Re:Re: How to use curl with nss supported?

[张绪峰]

Hi Kamil,
Thanks for your reply.

At 2010-12-09 17:10:21，"Kamil Dudka" <kdu...@redhat.com> wrote:

>On Thursday 09 December 2010 08:47:21 张绪峰 wrote:
>> Hi All,
>>
>> I have some problems with curl+nss usage.
>
>What exactly are you going to do?

I'm not sure about how to use curl with nss support.

>
>What are the problems?

Can't access https:// through CA.

>
>> Version
>> --------------
>> $ curl -V
>> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5 zlib/1.2.5
>> libidn/0.6.5 Protocols: dict file ftp ftps http https imap imaps pop3 pop3s
>> rtsp smtp smtps telnet tftp Features: IDN IPv6 Largefile SSL libz
>
>What distribution are you using?  Are the packages provided by your distro?

$ uname -a 
  Linux localhost 2.6.34.7  #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686 i686 
i386 GNU/Linux

curl+nss is base on cross-compiling building.

>
>> NSS database is in '/etc/pki/nssdb' directory.
>> When I run certutil, the output is:
>> $ certutil -L -d /etc/pki/nssdb/
>>    Certificate Nickname                                         Trust
>> Attributes SSL,S/MIME,JAR/XPI I don't know why there is no nickname output.
>
>If you have working Firefox, you can try to point curl to its database by 
>setting $SSL_DIR.

Firefox is not installed.
If I have set $SSL_DIR, then how to use it?
$ curl -E -X GET https://bugzilla.redhat.com ?
can't woks.

>
>> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
>> can be used to generate PEM format CA. So I run 'make cacert.pem' and it is
>> created.
>> Lastly when I using curl with this CA:
>> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>>    Segmentation fault
>
>If you are able to repeat the crash with the latest curl/nss, please attach 
>the certificate that causes the crash.  What does the following command say?
>
>$ openssl x509 -in ./cacert.pem -noout -text
If use as below, then there is no crash:
$ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com 
   curl: (77) Problem with the SSL CA cert (path? access rights?)


$ openssl x509 -in ./cacert.pem -noout -text
  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=WR, OU=SD
        Validity
            Not Before: Nov  9 12:19:05 1992 GMT
            Not After : Nov  9 12:19:05 1993 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=WR, OU=SD
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:18:8c:af:66:42:ec:9d:a8:27:40:03:98:0a:
                    fe:8a:30:f2:85:ae:1c:e4:72:ef:33:22:16:0d:12:
                    20:d9:a3:45:e5:df:ab:c9:8c:3a:54:86:67:ff:c1:
                    de:98:35:81:85:ba:a5:0c:c7:fd:15:b2:08:e4:07:
                    64:8d:da:3a:a3:03:0d:c5:12:ec:88:71:6b:8f:64:
                    17:97:70:13:6f:24:a8:d4:73:6c:85:9f:bb:c9:30:
                    ee:ff:4d:df:96:77:fa:8e:94:a6:b2:6d:59:d1:ce:
                    6e:1c:04:b0:e3:b2:76:3a:96:75:3c:6f:18:65:ba:
                    5a:5b:91:ff:68:ac:00:1c:fd:62:2e:bb:a8:8e:f8:
                    35:df:1a:58:55:da:8a:f3:8b:d9:db:36:a1:39:8a:
                    85:47:0d:3c:79:d6:38:ac:b2:e7:00:e1:8f:9f:ac:
                    67:39:e9:a1:79:7b:ae:c3:f6:5e:01:6f:c4:de:c6:
                    38:76:c4:cb:b8:41:59:ac:89:ac:1c:ea:68:9d:eb:
                    a4:da:45:0b:09:6e:70:fe:25:a2:92:f5:41:dd:40:
                    c2:04:a8:23:f5:88:20:40:27:2e:4b:d3:9b:4e:6c:
                    45:74:01:51:a0:4c:49:f9:e3:5e:c0:32:b7:45:96:
                    8f:ba:ca:1e:53:01:87:de:55:b7:28:13:53:14:94:
                    de:d7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                39:28:9D:92:1C:30:F5:9A:EB:A7:D4:7C:30:C5:0E:5C:0F:19:49:C2
            X509v3 Authority Key Identifier: 
                
keyid:39:28:9D:92:1C:30:F5:9A:EB:A7:D4:7C:30:C5:0E:5C:0F:19:49:C2

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        04:d7:2a:c2:46:92:a6:64:5a:72:bb:7c:9d:47:77:7d:06:eb:
        2b:e3:8a:b0:a6:6f:d4:4f:57:7e:fd:58:78:91:28:f5:b4:8f:
        3e:1a:a7:45:57:96:64:ad:d8:b4:d5:cc:22:ac:ef:78:a2:35:
        ef:48:f2:58:e5:1f:c7:24:14:0d:08:89:b9:d5:7c:cb:df:17:
        15:37:0d:57:ed:d3:cf:2a:f4:df:4f:ec:31:97:dd:af:d3:56:
        b4:84:8a:61:5f:3f:44:a6:8d:32:b0:41:c7:2f:9d:e2:09:d1:
        26:73:6e:77:91:30:1c:9c:46:4f:42:ad:ef:cf:1d:89:46:15:
        04:a6:7c:f3:7f:b8:94:12:4a:4a:a0:07:c6:7d:1a:c8:be:28:
        f8:fa:ac:20:80:16:75:61:2b:bd:e0:5a:aa:a7:a6:dd:6a:ae:
        34:d3:62:95:79:74:98:8b:2f:22:f2:e1:f2:d3:be:6e:0d:bc:
        3e:c2:0b:ed:31:71:1a:16:9f:69:af:f9:79:35:e2:7c:6a:e3:
        79:f5:4e:2f:8f:33:24:66:cb:f5:88:d1:e3:c3:56:16:08:b1:
        b4:2f:c7:55:38:51:6b:6c:d1:37:16:da:5d:a3:70:e9:34:76:
        1e:2d:94:87:49:5f:2f:ae:d8:3d:0b:28:3e:aa:72:1c:8d:1a:
        39:48:9f:06


Thanks,
Xufeng Zhang
>
>Kamil

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html