Hi Kamil.

On Thu, Jan 19, 2017 at 4:08 AM, Kamil Dudka <[email protected]> wrote:
>
> On Thursday, January 19, 2017 00:27:57 Pawel Veselov wrote:
> > Running strace on the process, I can see NSS accessing the correct PEM
> > files, but simply not including the certificate (point #1). I assume there
> > are some invalid bits for point #2 (the correct certificate seems to be
> > included), but figuring it out is somewhat tedious. I assume that the
> > problems are related, and #1 is more clear cut.
>
> If you load certificates from files, you must be using the nss-pem PKCS #11
> module. Do you have any idea which version of nss-pem you are using?

1.0.2-2, at least on Fedora. It's actually your spec file that you made for Fedora :)

>> * Wed Jun 22 2016 Kamil Dudka <[email protected]> 1.0.2-2
>> - explicitly conflict with all nss builds with bundled nss-pem (#1347336)

> Could you please verify that the following patch is included?
> https://github.com/kdudka/nss-pem/commit/33ceed15

Yes, it is included.

> > I was wondering whether this was a known problem, and what is the best
> > approach to debugging it. Considering I've not been around NSS or libcurl
> > code before, any pointers on where to dig would be highly appreciated.
>
> Could you please try to import the client certificates (and keys) to the
> NSS database by the pk12util tool and refer to them by their nicknames
> while using the CURLOPT_SSLCERT option of libcurl?

Things work perfectly fine if I use the database, i.e. no MT problems. Unfortunately, this is not a workaround to what I'm trying to achieve, but it is pointing to nss-pem as a culprit, isn't it? Anywhere in particular you'd like me to dig in there?

P.S. I also discovered that if a database is used (even if it just exists, maybe it needs to have a CA, maybe it doesn't), then CURLOPT_CAINFO is ignored, or at least the cert that is provided by it is no longer trusted. Maybe because the same cert is in the DB, and without the C flag. If it is the latter, it is probably still a problem, because if I say I need to trust cert X, there is no other way for me to do it (if it is a system database, for example).
