Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: libcurl with NSS CA-certificate problem

From: Kamil Dudka via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 19 Sep 2018 10:17:57 +0200

On Tuesday, September 18, 2018 1:19:50 PM CEST Maxime Legros via curl-library wrote:
> Hello,
>
> As part of a project we decided to use the libcurl library in our c++
> program to handle IMAP communication on a windows platform, because of
> licencing issues we have compiled a version of libCurl using NSS but
> without OpenSSL support.
> Right now we managed to have a simple non encrypted connection and to
> encrypt the connection using the server certificate by using the
> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,0L).
>
> But whenever we try to use the peer verification the connection is cut
> before the SSL handsake begin and we get an error:
> "curl_easy_perform() failed: Problem with the SSL CA cert (path?
> access rights?)"
> verbose give us "failed to load libnssckbi.so"

This is a portability problem in libcurl code. The file names to dlopen()
are hard-wired:

https://github.com/curl/curl/blob/056cc37e/lib/vtls/nss.c#L220

Anyway, you are not going to use nssckbi.dll as the root of trust as
I understand it.

> and if we pass CURLOPT_SSLCERT with my certificate name we get the
> same error but this time we have the line "Initializing NSS with
> certpath: sql:mySSL_DIR_path"

So you are going to use NSS database as the root of trust. This should
work but does not work currently. I believe that the following tiny patch
would fix it:

https://github.com/curl/curl/pull/3016

Kamil

> we tried using the curl command line equivalent to our program :
> curl.exe -v imaps://url --user "user:pwd"
>
> We figured that they is a problem with our NSS database but can't
> figure out what, we can read the database with Certutil.exe. do you
> see anything wrong with our process?
>
> Also is it normal that on a system windows NSS search for
> libnssckbi.so (we have nssckbi.dll in our path).
>
> Hoping you can help.
>
> Sincerely
>
> Maxime Legros

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-09-19