On Saturday, February 22, 2014 15:08:24 Alessandro Ghedini wrote:
> Hi all,
> I've been looking into ways to fix the no-PEM-certificates-with-libnss in
> The first solution that I tried was to use the libnsspem.so thingy from Red
> Hat, and it works I guess, but the problem is that it needs to be built
> as part of the libnss package, so it's a no-go for now.
>  https://git.fedorahosted.org/git/nss-pem.git
nss-pem is going to be included into the upstream distribution of nss.
Kai Engert is currently working on this.
> The other solution I tried was to use the p11-kit-trust.so module from the
> p11-kit project, which is already packaged for Debian. According to its
> documentation it should be a normal PKCS#11 module and a drop-in replacement
> for libnssckbi.so (whatever that means), so I simply replaced
> "libnsspem.so" with the path to it in libcurl sources to make libcurl use
>  http://p11-glue.freedesktop.org/
> The problem with the latter method is that, while libcurl loads the module
> correctly, it still doesn't work (that is, TLS connections fail because
> libcurl/libnss can't find a proper certificate):
> $ src/curl -v https://www.google.com
> * Initializing NSS with certpath: none
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (77) Problem with the SSL CA cert (path? access rights?)
> So, is there anyone who knows how to make it work (myself being quite
> ignorant regarding libnss)? Alternative solutions are welcome as well.
> The whole point of this would be to have the libcurl nss flavour in Debian
> being actually useful "by default" (which means being able to use the
> default Debian CA certificates that are in PEM format), due to the recent
> GnuTLS license problems. Which means that I'm also interested in
> hearing opinions on OpenSSL vs GnuTLS vs NSS (is up-to-date?) and also
> about having the nss flavour to be the default/only available version in
> Debian (I see that Red Hat has done the same thing, how did it go?).
>  https://lists.debian.org/debian-devel/2013/12/msg00329.html
>  http://curl.haxx.se/docs/ssl-compared.html
I am adding nss-pem-devel to CC. It is probably a more appropriate channel
for this discussion.
I have filed https://fedorahosted.org/nss-pem/ticket/4 and attached a
patch to do some basic cleanup of libpem code.
This only addresses basic stuff that Bob pointed out in a previous
review upstream. The first of a small series of patches to tidy things
up somewhat and give Kai a cleaner code base from which he can do the
big work for libpem nss integration and submission upstream.
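For anyone trying the p11-kit-trust route Alessandro describes, the following is an added example (not code from the thread, from curl, or from p11-kit) of the checks a practitioner would run before wiring the module into an NSS-backed libcurl: first confirm the shared object really is a PKCS#11 module, which concretely means it exports the `C_GetFunctionList` entry point that NSS's module loader resolves, then register it in an NSS database with `modutil` and point curl at that database through `SSL_DIR`. The module path and the database directory are assumptions (Debian amd64 layout, a per-user `sql:` database); `certutil` and `modutil` come from the `libnss3-tools` package.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed locations (override via the environment):
#   P11_MODULE - the p11-kit-trust.so shared object
#   NSSDB      - a writable NSS "sql:" database directory
P11_MODULE="${P11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}"
NSSDB="${NSSDB:-$HOME/.pki/nssdb}"

# A PKCS#11 module is a shared object exporting C_GetFunctionList; that is
# the one symbol NSS (and modutil) look up when loading it.
# Returns 0 = exported, 1 = readable but not a PKCS#11 module, 2 = unreadable.
pkcs11_check_module() {
    mod="$1"
    [ -r "$mod" ] || return 2
    if nm -D "$mod" 2>/dev/null | grep -q ' T C_GetFunctionList'; then
        return 0
    fi
    # Fallback when nm is unavailable or the symbol table is unusual.
    if objdump -T "$mod" 2>/dev/null | grep -q 'C_GetFunctionList'; then
        return 0
    fi
    return 1
}

# Create the NSS database if needed, register the module under a friendly
# name, then list the database so the new module is visible.
pkcs11_register_module() {
    mod="$1"; db="$2"; name="${3:-p11-kit-trust}"
    mkdir -p "$db"
    [ -f "$db/cert9.db" ] || certutil -N -d "sql:$db" --empty-password
    modutil -dbdir "sql:$db" -add "$name" -libfile "$mod" -force
    modutil -dbdir "sql:$db" -list
}

# Only perform the registration and the live connection when asked to, so the
# functions above can be sourced and checked without touching a real database.
if [ "${1:-}" = "run" ]; then
    if ! pkcs11_check_module "$P11_MODULE"; then
        echo "not a PKCS#11 module (no C_GetFunctionList): $P11_MODULE" >&2
        exit 1
    fi
    pkcs11_register_module "$P11_MODULE" "$NSSDB"
    # The NSS flavour of curl reads SSL_DIR for its certificate database;
    # the thread's output "Initializing NSS with certpath: none" is what you
    # see when no database is configured at all.
    SSL_DIR="$NSSDB" curl -v https://www.google.com -o /dev/null
fi
```

Run it as `sh check-p11.sh run`; if `pkcs11_check_module` reports 1, the file at `P11_MODULE` is a plain library rather than a PKCS#11 module and no amount of path substitution in libcurl will make NSS use it.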