cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: libcurl gives CURLE_SSL_CACERT_BADFILE with nss on curl_easy_perfom()

From: Oliver Graute <oliver.graute_at_gmail.com>
Date: Fri, 22 Apr 2016 11:24:07 +0200

On 07/04/16, Oliver Graute wrote:
> Hello list,
>
> i'am using libcurl/7.44.0 with NSS/3.21i. If I call a curl_easy_perfom()
> in my httpclient it returns CURLE_SSL_CACERT_BADFILE.
>
> the same nss key database is working fine together with apache2 (tls with
> mod_nss). So I assume path and access rights are fine for libcurl to.
>
> some clue whats wrong here?
>
> my SSL Specific settings are this one:
>
> CURLOPT_URL - "https://127.0.0.1/test.php" : Target URL on same machine for testing
> CURLOPT_POST - 1
> CURLOPT_TIMEOUT - 300
> CURLOPT_READDATA - FILE* pFile = fopen("/home/root/test.json")
> CURLOPT_INFILESIZE_LARGE- fstats.st_size
> CURLOPT_HTTPHEADER - some custom header stuff
>
>
> other settings which works even without ssl
>
> CURLOPT_KEYPASSWD - "foo" : Password to NSS-Database
> CURLOPT_SSLCERTTYPE - "P12" ("PEM" didn't work either)
> CURLOPT_SSLCERT - "client - foo" : Nickname of client cert within NSS Database
> CURLOPT_SSLKEYTYPE - "ENG" (Tried "DER" and "PEM" too ... (in combination with either P12 and PEM as CertType))
> CURLOPT_SSLKEY - "client - foo" : Nickname of client cert / priv key for cert within NSS Database (Nickname of Cert and PrivKey are identical)
> CURLOPT_CAPATH - "/etc/apache2/nss-conf/" : Path to NSS-Database (redundant? already set via put_env to $SSL_DIR)
> CURLOPT_CAINFO - "CA - foo" : Nickname of CA Cert within NSS Database
> CURLOPT_SSL_VERIFYPEER - 1
>
>
> Verbose output:
>
> * Trying 127.0.0.1...
>
> * Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
>
> * Initializing NSS with certpath: sql:/etc/apache2/nss-conf/
> * Closing connection 0
>
> Own output:
>
> curl_easy_perform: 77
> curl_easy_perfom returns CURLE_SSL_CACERT_BADFILE

finally we solved the issue, for the records:

When using a NSS Database you MUST NOT use options defining certificates/keys/etc - they will overwrite what is set within the database.
Using CURL with NSS and a NSS Database:
 - Set EnvVar $SSL_DIR to the Path of the Database
 - Use CURLOPT_KEYPASSWD to set the Password to the Database
 (- Use CURLOPT_SSL_VERIFYPEER to activate Peer Authentication)
 (- Use other CURLOPTs to define your request (URL, POST/GET, ...)

DO NOT set CURLOPT_SSLCERTTYPE, CURLOPT_SSLCERT, CURLOPT_SSLKEYTYPE, CURLOPT_SSLKEY, CURLOPT_CAPATH or CURLOPT_CAINFO - otherwise you'll get CURLE_SSL_CACERT_BADFILE (77).

can somebody update the documentation for this?

Best Regards,

Oliver
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-04-22