cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Problem with curl + nss

From: Eric Landes <autrelandes-curl_at_yahoo.fr>
Date: Fri, 16 Jul 2010 06:08:02 +0000 (GMT)

> It looks like a bug. The question now is of course if the
> problem is within NSS or curl. Can you browse to this page
> with Firefox?
>
Not sure how ftp/s works with firefox, so I tried with https :

== FTP/S Fedora curl + nss with PEM certificates created with openssl ==
$ curl -V
curl 7.20.1 (i386-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile SSL libz
$ curl -v --netrc --list-only --cacert ~/PKILOCAL/cacert.pem https://localhost/* About to connect() to localhost port 443 (#0)
* Trying ::1... connected
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /home/eric/PKILOCAL/cacert.pem
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: E=u_at_example.fr,CN=localhost,OU=Service,O=Yep SA,ST=Ile-De-France,C=FR
* start date: juil. 09 19:57:36 2010 GMT
* expire date: juil. 08 19:57:36 2013 GMT
* common name: localhost
* issuer: E=t_at_example.fr,CN=CALOCAL,OU=Service,O=Yep SA,L=Paris,ST=Ile-De-France,C=FR
* Server auth using Basic with user 'toto'
> GET / HTTP/1.1
> Authorization: Basic dG90bzp0b3Rv
> User-Agent: curl/7.20.1 (i386-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 16 Jul 2010 06:06:59 GMT
< Server: Apache/2.2.15 (Fedora)
< Last-Modified: Fri, 09 Jul 2010 18:22:15 GMT
< ETag: "3c0e3-8-48af87b7aa3c0"
< Accept-Ranges: bytes
< Content-Length: 8
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
Bonjour
* Closing connection #0

$ curl -v --netrc --list-only --cacert ~/PKILOCAL/cacert.pem --cert ~/PKILOCAL/cert.pem:motdepasse --key ~/PKILOCAL/priv.key https://localhost/
* About to connect() to localhost port 443 (#0)
* Trying ::1... connected
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /home/eric/PKILOCAL/cacert.pem
  CApath: none
* Unable to load client key -8178.
* Closing connection #0
curl: (58) Unable to load client key -8178.

== Firefox with the same (ca and client) certificates imported within Firefox ==
(The nss library used by Firefox seems to be bundled in the firefox binary, so it may not be the same as the one used with Fedora curl)
It works (and wireshark says "Handshake Protocol : Client key exchange", so I assume that firefox used the keys, and not only the ca certificate).

After much struggle, I could compile nss (with tracing), but the additional details given were not helpful :

$ LD_LIBRARY_PATH=/home/eric/nss/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib ./curl -V
curl 7.21.1-DEV (i686-pc-linux-gnu) libcurl/7.21.1-DEV NSS/3.12.6.2 zlib/1.2.3
Protocols: file ftp ftps http https tftp
Features: Debug TrackMemory IPv6 Largefile NTLM SSL libz
$ LD_LIBRARY_PATH=/home/eric/nss/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib SSLTRACE=100 ./curl -v --netrc --list-only --ftp-ssl-reqd --cacert ~/PKILOCAL/cacert.pem --cert ~/PKILOCAL/cert.pem:motdepasse --key ~/PKILOCAL/priv.key ftp://localhost/
* About to connect() to localhost port 21 (#0)
* Trying ::1... Connexion refusée
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
* FTP 0x9286f48 state change from STOP to WAIT220
< 220 (vsFTPd 2.2.2)
> AUTH SSL
* FTP 0x9286f48 state change from WAIT220 to AUTH
< 234 Proceed with negotiation.
* Initializing NSS with certpath: /etc/pki/nssdb
SSL: tracing set to 100
20192: SSL: grow buffer from 0 to 18432
20192: SSL: grow buffer from 0 to 18432
* CAfile: /home/eric/PKILOCAL/cacert.pem
  CApath: none
* Unable to load client key -8178.
* Closing connection #0
curl: (58) Unable to load client key -8178.

      

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-07-16