On 07/04/16, Oliver Graute wrote:
> Hello list,
> 
> I'm using libcurl/7.44.0 with NSS/3.21i. If I call curl_easy_perform()
> in my httpclient it returns CURLE_SSL_CACERT_BADFILE.
> 
> The same NSS key database is working fine together with apache2 (TLS with
> mod_nss). So I assume path and access rights are fine for libcurl too.
> 
> Any clue what's wrong here?
> 
> My SSL-specific settings are these:
> 
> CURLOPT_URL           - "https://127.0.0.1/test.php"; : Target URL on same 
> machine for testing
> CURLOPT_POST          - 1
> CURLOPT_TIMEOUT               - 300
> CURLOPT_READDATA      - FILE* pFile = fopen("/home/root/test.json")
> CURLOPT_INFILESIZE_LARGE- fstats.st_size
> CURLOPT_HTTPHEADER    - some custom header stuff
> 
> 
> Other settings which work even without SSL:
> 
> CURLOPT_KEYPASSWD     - "foo" : Password to NSS-Database
> CURLOPT_SSLCERTTYPE   - "P12" ("PEM" didn't work either)
> CURLOPT_SSLCERT               - "client - foo" : Nickname of client cert 
> within NSS Database
> CURLOPT_SSLKEYTYPE    - "ENG" (Tried "DER" and "PEM" too ... (in combination 
> with either P12 and PEM as CertType))
> CURLOPT_SSLKEY                - "client - foo" : Nickname of client cert / 
> priv key for cert within NSS Database (Nickname of Cert and PrivKey are 
> identical)
> CURLOPT_CAPATH                - "/etc/apache2/nss-conf/" : Path to 
> NSS-Database (redundant? already set via put_env to $SSL_DIR)
> CURLOPT_CAINFO                - "CA - foo" : Nickname of CA Cert within NSS 
> Database
> CURLOPT_SSL_VERIFYPEER        - 1
> 
> 
> Verbose output:
> 
> *   Trying 127.0.0.1...
> 
> * Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
> 
> * Initializing NSS with certpath: sql:/etc/apache2/nss-conf/
> * Closing connection 0
> 
> Own output:
> 
> curl_easy_perform: 77
> curl_easy_perfom returns CURLE_SSL_CACERT_BADFILE

Finally we solved the issue. For the record:

When using an NSS database you MUST NOT use options defining 
certificates/keys/etc. - they will overwrite what is set within the database.
Using curl with NSS and an NSS database:
 - Set the environment variable $SSL_DIR to the path of the database
 - Use CURLOPT_KEYPASSWD to set the password to the database
 - (Use CURLOPT_SSL_VERIFYPEER to activate peer authentication)
 - (Use other CURLOPTs to define your request (URL, POST/GET, ...))

DO NOT set CURLOPT_SSLCERTTYPE, CURLOPT_SSLCERT, CURLOPT_SSLKEYTYPE, 
CURLOPT_SSLKEY, CURLOPT_CAPATH or CURLOPT_CAINFO - otherwise you'll get 
CURLE_SSL_CACERT_BADFILE (77).

Can somebody update the documentation for this?

Best Regards,

Oliver
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
