curl-library

Re: Curl, NSS, and libnsspem.so

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 18 Jan 2012 13:31:27 +0100

On Wednesday 18 January 2012 04:33:34 David Shaw wrote:
> Hi,
>
> When built with NSS, and if libnsspem.so is available, curl can handle
> PEM-formatted cert files. I'd like to use the "regular" NSS cert storage
> alone, but this is difficult as if a CA bundle is available, curl will
> load it, and use it in addition to the NSS DB.
>
> I'm able to work around this behavior by passing NULL to CURLOPT_CAINFO so
> nothing is loaded, but this only works when I'm using libcurl. Is there
> some way to not load any PEM files when using the curl command line?

The only way I am aware of is to recompile libcurl with --without-ca-bundle,
but I agree this should be more flexible. Is this issue really specific to
NSS?

> Alternately, and perhaps even better, is there a way to disable
> libnsspem.so altogether (perhaps via the pkcs11.txt config file?)

libnsspem.so is being loaded directly by libcurl. The code dealing with
libnsspem.so is #ifdef'd by HAVE_PK11_CREATEGENERICOBJECT, but there is no
option in configure to disable this feature explicitly atm. Maybe we should
introduce a compile-time option to disable libnsspem.so completely and give
that define a more meaningful name. If there is no objection, I will prepare
a patch for that.

Kamil
Received on 2012-01-18