cURL / Mailing Lists / curl-library / Single Mail


Re: NSS support quirks

From: Rob Crittenden <>
Date: Tue, 17 Jun 2008 16:07:58 -0400

Arnaud Ebalard wrote:
> Hi,
> Daniel Stenberg <> writes:
>> On Mon, 16 Jun 2008, Arnaud Ebalard wrote:
>>> Daniel, I don't know if it would be a huge amount work but a good
>>> way to test things would be to had to curl (the command line
>>> utility) the options for passing CRL and issuer cert (or the
>>> equivalent for NSS) and then test things (also adding regression
>>> tests for that if time is not a matter).
>> Of course. I won't stand in the way of anyone who'd step forward to do
>> this.
> Me neither ;-) As usual, if someone has a real need for the
> functionality, a patch will appear.
>> Is NSS using database files for them too, like it does for ca certs?
>> If so, how do I use all of those? I don't even know how to setup my
>> system to use NSS with cacerts. Can I convert my PEM file to a NSS
>> cacert db somehow?
> Added Rob to the list of CC on that one.

NSS should be able to use the same files as OpenSSL so you don't need to
set up a database if you don't want to.

You can use a database in the following ways:

1. Set the environment variable SSL_DIR that points to the location of
your database
2. Put a world-readable database into /etc/pki/nss

You can import certs using the certutil command. For a CA cert it might
look something like:

certutil -d /path/to/database -A -n "some unique nickname" -t CT,, -a <

The options mean:

-d points to the directory your NSS database resides in
-A means add a cert
-n provides a nickname for that certificate so it easier to utilize
-t trusts the CA for issuing server and client certs (no e-mail or object)
-a means import the cert as an ASCII file (as opposed to DER format)


>> If anyone would work on setting up test cases for these things, does
>> anyone have any fine generated files that could be used to test?
>>> At least associated time would not be completely lost. That's just an idea.
>> Persons adding test cases are always tresured and appreciated. Just
>> not very often seen! ;-)
> Writing some test case for issuer check should be pretty easy. I'm just
> not familiar with that part of curl. For CRL check, this would mean
> generating two CRLs (one with test server ok and the other with the test
> server revoked) and then test both.
> Cheers,
> a+

Received on 2008-06-17