curl-library

SSL error when using libcurl with fork in child and parent

From: joseph galois via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 15 Jun 2017 15:25:20 +0200

Hi,

I have a process (let’s call it parent) that needs to use libcurl for logging. This process forks to spawn many children that also need to use libcurl for logging. After many tests, I cannot find a way of having libcurl working properly on both parent and children at the same time. Details below:

The parent executes based on this code scheme (just pseudocode for simplicity):
...
curl_global_init (CURL_GLOBAL_ALL);
...
log();
fork(); //spawn a child
log();
...
log();
fork(); //spawn a child
log();
...

Children, in turn, do this:
...
curl_global_cleanup (); //Critical line, see explanations below
curl_global_init (CURL_GLOBAL_ALL);
log();
log();
...
 
Both parent and children have log() defined using this scheme:

void log(...){
        // keep the handle returned by curl_easy_init(); every call below uses it
        CURL *curl = curl_easy_init();
        curl_easy_setopt (curl, CURLOPT_URL, url.c_str () );
        curl_easy_setopt (curl, CURLOPT_NOPROGRESS, 1L);
        curl_easy_setopt (curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_easy_setopt (curl, CURLOPT_POSTFIELDS, payload );
        curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, handler);
        curl_easy_setopt (curl, CURLOPT_WRITEDATA, userdata);
        curl_easy_perform (curl);
        curl_easy_cleanup (curl);
}

Based on this, I find the following:
If the child does not perform curl_global_cleanup, then I get an "SSL Connect error" every time I log() on both parent and child, and my logging stops working at all.
If the child does perform curl_global_cleanup, then the child log() fails with the following traces:
==> Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
==> Info: Unable to initialize NSS database
==> Info: Initializing NSS with certpath: none
==> Info: Unable to initialize NSS
Error: Problem with the SSL CA cert (path? access rights?)
In this case, parent log seems to continue working.

I have found some related posts like these:
https://curl.haxx.se/mail/archive-2013-02/0032.html
https://stackoverflow.com/questions/15466809/libcurl-ssl-error-after-fork
http://curl-library.cool.haxx.narkive.com/c47UZBtf/ssl-error-after-fork

But the solutions proposed there require curl not to be available at the parent at all, or not to be available on it after the fork. Unfortunately I need the parent to log both before and after the fork.

I’m also aware that the problem is somehow related to the fact I’m using nss, because with gnutls the problem does not seem to emerge. Unfortunately again, nss is a must in my stack.

Then, the question is: Is there a way to instruct libcurl so that I can use it safely at both parent and children with nss?

Details on my setup are the following:

OS
CentOS 6 (Red Hat 4.8.3-9)

CURL
curl 7.51.0 (x86_64-redhat-linux-gnu) libcurl/7.51.0 NSS/3.21.3 Basic ECC zlib/1.2.8 libidn2/0.16 libpsl/0.6.2 (+libicu/50.1.2) libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets PSL

Thanks in advance.

Joseph.

Received on 2017-06-15