curl-library
Re: Multi-threading, NSS, client certificates and Linux problem
Date: Thu, 19 Jan 2017 13:39:44 -0800
Hi Kamil.
On Thu, Jan 19, 2017 at 4:08 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>
> On Thursday, January 19, 2017 00:27:57 Pawel Veselov wrote:
> > Running strace on the process, I can see NSS accessing the correct PEM
> > files, but simply not including the certificate (point #1). I assume there
> > are some invalid bits for point #2 (the correct certificate seems to be
> > included), but figuring it out is somewhat tedious. I assume that the
> > problems are related, and #1 is more clear cut.
> If you load certificates from files, you must be using the nss-pem PKCS #11
> module. Do you have any idea which version of nss-pem you are using?
1.0.2-2, at least on Fedora. It's actually your spec file that you
made for Fedora :)
>> * Wed Jun 22 2016 Kamil Dudka <kdudka_at_redhat.com> 1.0.2-2
>> - explicitly conflict with all nss builds with bundled nss-pem (#1347336)
> Could you please verify that the following patch is included?
> https://github.com/kdudka/nss-pem/commit/33ceed15
Yes, it is included.
> > I was wondering whether this was a known problem, and what is the best
> > approach to debugging it. Considering I've not been around NSS or libcurl
> > code before, any pointers on where to dig would be highly appreciated.
> Could you please try to import the client certificates (and keys) to the
> NSS database by the pk12util tool and refer to them by their nicknames
> while using the CURLOPT_SSLCERT option of libcurl?
Things work perfectly fine if I use the database, i.e. no MT problems.
Unfortunately, this is not a workaround to what I'm trying to achieve,
but it is pointing to nss-pem as a culprit, isn't it? Anywhere in
particular you'd like me to dig in there?
P.S. I also discovered that if database is used (even if it just
exists, may be it needs to have a CA, may be it doesn't), then
CURLOPT_CAINFO is ignored, or at least the cert that is provided by it
is no longer trusted. May be because the same cert is in the DB, and
without the C flag. If it is the latter, it is probably still a
problem, because if I say I need to trust cert X, there is no other
way for me to do it (if it is a system database, for example).
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-01-19