curl / Mailing Lists / curl-library / Single Mail


Re: libcurl with NSS CA-certificate problem

From: Kamil Dudka via curl-library <>
Date: Wed, 19 Sep 2018 10:17:57 +0200

On Tuesday, September 18, 2018 1:19:50 PM CEST Maxime Legros via curl-library wrote:
> Hello,
> As part of a project we decided to use the libcurl library in our c++
> program to handle IMAP communication on a windows platform, because of
> licencing issues we have compiled a version of libCurl using NSS but
> without OpenSSL support.
> Right now we managed to have a simple non encrypted connection and to
> encrypt the connection using the server certificate by using the
> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,0L).
> But whenever we try to use the peer verification the connection is cut
> before the SSL handsake begin and we get an error:
> "curl_easy_perform() failed: Problem with the SSL CA cert (path?
> access rights?)"
> verbose give us "failed to load"

This is a portability problem in libcurl code. The file names to dlopen()
are hard-wired:

Anyway, you are not going to use nssckbi.dll as the root of trust as
I understand it.

> and if we pass CURLOPT_SSLCERT with my certificate name we get the
> same error but this time we have the line "Initializing NSS with
> certpath: sql:mySSL_DIR_path"

So you are going to use NSS database as the root of trust. This should
work but does not work currently. I believe that the following tiny patch
would fix it:


> we tried using the curl command line equivalent to our program :
> curl.exe -v imaps://url --user "user:pwd"
> We figured that they is a problem with our NSS database but can't
> figure out what, we can read the database with Certutil.exe. do you
> see anything wrong with our process?
> Also is it normal that on a system windows NSS search for
> (we have nssckbi.dll in our path).
> Hoping you can help.
> Sincerely
> Maxime Legros

Received on 2018-09-19