHA",
>>> > "AECDH-DES-CBC3-SHA",
>>> > "ADH-SEED-SHA",
>>> > "ADH-CAMELLIA128-SHA",
>>> > "ADH-DES-CBC3-SHA",
>>> > "ECDH-RSA-AES128-GCM-SHA256",
>>> > "ECDH-ECDSA-AES128-GCM-SHA256",
>>> > "ECDH-RSA-AES128-SHA256",
>>> > "ECDH-ECDSA-AES128-SHA256",
>>> > "ECDH-RSA-AES128-SHA",
>>> > "ECDH-ECDSA-AES128-SHA",
>>> > "ECDH-RSA-DES-CBC3-SHA",
>>> > "ECDH-ECDSA-DES-CBC3-SHA",
>>> > "AES128-GCM-SHA256",
>>> > "AES128-SHA256",
>>> > "AES128-SHA",
>>> > "SEED-SHA",
>>> > "CAMELLIA128-SHA",
>>> > "DES-CBC3-SHA",
>>> > "IDEA-CBC-SHA",
>>> > "DES-CBC3-MD5",
>>> > "IDEA-CBC-MD5",
>>> > "RC2-CBC-MD5",
>>> > "PSK-AES128-CBC-SHA",
>>> > "PSK-3DES-EDE-CBC-SHA",
>>> > "KRB5-IDEA-CBC-SHA",
>>> > "KRB5-DES-CBC3-SHA",
>>> > "KRB5-IDEA-CBC-MD5",
>>> > "KRB5-DES-CBC3-MD5",
>>> > "ECDHE-RSA-RC4-SHA",
>>> > "ECDHE-ECDSA-RC4-SHA",
>>> > "AECDH-RC4-SHA",
>>> > "ADH-RC4-MD5",
>>> > "ECDH-RSA-RC4-SHA",
>>> > "ECDH-ECDSA-RC4-SHA",
>>> > "RC4-SHA",
>>> > "RC4-MD5",
>>> > "RC4-MD5",
>>> > "PSK-RC4-SHA",
>>> > "KRB5-RC4-SHA",
>>> > "KRB5-RC4-MD5",
>>> > "EDH-RSA-DES-CBC-SHA",
>>> > "EDH-DSS-DES-CBC-SHA",
>>> > "ADH-DES-CBC-SHA",
>>> > "DES-CBC-SHA",
>>> > "DES-CBC-MD5",
>>> > "KRB5-DES-CBC-SHA",
>>> > "KRB5-DES-CBC-MD5",
>>> > "EXP-EDH-RSA-DES-CBC-SHA",
>>> > "EXP-EDH-DSS-DES-CBC-SHA",
>>> > "EXP-ADH-DES-CBC-SHA",
>>> > "EXP-DES-CBC-SHA",
>>> > "EXP-RC2-CBC-MD5",
>>> > "EXP-RC2-CBC-MD5",
>>> > "EXP-KRB5-RC2-CBC-SHA",
>>> > "EXP-KRB5-DES-CBC-SHA",
>>> > "EXP-KRB5-RC2-CBC-MD5",
>>> > "EXP-KRB5-DES-CBC-MD5",
>>> > "EXP-ADH-RC4-MD5",
>>> > "EXP-RC4-MD5",
>>> > "EXP-RC4-MD5",
>>> > "EXP-KRB5-RC4-SHA",
>>> > "EXP-KRB5-RC4-MD5",
>>> > "ECDHE-RSA-NULL-SHA",
>>> > "ECDHE-ECDSA-NULL-SHA",
>>> > "AECDH-NULL-SHA",
>>> > "ECDH-RSA-NULL-SHA",
>>> > "ECDH-ECDSA-NULL-SHA",
>>> > "NULL-SHA256",
>>> > "NULL-SHA",
>>> > "NULL-MD5"}
>>> >
>>> > On Thu, Feb 25, 2016 at 3:41 PM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>>> > > On Thursday, February 25, 2016 14:38:55 cnm marketing wrote:
>>> > > > Sorry, the server is inaccessible from outside.
>>> > > >
>>> > > > > Please check which cipher-suite exactly is used in the working case
>>> > > >
>>> > > > Not sure whether I got what you're saying, do you mean I need to obtain
>>> > > > the cipher-suite for NSS on that host. Do you know the command for CentOS
>>> > > > for this?
>>> > >
>>> > > You can obtain the info using the command 'openssl s_client'.
>>> > >
>>> > > Kamil
>>> > >
>>> > > > Thanks,
>>> > > >
>>> > > > On Thu, Feb 25, 2016 at 11:59 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>>> > > > > On Thursday 25 February 2016 11:12:20 cnm marketing wrote:
>>> > > > > > Yes, we tried both with no luck -
>>> > > > > >
>>> > > > > > CURLOPT_SSLVERSION: CURL_SSLVERSION_DEFAULT, CURL_SSLVERSION_TLSv1,
>>> > > > > > CURL_SSLVERSION_SSLv2
>>> > > > > > and CURL_SSLVERSION_SSLv3
>>> > > > > > CURLOPT_SSL_CIPHER_LIST: tried all the cipher returned from "openssl
>>> > > > > > ciphers 'ALL:eNULL'"
>>> > > > >
>>> > > > > The cipher-suite identifiers used by OpenSSL are incompatible with the
>>> > > > > identifiers used by NSS. Please check which cipher-suite exactly is used
>>> > > > > in the working case and try to look it up in the following table:
>>> > > > >
>>> > > > > https://github.com/curl/curl/blob/64fa3b8d/lib/vtls/nss.c#L104
>>> > > > >
>>> > > > > Is the server in question available anywhere for testing?
>>> > > > >
>>> > > > > Kamil
>>> > > > >
>>> > > > > > In addition, we are using the following nss-softokn-freebl
>>> > > > > > [root]# rpm -qa |grep nss-softokn
>>> > > > > > nss-softokn-3.14.3-10.el6_5.x86_64
>>> > > > > > nss-softokn-freebl-3.14.3-3.el6_4.i686
>>> > > > > > nss-softokn-freebl-3.14.3-3.el6_4.x86_64
>>> > > > > >
>>> > > > > > On Thu, Feb 25, 2016 at 10:00 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>>> > > > > > > On Thursday 25 February 2016 09:15:37 cnm marketing wrote:
>>> > > > > > > > Hi,
>>> > > > > > > >
>>> > > > > > > > We use two different ports to do libcurl operations on "CentOS release 6.6
>>> > > > > > > > (Final)".
>>> > > > > > > >
>>> > > > > > > > In an internal port A, with "CURLOPT_VERBOSE" on, we got this message "*
>>> > > > > > > > Initializing NSS with certpath: sql:/etc/pki/nssdb" when using url
>>> > > > > > > > "https://xxxx.aaa.com:portA", then program hangs. However, it works if we
>>> > > > > > > > change "https" to "http". In addition, we try "openssl s_client -cipher
>>> > > > > > > > ...." to get cipher information via port A, it fails (timeout) for all the
>>> > > > > > > > cipher returned from "openssl ciphers 'ALL:eNULL' ....".
>>> > > > > > > >
>>> > > > > > > > In another port B, it works for both "https" and "http". When using openssl
>>> > > > > > > > to get cipher info. it also works fine.
>>> > > > > > > >
>>> > > > > > > >
>>> > > > > > > > Thanks,
>>> > > > > > > > cnm
>>> > > > > > >
>>> > > > > > > Have you tried to switch the SSL version and/or enabled cipher-suites?
>>> > > > > > > OpenSSL and NSS have different default configuration from each other.
>>> > > > > > > Please have a look at the following options:
>>> > > > > > >
>>> > > > > > > https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
>>> > > > > > > https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>>> > > > > > >
>>> > > > > > > Kamil
>>>
>>>
>>
>
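
Added example, not part of the original thread: the lookup suggested above, taking the cipher suite that "openssl s_client" reports for a working connection and translating it to the identifier libcurl's NSS backend expects in CURLOPT_SSL_CIPHER_LIST. The s_client output is a constructed sample, the function names are hypothetical, and the mapping is a partial table written from the NSS backend's naming, to be checked against the nss.c table linked in the thread.

```shell
#!/bin/sh
# Constructed sample of what `openssl s_client -connect HOST:PORT` prints after
# a successful handshake (HOST and PORT are placeholders for the working port).
SAMPLE_S_CLIENT_OUTPUT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Print the negotiated cipher suite (OpenSSL naming) from s_client output.
negotiated_cipher() {
    printf '%s\n' "$1" |
        sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*$/\1/p' | head -n 1
}

# Translate an OpenSSL name to the identifier libcurl's NSS backend accepts.
# Partial table (assumption: verify each name against the linked nss.c table).
# Returns 1 when the name is not in this table.
openssl_to_nss() {
    case "$1" in
        RC4-MD5)                     echo rsa_rc4_128_md5 ;;
        RC4-SHA)                     echo rsa_rc4_128_sha ;;
        DES-CBC3-SHA)                echo rsa_3des_sha ;;
        AES128-SHA)                  echo rsa_aes_128_sha ;;
        AES256-SHA)                  echo rsa_aes_256_sha ;;
        DHE-RSA-AES128-SHA)          echo dhe_rsa_aes_128_cbc_sha ;;
        DHE-RSA-AES256-SHA)          echo dhe_rsa_aes_256_cbc_sha ;;
        ECDHE-RSA-AES128-SHA)        echo ecdhe_rsa_aes_128_sha ;;
        ECDHE-RSA-AES256-SHA)        echo ecdhe_rsa_aes_256_sha ;;
        AES128-GCM-SHA256)           echo rsa_aes_128_gcm_sha_256 ;;
        DHE-RSA-AES128-GCM-SHA256)   echo dhe_rsa_aes_128_gcm_sha_256 ;;
        ECDHE-RSA-AES128-GCM-SHA256) echo ecdhe_rsa_aes_128_gcm_sha_256 ;;
        *) return 1 ;;
    esac
}

# Full step: s_client output in, NSS-style identifier out.
# Status 2 means no cipher was negotiated (OpenSSL then reports 0000).
nss_cipher_for_session() {
    name=$(negotiated_cipher "$1")
    [ -n "$name" ] && [ "$name" != "0000" ] || return 2
    openssl_to_nss "$name"
}

nss_cipher_for_session "$SAMPLE_S_CLIENT_OUTPUT"
```

The input that matters is the suite negotiated on the working port; the output of "openssl ciphers" only lists what the local OpenSSL build supports and says nothing about the server.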

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-02-26