
curl-library

libcurl, libnss and PEM certificates

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Sat, 22 Feb 2014 15:08:24 +0100

Hi all,

I've been looking into ways to fix the no-PEM-certificates-with-libnss in Debian.

The first solution that I tried was to use the libnsspem.so thingy from Red Hat
[0], and it works I guess, but the problem is that it needs to be built as part
of the libnss package, so it's a no-go for now.

[0] https://git.fedorahosted.org/git/nss-pem.git

The other solution I tried was to use the p11-kit-trust.so module from the
p11-kit project [0], which is already packaged for Debian. According to its
documentation it should be a normal PKCS#11 module and a drop-in replacement for
libnssckbi.so (whatever that means), so I simply replaced "libnsspem.so" with
the path to it in libcurl sources to make libcurl use it.

[0] http://p11-glue.freedesktop.org/

The problem with the latter method is that, while libcurl loads the module
correctly, it still doesn't work (that is, TLS connections fail because
libcurl/libnss can't find a proper certificate):

    $ src/curl -v https://www.google.com
    [...]
    * Initializing NSS with certpath: none
    * Closing connection 0
    * The cache now contains 0 members
    * Expire cleared
    curl: (77) Problem with the SSL CA cert (path? access rights?)

So, is there anyone who knows how to make it work (myself being quite ignorant
regarding libnss)? Alternative solutions are welcome as well.

The whole point of this would be to have the libcurl nss flavour in Debian being
actually useful "by default" (which means being able to use the default Debian
CA certificates that are in PEM format), due to the recent GnuTLS license
problems [0]. Which means that I'm also interested in hearing opinions on
OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also about having the nss
flavour to be the default/only available version in Debian (I see that Red Hat
has done the same thing, how did it go?).

[0] https://lists.debian.org/debian-devel/2013/12/msg00329.html
[1] http://curl.haxx.se/docs/ssl-compared.html

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
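The failure shown above (error 77, "Problem with the SSL CA cert") comes from pairing an NSS-backed curl with a PEM-only CA store. The following POSIX shell diagnostic is an added example, not code from the post or from the curl project: it reads the TLS backend out of the first line of `curl -V`, counts the PEM certificate blocks in a CA file, and reports whether that combination can be expected to work without an extra PEM-loading module. The `curl -V` line and the two-certificate bundle used in the demo are constructed sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): decide whether a given curl
# build can consume a given CA file.  Assumes only a POSIX shell, grep, mktemp.

# Extract the TLS backend from the first line of `curl -V`, which looks like
# "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 NSS/3.15.4 zlib/1.2.8".
tls_backend() {
    case "$1" in
        *NSS/*)     echo NSS ;;
        *OpenSSL/*) echo OpenSSL ;;
        *GnuTLS/*)  echo GnuTLS ;;
        *)          echo unknown ;;
    esac
}

# Count PEM certificate blocks in a CA file.  A missing or non-PEM file
# (for example an NSS cert8.db) yields 0.
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Combine both checks.  As described in the post, an NSS-backed libcurl cannot
# load a PEM bundle on its own and needs a PEM-capable PKCS#11 module.
ca_verdict() {
    backend=$(tls_backend "$1")
    count=$(pem_cert_count "$2")
    if [ "$count" -eq 0 ]; then
        echo no-pem-certs
    elif [ "$backend" = NSS ]; then
        echo pem-needs-nss-pem-module
    else
        echo pem-ok
    fi
}

# Constructed two-certificate "bundle": only the PEM markers matter here; the
# bodies are placeholders, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
}

# Demo run on constructed input.  On a real system replace the literal line
# with:  line=$(curl -V 2>/dev/null | head -n 1)  and point at the real bundle.
tmp=$(mktemp)
make_sample_bundle "$tmp"
line='curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 NSS/3.15.4 zlib/1.2.8'
echo "backend:          $(tls_backend "$line")"
echo "pem certs found:  $(pem_cert_count "$tmp")"
echo "verdict:          $(ca_verdict "$line" "$tmp")"
rm -f "$tmp"
```

The verdict names are deliberately coarse: the script only tells you which of the two ingredients (backend, CA file format) is the mismatch, so that a packager can tell apart "wrong CA path" from "this curl flavour cannot read PEM at all" before touching the libcurl sources.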


Received on 2014-02-22