At 2010-12-09 18:46:11, "Kamil Dudka" <[email protected]> wrote:
>On Thursday 09 December 2010 11:04:40 张绪峰 wrote:
>> I'm not sure about how to use curl with nss support.
>
>The natural way for NSS is to go through NSS database. You can specify its
>path by the environment variable SSL_DIR. You need to load your certificates
>into NSS database using certutil. Another way is to load PEM
>certificates/keys directly by curl. It, however, requires you to have a PEM
>reader PKCS11 module, which has not been accepted by NSS upstream yet:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
>> >What are the problems?
>>
>> Can't access https:// through CA.
>>
>> >> Version
>> >> --------------
>> >> $ curl -V
>> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
>> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
>> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
>> >> Largefile SSL libz
>> >
>> >What distribution are you using? Are the packages provided by your
>> > distro?
>>
>> $ uname -a
>> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
>> i686 i386 GNU/Linux
>
>It does not say much about the distribution. But it is likely not Fedora
>nor RHEL, which means you probably don't have the PEM reader installed on
>your system by default.
>
>> curl+nss is based on a cross-compiled build.
>>
>> >> NSS database is in the '/etc/pki/nssdb' directory.
>> >> When I run certutil, the output is:
>> >> $ certutil -L -d /etc/pki/nssdb/
>> >> Certificate Nickname                                         Trust Attributes
>> >>                                                              SSL,S/MIME,JAR/XPI
>> >> I don't know why there is no nickname output.
>> >
>> >If you have working Firefox, you can try to point curl to its database by
>> >setting $SSL_DIR.
>>
>> Firefox is not installed.
>> If I have set $SSL_DIR, then how to use it?
>> $ curl -E -X GET https://bugzilla.redhat.com ?
>> can't work.
>
>export SSL_DIR=/path/to/your/database
>
>> >> I also find there is a Makefile in the '/usr/lib/ssl/certs' directory, which
>> >> can be used to generate a PEM format CA. So I run 'make cacert.pem' and it
>> >> is created.
>> >> Lastly, when I use curl with this CA:
>> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>> >> Segmentation fault
>> >
>> >If you are able to repeat the crash with the latest curl/nss, please
>> > attach the certificate that causes the crash. What does the following
>> > command say?
>> >
>> >$ openssl x509 -in ./cacert.pem -noout -text
>>
>> If used as below, then there is no crash:
>> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
>> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
>You can't supply CA as client certificate. I'll try to reproduce the crash
>myself. Please give me some steps to reproduce.

Oh, I know why I can't reproduce the crash now: I have changed the PEM file from
"-----BEGIN PRIVATE KEY-----" to "-----BEGIN RSA PRIVATE KEY-----".
Use this cacert.pem file; you can reproduce the crash by running:

$ curl --cacert /the/path/to/cacert.pem https://bugzilla.redhat.com
Segmentation fault

Thanks,
Xufeng Zhang

>
>Kamil
[Attachment: cacert.pem, binary data]
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
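Two practical points come out of the exchange above: a bundle given to `curl --cacert` should contain nothing but CERTIFICATE blocks (the reporter's crash surfaced once a PRIVATE KEY block had been concatenated into cacert.pem by `make cacert.pem`), and with the NSS backend the supported route is an NSS database selected through SSL_DIR rather than a PEM file. The script below is an added example written for this page; it is not code from the thread, from Kamil, or from the curl project. It checks a PEM bundle before it is handed to curl, and, only when certutil is installed, imports the CA into a database the way Kamil describes. All paths, the "My CA" nickname, and the PEM contents it writes are constructed for the demonstration; the certutil invocation follows that tool's documented flags (-N, -A, -n, -t, -L, -f) and is my own composition.

```shell
#!/bin/sh
# Added example, not from the curl-library thread or the curl project.
# Every path, nickname and PEM body below is constructed for the demo.

# Labels of every "-----BEGIN <label>-----" header in a PEM file, one per line.
pem_block_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Base64 body of every block, headers stripped, joined onto one line per block.
pem_block_bodies() {
    awk '/^-----BEGIN /{inb=1; body=""; next}
         /^-----END /{if (inb) print body; inb=0; next}
         inb{body=body $0}' "$1"
}

# 0 only if the file is a sane CA bundle: at least one block, every block
# labelled CERTIFICATE (so no "PRIVATE KEY", "RSA PRIVATE KEY", ...), and
# every body decoding to DER that starts with a SEQUENCE tag (0x30).
check_cacert_bundle() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    n=$(pem_block_labels "$file" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "$file: no PEM blocks" >&2; return 1; }
    other=$(pem_block_labels "$file" | grep -v '^CERTIFICATE$' || true)
    if [ -n "$other" ]; then
        echo "$file: refusing non-certificate block(s): $(printf '%s' "$other" | tr '\n' ';')" >&2
        return 1
    fi
    for body in $(pem_block_bodies "$file"); do
        first=$(printf '%s' "$body" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
        [ "$first" = "30" ] || { echo "$file: block is not DER (first byte '$first')" >&2; return 1; }
    done
    return 0
}

# The route Kamil describes: load the CA into an NSS database and point curl
# at it with SSL_DIR. certutil flags: -N new database (-f password file, here
# empty), -A add certificate, -n nickname, -t trust flags ("C,," = trusted CA
# for TLS server auth), -L list. Returns 2 when certutil is not installed.
nss_import_ca() {
    db=$1 nick=$2 pem=$3
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed, skipping" >&2; return 2; }
    check_cacert_bundle "$pem" || return 1
    mkdir -p "$db"
    pw=$(mktemp) && : > "$pw"
    if [ ! -f "$db/cert8.db" ] && [ ! -f "$db/cert9.db" ]; then
        certutil -N -d "$db" -f "$pw" || { rm -f "$pw"; return 1; }
    fi
    certutil -A -d "$db" -n "$nick" -t "C,," -i "$pem" || { rm -f "$pw"; return 1; }
    rm -f "$pw"
    certutil -L -d "$db"   # the nickname must now appear, unlike the empty listing in the thread
    echo "now: export SSL_DIR=$db; curl https://bugzilla.redhat.com/"
}

# Constructed sample input (NOT real certificates or keys): the bodies are
# only shaped like PEM. "MIIB" decodes to DER 30 82 01 ..., the start of any
# real certificate; "AAAA" decodes to 00 00 00.
write_sample_bundles() {
    dir=$1
    cat > "$dir/cacert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
    # what `make cacert.pem` produces when the certs directory also holds a key
    cat "$dir/cacert.pem" > "$dir/cacert-with-key.pem"
    cat >> "$dir/cacert-with-key.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
EOF
    cat > "$dir/not-der.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
EOF
}

demo=$(mktemp -d)
write_sample_bundles "$demo"
for f in cacert.pem cacert-with-key.pem not-der.pem; do
    if check_cacert_bundle "$demo/$f"; then echo "OK   $f"; else echo "BAD  $f"; fi
done
nss_import_ca "$demo/nssdb" "My CA" "$demo/cacert.pem" || true   # skipped without certutil
rm -rf "$demo"
```

Running the script prints `OK` for the clean bundle and `BAD` for the two others; the second rejection is the case from the thread, a CA bundle that carries an RSA PRIVATE KEY block. Even once the bundle is clean, `--cacert` with a PEM file still needs the PEM reader PKCS#11 module Kamil mentions on an NSS build, which is why the function ends by pointing at SSL_DIR instead.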
