Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Multi-threading, NSS, client certificates and Linux problem

From: Pawel Veselov <pawel.veselov_at_gmail.com>
Date: Thu, 19 Jan 2017 13:39:44 -0800

Hi Kamil.

On Thu, Jan 19, 2017 at 4:08 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
>
> On Thursday, January 19, 2017 00:27:57 Pawel Veselov wrote:
> > Running strace on the process, I can see NSS accessing the correct PEM
> > files, but simply not including the certificate (point #1). I assume there
> > are some invalid bits for point #2 (the correct certificate seems to be
> > included), but figuring it out is somewhat tedious. I assume that the
> > problems are related, and #1 is more clear cut.
> If you load certificates from files, you must be using the nss-pem PKCS #11
> module. Do you have any idea which version of nss-pem you are using?

1.0.2-2, at least on Fedora. It's actually your spec file that you
made for Fedora :)
>> * Wed Jun 22 2016 Kamil Dudka <kdudka_at_redhat.com> 1.0.2-2
>> - explicitly conflict with all nss builds with bundled nss-pem (#1347336)

> Could you please verify that the following patch is included?
> https://github.com/kdudka/nss-pem/commit/33ceed15

Yes, it is included.

> > I was wondering whether this was a known problem, and what is the best
> > approach to debugging it. Considering I've not been around NSS or libcurl
> > code before, any pointers on where to dig would be highly appreciated.
> Could you please try to import the client certificates (and keys) to the
> NSS database by the pk12util tool and refer to them by their nicknames
> while using the CURLOPT_SSLCERT option of libcurl?

Things work perfectly fine if I use the database, i.e. no MT problems.
Unfortunately, this is not a workaround to what I'm trying to achieve,
but it is pointing to nss-pem as a culprit, isn't it? Anywhere in
particular you'd like me to dig in there?

P.S. I also discovered that if database is used (even if it just
exists, may be it needs to have a CA, may be it doesn't), then
CURLOPT_CAINFO is ignored, or at least the cert that is provided by it
is no longer trusted. May be because the same cert is in the DB, and
without the C flag. If it is the latter, it is probably still a
problem, because if I say I need to trust cert X, there is no other
way for me to do it (if it is a system database, for example).
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-01-19