Discussion:
libcurl 7.21.4 with NSS
v***@emc.com
2011-02-19 00:36:35 UTC
I just managed to build libcurl 7.21.4 with NSS version 3.12.9. My test program works fine (connects to a secured appserver that is running on a remote machine) only when no /etc/pki/nssdb directory exists on the machine. Otherwise, I'm getting the error "NSS error -8187"; NSS error 8187 means SEC_ERROR_INVALID_ARGS (Security library: invalid arguments). Here is more info:

Trying xx.x.xx.xx...
connected

Connected to myserver.domain.com (xx.x.xx.xx) port 9302 (#0)

Initializing NSS with certpath: /etc/pki/nssdb

Unable to initialize NSS database

NSS error -8187

Closing connection #0

Problem with the SSL CA cert (path? access rights?)

Any ideas to resolve or workaround this issue?

Thanks
Valli
Kamil Dudka
2011-02-19 08:37:49 UTC
Post by v***@emc.com
I just managed to build libcurl 7.21.4 with NSS version 3.12.9. My test
program works fine (connects to secured appserver that is running on remote
machine) only when there is no /etc/pki/nssdb directory exists in the
machine. Otherwise, I'm getting error "NSS error -8187", the NSS error 8187
means SEC_ERROR_INVALID_ARGS (Security library: invalid arguments). Here is
more info
Trying xx.x.xx.xx...
connected
Connected to myserver.domain.com (xx.x.xx.xx) port 9302 (#0)
Initializing NSS with certpath: /etc/pki/nssdb
Unable to initialize NSS database
NSS error -8187
Closing connection #0
Problem with the SSL CA cert (path? access rights?)
Any ideas to resolve or workaround this issue?

You can provide another path to the NSS database via the SSL_DIR environment
variable. Alternatively, if /etc/pki/nssdb (the path is hardcoded) does
not exist, NSS starts with no database. But that's probably not what you
want to do. I suggest creating a new database:

# certutil -N -d PATH_TO_NSS_DATABASE

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

What system are you actually running on?

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
v***@emc.com
2011-02-19 18:56:23 UTC
Thank you for the quick reply.

I'm running on Linux. It seems that the existing db at /etc/pki/nssdb is not compatible, as the program works fine when I create a new db using certutil and set the environment variable SSL_DIR.

How do I make it work regardless of nssdb existence? Note that the program works fine when there is no /etc/pki/nssdb directory but it fails when there is a /etc/pki/nssdb.

Since I use the following 2 CURL options, I don't really need to use a cert db.

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

Thank you for the help...

-Valli

Kamil Dudka
2011-02-19 19:19:21 UTC
Post by v***@emc.com
I'm running on Linux. It seems that existing db at /etc/pki/nssdb is not
What distro? Did you have the /etc/pki/nssdb directory already there? What
was inside?
Post by v***@emc.com
compatible as the program works fine when I create new db using certutil
and set environment variable SSL_DIR.
How do I make it working regardless of nssdb existence? Note that the
program works fine when there is no /etc/pki/nssdb directory but it fails
when there is a /etc/pki/nssdb.
I don't think the current code allows calling NSS_NoDB_Init() in case the
directory /etc/pki/nssdb exists:

https://github.com/bagder/curl/blob/a40f58d/lib/nss.c#L917

I guess the SSL_DIR handling logic needs to be improved to cover these cases.

Kamil
v***@emc.com
2011-02-19 19:32:57 UTC
Subject: Re: libcurl 7.21.4 with NSS
Post by Kamil Dudka
Post by v***@emc.com
I'm running on Linux. It seems that existing db at /etc/pki/nssdb is not
What distro? Did you have the /etc/pki/nssdb directory already there? What
was inside?

I have been trying with NSS 3.12.9 and curl 7.21.4 on RedHat Linux 2.6.18-194.el5PAE #1 SMP Tue Mar 16 22:00:21 EDT 2010 i686 i686 i386 GNU/Linux

The directory /etc/pki/nssdb contains 3 db files cert8.db, key3.db and secmod.db.
Post by Kamil Dudka
Post by v***@emc.com
compatible as the program works fine when I create new db using certutil
and set environment variable SSL_DIR.
How do I make it working regardless of nssdb existence? Note that the
program works fine when there is no /etc/pki/nssdb directory but it fails
when there is a /etc/pki/nssdb.
I don't think the current code allows to call NSS_NoDB_Init() in case the
https://github.com/bagder/curl/blob/a40f58d/lib/nss.c#L917
I guess the SSL_DIR handling logic needs to be improved to cover these cases.
Yes, I've looked into the code. Is there a way to resolve or work around the 8187 error that happens when /etc/pki/nssdb exists?

Kamil


Kamil Dudka
2011-02-19 20:09:11 UTC
Post by v***@emc.com
I have been trying with NSS 3.12.9 and curl 7.21.4 on RedHat Linux
2.6.18-194.el5PAE #1 SMP Tue Mar 16 22:00:21 EDT 2010 i686 i686 i386
GNU/Linux
The directory /etc/pki/nssdb contains 3 db files cert8.db, key3.db and secmod.db.
Then you have either a corrupted NSS database, or the files are just
incompatible with the version of the NSS libraries you are using. Is the
certutil tool happy with that database?

certutil -L -d /etc/pki/nssdb
Post by v***@emc.com
Yes I've looked into the code. Is there a way to resolve/workaround 8187
error happens when the /etc/pki/nssdb exists?
Yes, just create an empty one and pass its location to libcurl via SSL_DIR.

Kamil
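
The lookup order and the `certutil -L` check discussed in this thread, combined into one preflight script; this is an added example, not code from the thread or from curl. The function names and the `SYSTEM_NSSDB` override are hypothetical, and the file-name mapping (cert8.db/key3.db for the legacy DBM format, cert9.db/key4.db for the SQLite format) comes from NSS's database formats rather than from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which NSS database libcurl
# would open and whether it looks usable.
# SYSTEM_NSSDB is overridable only so the logic can be exercised on test dirs.
SYSTEM_NSSDB=${SYSTEM_NSSDB:-/etc/pki/nssdb}

# Directory NSS would be initialized with; prints nothing for "no database".
nss_db_dir() {
    if [ -n "${SSL_DIR:-}" ]; then
        printf '%s\n' "$SSL_DIR"          # SSL_DIR wins over the default
    elif [ -d "$SYSTEM_NSSDB" ]; then
        printf '%s\n' "$SYSTEM_NSSDB"     # hardcoded path, used if present
    fi
}

# Classify a directory by the NSS database files it contains.
nss_db_format() {
    d=$1
    if [ ! -d "$d" ]; then echo missing
    elif [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ]; then echo sqlite
    elif [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ]; then echo dbm
    else echo empty
    fi
}

# Returns 0 = usable or no database, 1 = certutil rejects it, 2 = not validated.
nss_preflight() {
    dir=$(nss_db_dir)
    if [ -z "$dir" ]; then
        echo "no SSL_DIR and no $SYSTEM_NSSDB: NSS starts with no database"
        return 0
    fi
    echo "NSS database: $dir (format: $(nss_db_format "$dir"))"
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; database not validated"
        return 2
    fi
    if certutil -L -d "$dir" >/dev/null 2>&1; then
        echo "certutil can list the database"
        return 0
    fi
    echo "certutil cannot open $dir; create a new database with"
    echo "  certutil -N -d PATH_TO_NSS_DATABASE"
    echo "and export SSL_DIR=PATH_TO_NSS_DATABASE before starting the program"
    return 1
}

nss_preflight || true
```

Run it as the same user and with the same environment as the program that links libcurl, so that `SSL_DIR` and directory permissions match what the program will see.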