Created attachment 516913 sample program demonstrating error

Description of problem:
See the attached program to a file on an https server with a self-signed certificate. Build and run the program. It will pass if either there is no /etc/pki/nssdb or if there are the expected files. It will fail whenever /etc/pki/nssdb is an empty directory, with:

Problem with the SSL CA cert (path? access rights?)

Expected results:
as long as CURLOPT_SSL_VERIFYPEER is zero, contents of /etc/pki/nssdb should make no difference.

Related: Anaconda bug 696696.
Please try to set $SSL_DIR to a non-directory. Does it solve the problem for Anaconda?
(In reply to comment #1)
> Please try to set $SSL_DIR to a non-directory. Does it solve the problem for
> Anaconda?

I can reproduce this in F15 on a running system; this is not isolated to Anaconda (though it's a lot more plausible to have empty nssdb there). Answer is no:

[akozumpl@aklab ~/projects/curltest]$ export SSL_DIR='/etc/vimrc'
[akozumpl@aklab ~/projects/curltest]$ ./a.out
Problem with the SSL CA cert (path? access rights?)
Any idea why I get a different result with your sample program?

$ SSL_DIR=/etc/vimrc ./a.out
$ SSL_DIR=/etc ./a.out
Problem with the SSL CA cert (path? access rights?)

My plan was to improve the certdir check to look for certain files as the check for the directory itself did not seem to be sufficient. Now it looks like there are some other problems involved?
(In reply to comment #3)
> Any idea why I get a different result with your sample program?
>
> $ SSL_DIR=/etc/vimrc ./a.out
> $ SSL_DIR=/etc ./a.out
> Problem with the SSL CA cert (path? access rights?)
>
> My plan was to improve the certdir check to look for certain files as the check
> for the directory itself did not seem to be sufficient. Now it looks like
> there are some other problems involved?

No clue, this is the output on my machine:

[akozumpl@aklab ~/projects/curltest]$ SSL_DIR=/etc/vimrc ./a.out
Problem with the SSL CA cert (path? access rights?)

The versions are:
curl-7.21.3-8.fc15.x86_64
libcurl-7.21.3-8.fc15.x86_64
libcurl-devel-7.21.3-8.fc15.x86_64

You probably are working closer to rawhide so it could make sense to do your fix there and let me retest in F16 Anaconda once the package reaches the repos?
Ales, you are right, the current handling of $SSL_DIR is stupid. If the given path is not a directory, it falls back to the built-in path (/etc/pki/nssdb) ... and if the built-in path is a directory with no valid NSS database, it breaks. As a workaround, you can set $SSL_DIR to a valid NSS database, which does not need to be the system one. I have proposed a patch upstream to initialize NSS with no database in case the selected database is broken: http://thread.gmane.org/gmane.comp.web.curl.library/32627
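The fallback described in the comment above ($SSL_DIR if it is a directory, otherwise the built-in path, and no database at all when the chosen directory holds none), written as a pre-flight check. This is an added example, not code from curl or from the upstream patch; `select_nss_db` and its helpers are hypothetical names, and testing for the usual NSS file names is an assumed heuristic that does not validate the database contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define BUILTIN_DB "/etc/pki/nssdb"  /* built-in path named in the thread */

static int is_dir(const char *path)
{
    struct stat st;
    return path && stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Assumed heuristic: a usable database has the legacy pair
 * (cert8.db, key3.db) or the SQLite pair (cert9.db, key4.db). */
static int has_nss_files(const char *dir)
{
    static const char *const sets[2][2] = {
        { "cert8.db", "key3.db" }, { "cert9.db", "key4.db" } };
    char buf[4096];
    for (int s = 0; s < 2; s++) {
        int found = 0;
        for (int f = 0; f < 2; f++) {
            snprintf(buf, sizeof buf, "%s/%s", dir, sets[s][f]);
            found += (access(buf, R_OK) == 0);
        }
        if (found == 2)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: $SSL_DIR wins if it is a directory, otherwise the
 * built-in path is used. Returns NULL when the chosen directory has no
 * database files, meaning "initialize NSS with no database". */
const char *select_nss_db(const char *ssl_dir, const char *builtin)
{
    const char *dir = is_dir(ssl_dir) ? ssl_dir : builtin;
    return (is_dir(dir) && has_nss_files(dir)) ? dir : NULL;
}

int main(void)
{
    const char *db = select_nss_db(getenv("SSL_DIR"), BUILTIN_DB);
    printf("NSS database: %s\n", db ? db : "(none, init without database)");
    return 0;
}
```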
fixed in curl-7.21.7-3.fc17
curl-7.21.3-10.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/curl-7.21.3-10.fc15
curl-7.21.7-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/curl-7.21.7-3.fc16
Package curl-7.21.7-3.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.21.7-3.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/curl-7.21.7-3.fc16
then log in and leave karma (feedback).
curl-7.21.7-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.21.3-11.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.