Hi Kamil,

Thanks very much for your help.

At 2010-12-09 18:46:11,"Kamil Dudka" <[email protected]> wrote:

>On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
>> I'm not sure about how to use curl with nss support.
>
>The natural way for NSS is to go through NSS database.  You can specify its 
>path by the environment variable SSL_DIR.  You need to load your certificates 
>into NSS database using certutil.  Another way is to load PEM 
>certificates/keys directly by curl.  It, however, requires you to have a PEM 
>reader PKCS11 module, which has not been accepted by NSS upstream yet:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
>> >What are the problems?
>>
>> Can't access https:// through CA.
>>
>> >> Version
>> >> --------------
>> >> $ curl -V
>> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
>> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
>> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
>> >> Largefile SSL libz
>> >
>> >What distribution are you using?  Are the packages provided by your
>> > distro?
>>
>> $ uname -a
>>   Linux localhost 2.6.34.7  #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686 i686 i386 GNU/Linux
>
>It does not say much about the distribution.  But it is likely not Fedora
>nor RHEL, which means you probably don't have the PEM reader installed on
>your system by default.

Yeah, there is no PEM reader on my system; I can find that there is a pk12util.

>
>> curl+nss is based on a cross-compiled build.
>>
>> >> NSS database is in '/etc/pki/nssdb' directory.
>> >> When I run certutil, the output is:
>> >> $ certutil -L -d /etc/pki/nssdb/
>> >>    Certificate Nickname                                         Trust Attributes
>> >>                                                                  SSL,S/MIME,JAR/XPI
>> >> I don't know why there is no nickname output.
>> >
>> >If you have working Firefox, you can try to point curl to its database by
>> >setting $SSL_DIR.
>>
>> Firefox is not installed.
>> If I have set $SSL_DIR, then how to use it?
>> $ curl -E -X GET https://bugzilla.redhat.com ?
>> can't work.
>
>export SSL_DIR=/path/to/your/database
But what about after? I also can't find my certificates.
1. $ certutil -L -d /etc/pki/nssdb
    Certificate Nickname                                         Trust Attributes
                                                                  SSL,S/MIME,JAR/XPI
2. $ export SSL_DIR=/etc/pki/nssdb
3. ??

>
>> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
>> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
>> >> is created.
>> >> Lastly when I using curl with this CA:
>> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>> >>    Segmentation fault
>> >
>> >If you are able to repeat the crash with the latest curl/nss, please
>> > attach the certificate that causes the crash.  What does the following
>> > command say?
>> >
>> >$ openssl x509 -in ./cacert.pem -noout -text
>>
>> If use as below, then there is no crash:
>> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
>>    curl: (77) Problem with the SSL CA cert (path? access rights?)
>
>You can't supply CA as client certificate.  I'll try to reproduce the crash 
>myself.  Please give me some steps to reproduce.

cacert.pem and Makefile have been attached, I have renamed Makefile to 
Makefile.txt.
Sorry, I also can't reproduce the crash now, weird, this time when I run:
$ curl --cacert ./cacert.pem https://bugzilla.redhat.com
   curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


Thanks,
Xufeng Zhang

>
>Kamil

Attachment: cacert.pem
Description: Binary data

UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
        @echo "This makefile allows you to create:"
        @echo "  o public/private key pairs"
        @echo "  o SSL certificate signing requests (CSRs)"
        @echo "  o self-signed SSL test certificates"
        @echo
        @echo "To create a key pair, run \"make SOMETHING.key\"."
        @echo "To create a CSR, run \"make SOMETHING.csr\"."
        @echo "To create a test certificate, run \"make SOMETHING.crt\"."
        @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
        @echo
        @echo "To create a key for use with Apache, run \"make genkey\"."
        @echo "To create a CSR for use with Apache, run \"make certreq\"."
        @echo "To create a test certificate for use with Apache, run \"make testcert\"."
        @echo
        @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
        @echo
        @echo Examples:
        @echo "  make server.key"
        @echo "  make server.csr"
        @echo "  make server.crt"
        @echo "  make stunnel.pem"
        @echo "  make genkey"
        @echo "  make certreq"
        @echo "  make testcert"
        @echo "  make server.crt SERIAL=1"
        @echo "  make stunnel.pem SERIAL=2"
        @echo "  make testcert SERIAL=3"

%.pem:
        umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
        cat $$PEM1 >  $@ ; \
        echo ""    >> $@ ; \
        cat $$PEM2 >> $@ ; \
        $(RM) $$PEM1 $$PEM2

%.key:
        umask 77 ; \
        /usr/bin/openssl genrsa -aes128 2048 > $@

%.csr: %.key
        umask 77 ; \
        /usr/bin/openssl req $(UTF8) -new -key $^ -out $@

%.crt: %.key
        umask 77 ; \
        /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)

TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
        umask 77 ; \
        /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
        umask 77 ; \
        /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html