On Saturday, February 22, 2014 15:08:24 Alessandro Ghedini wrote:
> Hi all,
>
> I've been looking into ways to fix the no-PEM-certificates-with-libnss in
> Debian.
>
> The first solution that I tried was to use the libnsspem.so thingy from Red
> Hat [0], and it works I guess, but the problem is that it needs to be built
> as part of the libnss package, so it's a no-go for now.
>
> [0] https://git.fedorahosted.org/git/nss-pem.git

nss-pem is going to be included into the upstream distribution of nss. Kai Engert is currently working on this.

> The other solution I tried was to use the p11-kit-trust.so module from the
> p11-kit project [0], which is already packaged for Debian. According to its
> documentation it should be a normal PKCS#11 module and a drop-in replacement
> for libnssckbi.so (whatever that means), so I simply replaced
> "libnsspem.so" with the path to it in libcurl sources to make libcurl use
> it.
>
> [0] http://p11-glue.freedesktop.org/
>
> The problem with the latter method is that, while libcurl loads the module
> correctly, it still doesn't work (that is, TLS connections fail because
> libcurl/libnss can't find a proper certificate):
>
> $ src/curl -v https://www.google.com
> [...]
> * Initializing NSS with certpath: none
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
> So, is there anyone who knows how to make it work (myself being quite
> ignorant regarding libnss)? Alternative solutions are welcome as well.
>
> The whole point of this would be to have the libcurl nss flavour in Debian
> being actually useful "by default" (which means being able to use the
> default Debian CA certificates that are in PEM format), due to the recent
> GnuTLS license problems [0]. Which means that I'm also interested in
> hearing opinions on OpenSSL vs GnuTLS vs NSS (is [1] up-to-date?) and also
> about having the nss flavour to be the default/only available version in
> Debian (I see that Red Hat has done the same thing, how did it go?).
>
> [0] https://lists.debian.org/debian-devel/2013/12/msg00329.html
> [1] http://curl.haxx.se/docs/ssl-compared.html
>
> Cheers

I am adding nss-pem-devel to CC. It is probably a more appropriate channel for this discussion.

Kamil
