
curl-library

NSS, CURLOPT_CAINFO, and using the NSS CAs

From: David Shaw <dshaw_at_jabberwocky.com>
Date: Thu, 24 Jul 2014 17:18:25 -0400

Hello,

A good while back I had some code that needed to use the NSS CAs only (and not the PEM ca-bundle file). I did this by symlinking libnssckbi.so into my nssdb (so NSS would have the CA certs), and passing NULL for CURLOPT_CAINFO (so the PEM file wouldn't be loaded). This worked fine on libcurl 7.21.0 and NSS 3.12.10.

I'm trying to update this code to run on a more up to date system (RHEL7, which has libcurl 7.29.0 and NSS 3.15.4), but passing NULL for CURLOPT_CAINFO does not seem to work any longer. The NSS part seems correct, and "certutil -d /etc/pki/nssdb -L -h all" does in fact list all of the CAs. However, this sample program does not work:

#include <stdio.h>
#include <curl/curl.h>

int main(int argc, char *argv[])
{
  CURL *hnd;
  CURLcode res;

  curl_global_init(CURL_GLOBAL_DEFAULT);

  hnd = curl_easy_init();
  curl_easy_setopt(hnd, CURLOPT_URL, "https://www.google.com");
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
  /* NULL CAINFO: do not load the PEM ca-bundle, rely on the NSS db alone.
     Peer verification is deliberately left at its default (enabled). */
  curl_easy_setopt(hnd, CURLOPT_CAINFO, NULL);

  res = curl_easy_perform(hnd);
  if(res != CURLE_OK)
    fprintf(stderr, "curl_easy_perform() failed: %s\n",
            curl_easy_strerror(res));

  curl_easy_cleanup(hnd);
  curl_global_cleanup();

  return res == CURLE_OK ? 0 : 1;
}

The error given is:

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.

This sample program does work on the older libcurl and NSS.

Any thoughts? Again, the intent here is to use the NSS CAs and ignore the ca-bundle.crt file.

David

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-24
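The setup described in the post (builtin roots loaded into the NSS db, CURLOPT_CAINFO set to NULL, verification still on) only works when two things hold: libcurl was built against NSS at all, and the CAs in the db carry the 'C' flag in the SSL trust column, which is what certutil uses for "trusted CA to issue server certificates". The script below is an added diagnostic for those two conditions; it is not from the post and not curl's or NSS's own code. It assumes certutil and modutil from nss-tools are installed, defaults the db path to /etc/pki/nssdb as in the post, and the `curl -V` and `certutil -L` samples embedded in it are constructed for offline use.

```shell
#!/bin/sh
# Added diagnostic for the "NSS CAs only" setup (not from the original post).
# Assumptions: nss-tools installed; db path defaults to /etc/pki/nssdb.
# SAMPLE_* inputs below are constructed, not captured from a real host.

# Print the TLS backend token from the first line of `curl -V`, or "none".
# Only an NSS-built libcurl consults an NSS database when CAINFO is NULL.
tls_backend_of() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(NSS|OpenSSL|LibreSSL|BoringSSL|GnuTLS|mbedTLS|wolfSSL|Schannel)\//) {
                print $i; exit
            }
        print "none"
    }'
}

# From `certutil -d <db> -L -h all` output, print nicknames whose SSL trust
# flags (first comma-separated field of the last column) contain 'C', i.e.
# trusted CA for server certificates. A cert that is merely present (",,")
# or a user cert ("u,u,u") does not satisfy server verification.
ssl_trusted_cas() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^[CTcPpuwg]*,[CTcPpuwg]*,[CTcPpuwg]*$/ {
            split($NF, t, ",")
            if (t[1] ~ /C/) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trust column
                print nick
            }
        }'
}

# Constructed sample of `curl -V` on the RHEL7 build named in the post.
SAMPLE_CURL_V='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp'

# Constructed sample of `certutil -L -h all`; nicknames are invented.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiCert Global Root CA                 CT,C,C
Builtin Object Token:Example Untrusted Root                  ,,
my-internal-root                                             C,,
server-leaf                                                  u,u,u'

# Live check against this host; only runs when invoked with --run [dbdir].
diagnose() {
    db=${1:-/etc/pki/nssdb}
    backend=$(tls_backend_of "$(curl -V 2>/dev/null)")
    echo "curl TLS backend: $backend"
    case $backend in
        NSS/*) ;;
        *) echo "curl is not NSS-built; CURLOPT_CAINFO=NULL will not consult $db"; return 1 ;;
    esac
    echo "CAs in $db trusted to issue server certificates:"
    ssl_trusted_cas "$(certutil -d "$db" -L -h all 2>&1)"
    echo "PKCS#11 modules loaded in $db (the builtin roots module should appear here):"
    modutil -dbdir "$db" -list 2>&1
}

if [ "${1:-}" = "--run" ]; then
    shift
    diagnose "$@"
fi
```

If the backend line does not start with NSS/, the symlink-into-nssdb approach cannot work regardless of CURLOPT_CAINFO; if it does and the expected roots are absent from the trusted list, the problem is trust flags or module loading in the db, not libcurl. Either way the fix is on the trust-store side; turning off CURLOPT_SSL_VERIFYPEER to make the error go away removes the check the setup exists to perform.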