Hi all,

I've been looking into ways to fix the no-PEM-certificates-with-libnss in Debian.
The first solution that I tried was to use the libnsspem.so thingy from Red Hat [0], and it works I guess, but the problem is that it needs to be built as part of the libnss package, so it's a no-go for now.

[0] https://git.fedorahosted.org/git/nss-pem.git

The other solution I tried was to use the p11-kit-trust.so module from the p11-kit project [0], which is already packaged for Debian. According to its documentation it should be a normal PKCS#11 module and a drop-in replacement for libnssckbi.so (whatever that means), so I simply replaced "libnsspem.so" with the path to it in libcurl sources to make libcurl use it.

[0] http://p11-glue.freedesktop.org/

The problem with the latter method is that, while libcurl loads the module correctly, it still doesn't work (that is, TLS connections fail because libcurl/libnss can't find a proper certificate):

$ src/curl -v https://www.google.com
[...]
* Initializing NSS with certpath: none
* Closing connection 0
* The cache now contains 0 members
* Expire cleared
curl: (77) Problem with the SSL CA cert (path? access rights?)

So, is there anyone who knows how to make it work (myself being quite ignorant regarding libnss)? Alternative solutions are welcome as well.

The whole point of this would be to have the libcurl nss flavour in Debian being actually useful "by default" (which means being able to use the default Debian CA certificates that are in PEM format), due to the recent GnuTLS license problems [0].

Which means that I'm also interested in hearing opinions on OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also about having the nss flavour to be the default/only available version in Debian (I see that Red Hat has done the same thing, how did it go?).

[0] https://lists.debian.org/debian-devel/2013/12/msg00329.html
[1] http://curl.haxx.se/docs/ssl-compared.html

Cheers

--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
