Re: Curl and NSS

From: George Sherwood <>
Date: Sat, 29 Nov 2008 16:58:48 -0600

On Sat, 29 Nov 2008 22:13:17 +0100 (CET)
Daniel Stenberg <> wrote:

> On Sat, 29 Nov 2008, George Sherwood wrote:
> > I have been maintaining curl and nss for our distro and I was
> > wondering if there is any advantage to building curl against NSS.
> > Currently we don't even have that as an option.
>
> As far as I understand it, and I can't say I've actually tried to
> understand all the aspects of this, NSS has a FIPS certification in a
> way none of the other SSL libs do, and some US governments or
> something requires software to be FIPS certified to be considered.
> See this:
>
> > Also is it proper to build curl against gnutls and openssl and
> > libssh2 or should it only be one of these three or nss?
>
> NSS is an SSL library libcurl can use instead of OpenSSL or GnuTLS.
> libcurl can only be built to use one of these in a single build

Got it. I need to modify our build so that the user will only use one
of these three. Unfortunately, currently the configure is failing to
find pkg-config, I believe, so it is executing the else portion kludge
defaults and failing. If I remove the if test -n "$check"; then
everything works fine.

  if test X"$OPT_NSS" != Xno; then
    if test "x$OPT_NSS" = "xyes"; then
     check=`pkg-config --version 2>/dev/null`
     if test -n "$check"; then
       addlib=`pkg-config --libs nss`
       addcflags=`pkg-config --cflags nss`
       version=`pkg-config --modversion nss`
       nssprefix=`pkg-config --variable=prefix nss`
      # Without pkg-config, we'll kludge in some defaults
      addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
      addcflags="-I$OPT_NSS/include"

> > I finally got midori/webkit working with https site by adding
> > ca-certificates and building curl against openssl with the options:
> >
> > --with-ssl=/usr --without-ca-bundle --with-ca-path=/etc/ssl/certs
> >
> > I was just wondering if I am doing things correctly.
>
> How is this related to the NSS question?

Related in that I only have the midori browser working on https sites
using curl built against openssl. I believe it should work with curl
built against either GnuTLS or NSS. Webkit uses curl as its http

> (lib)curl no longer provides a ca cert bundle of its own so if you
> want your libcurl installation to have a default ca cert bundle you
> need to make sure configure finds a suitable one.

I seem to have this working at least with OpenSSL.


George Sherwood
Source Mage GNU/Linux Lead Developer

Received on 2008-11-30
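
An added example, not part of the original mail and not curl's own configure code: one way to write the NSS detection so that a working pkg-config, a missing pkg-config or nss module, and an explicit install prefix each take a distinct, visible path. The names detect_nss, PKG_CONFIG and nss_source and the -L$prefix/lib search path are assumptions; the fallback library list is the one in the fragment quoted in the mail.

```shell
#!/bin/sh
# Added example: NSS flag detection for a build script (hypothetical helper,
# not curl's configure.ac). Results are left in addlib, addcflags, version
# and nss_source so the caller can log which path was taken.

PKG_CONFIG=${PKG_CONFIG:-pkg-config}

# Library list taken from the fallback in the quoted configure fragment.
NSS_FALLBACK_LIBS="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"

# detect_nss OPT   where OPT is "no", "yes", or an NSS install prefix.
# Returns 1 when NSS was not requested, 0 otherwise.
detect_nss() {
  opt=$1
  addlib=""; addcflags=""; version=""; nss_source=""
  case $opt in
    no|"")
      return 1 ;;
    yes)
      # Query the nss module itself: this fails both when pkg-config is
      # missing and when it is installed but has no nss.pc to read.
      if "$PKG_CONFIG" --exists nss 2>/dev/null; then
        addlib=$("$PKG_CONFIG" --libs nss)
        addcflags=$("$PKG_CONFIG" --cflags nss)
        version=$("$PKG_CONFIG" --modversion nss)
        nss_source=pkg-config
      else
        # No prefix is known here, so only library names can be defaulted;
        # never build an include path out of the literal string "yes".
        addlib=$NSS_FALLBACK_LIBS
        version=unknown
        nss_source=fallback
      fi ;;
    *)
      # Explicit prefix. Assumption: headers in $opt/include, libs in $opt/lib.
      addlib="-L$opt/lib $NSS_FALLBACK_LIBS"
      addcflags="-I$opt/include"
      version=unknown
      nss_source=prefix ;;
  esac
  return 0
}
```

Printing nss_source in the configure summary makes it obvious when a build silently fell back to the defaults instead of using pkg-config.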