Hello,

A good while back I had some code that needed to use the NSS CAs only (and not 
the PEM ca-bundle file).  I did this by symlinking libnssckbi.so into my nssdb 
(so NSS would have the CA certs), and passing NULL for CURLOPT_CAINFO (so the 
PEM file wouldn't be loaded).  This worked fine on libcurl 7.21.0 and NSS 
3.12.10.

I'm trying to update this code to run on a more up-to-date system (RHEL7, which 
has libcurl 7.29.0 and NSS 3.15.4), but passing NULL for CURLOPT_CAINFO does 
not seem to work any longer.  The NSS part seems correct, and "certutil -d 
/etc/pki/nssdb -L -h all" does in fact list all of the CAs.  However, this 
sample program does not work:

#include <stdio.h>
#include <curl/curl.h>

int main(int argc, char *argv[])
{
  CURL *hnd;
  CURLcode res;

  curl_global_init(CURL_GLOBAL_DEFAULT);

  hnd = curl_easy_init();
  curl_easy_setopt(hnd, CURLOPT_URL, "https://www.google.com");
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
  /* No PEM bundle: rely only on the CAs present in the NSS database */
  curl_easy_setopt(hnd, CURLOPT_CAINFO, NULL);

  res = curl_easy_perform(hnd);
  if (res != CURLE_OK)
    fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));

  curl_easy_cleanup(hnd);
  curl_global_cleanup();

  return (res == CURLE_OK) ? 0 : 1;
}

The error given is:

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.

This sample program does work on the older libcurl and NSS.

Any thoughts?  Again, the intent here is to use the NSS CAs and ignore the 
ca-bundle.crt file.

David


-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
