cURL / Mailing Lists / curl-library / Single Mail


libcurl, libnss and PEM certificates

From: Alessandro Ghedini <>
Date: Sat, 22 Feb 2014 15:08:24 +0100

Hi all,

I've been looking into ways to fix the no-PEM-certficates-with-libnss in Debian.

The first solution that I tried was to use the thingy from Red Hat
[0], and it works I guess, but the problem is that it needs to be built as part
of the libnss package, so it's a no-go for now.


The other solution I tried was to use the module from the
p11-kit project [0], which is already packaged for Debian. According to its
documentation it should be a normal PKCS#11 module and a drop-in replacement for (whatever that means), so I simply replaced "" with
the path to it in libcurl sources to make libcurl use it.


The problem with the latter method is that, while libcurl loads the module
correctly, it still doesn't work (that is, TLS connections fail because
libcurl/libnss can't find a proper certificate):

    $ src/curl -v
    * Initializing NSS with certpath: none
    * Closing connection 0
    * The cache now contains 0 members
    * Expire cleared
    curl: (77) Problem with the SSL CA cert (path? access rights?)

So, is there anyone who knows how to make it work (myself being quite ignorant
regarding libnss)? Alternative solutions are welcome as well.

The whole point of this would be to have the libcurl nss flavour in Debian being
actually useful "by default" (which means being able to use the default Debian
CA certificates that are in PEM format), due to the recent GnuTLS license
problems [0]. Which means that I'm also interested in hearing opinions on
OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also about having the nss
flavour to be the default/only available version in Debian (I see that Red Hat
has done the same thing, how did it go?).



perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

List admin:

Received on 2014-02-22