On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
> Hello,
> 
> A good while back I had some code that needed to use the NSS CAs only (and
> not the PEM ca-bundle file).  I did this by symlinking libnssckbi.so into
> my nssdb (so NSS would have the CA certs),

I am not sure how this is supposed to work.  Is it documented anywhere?

> and passing NULL for
> CURLOPT_CAINFO (so the PEM file wouldn't be loaded).  This worked fine on
> libcurl 7.21.0 and NSS 3.12.10.
> 
> I'm trying to update this code to run on a more up to date system (RHEL7,
> which has libcurl 7.29.0 and NSS 3.15.4), but passing NULL for
> CURLOPT_CAINFO does not seem to work any longer.

I believe that the libcurl part still works.  If you pass NULL as
CURLOPT_CAINFO, it does not load CA certificates from file.

> The NSS part seems
> correct, and "certutil -d /etc/pki/nssdb -L -h all" does in fact list all
> of the CAs.  However, this sample program does not work:
> 
> #include <curl/curl.h>
> 
> int main(int argc, char *argv[])
> {
>   CURL *hnd;
> 
>   hnd = curl_easy_init();
>   curl_easy_setopt(hnd, CURLOPT_URL, "https://www.google.com");
>   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
>   curl_easy_setopt(hnd, CURLOPT_CAINFO, NULL);
> 
>   curl_easy_perform(hnd);
> 
>   curl_easy_cleanup(hnd);
> 
>   return 0;
> }
> 
> The error given is:
> 
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.
> 
> This sample program does work on the older libcurl and NSS.
> 
> Any thoughts?  Again, the intent here is to use the NSS CAs and ignore the
> ca-bundle.crt file.
> 
> David

I was able to connect using your example on RHEL-7 if I imported the CA
certificate into the NSS certificate database:

$ mkdir /tmp/nssdb
$ certutil -d /tmp/nssdb -N
$ certutil -d /tmp/nssdb -A -i /tmp/GeoTrustGlobalCA -t C,, -n GeoTrustGlobalCA
$ gcc -lcurl xxx.c
$ SSL_DIR=/tmp/nssdb ./a.out 
* About to connect() to www.google.com port 443 (#0)
*   Trying 2a00:1450:4009:809::1013...
* Network is unreachable
*   Trying 173.194.41.179...
* Connected to www.google.com (173.194.41.179) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
*   CAfile: none
  CApath: none
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
*       subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Jul 16 12:14:11 2014 GMT
*       expire date: Oct 14 00:00:00 2014 GMT
*       common name: www.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
Host: www.google.com
Accept: */*

< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.cz/?gfe_rd=cr&ei=B1zWU9O0G7DY8geO0YGgBQ
< Content-Length: 259
< Date: Mon, 28 Jul 2014 14:19:51 GMT
< Server: GFE/2.0
< Alternate-Protocol: 443:quic
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.cz/?gfe_rd=cr&amp;ei=B1zWU9O0G7DY8geO0YGgBQ">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html