Bug 266021

Summary: curl + nss doesn't work
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: curlAssignee: Jindrich Novy <jnovy>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: medium    
Version: rawhideCC: daniel, erik-fedora, katzj, kdudka, kengert, mtasaka, nicolas.mailhot, pknirsch, rcritten, rrelyea, rvokal, sgrubb, tmraz, tyasui, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-10 12:16:10 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 235703    

Description Bill Nottingham 2007-08-29 21:44:30 EDT
Description of problem:

At least, not how it's used for 'make upload'.

Example:
curl -k --cert <your fedora cert> --fail -F name=<some package> -F md5sum=<some
md5sum> -F filename=<some file> https://cvs.fedoraproject.org/repo/pkgs/upload.cgi

With 7.16.4-2.fc8 (openssl) this works.

With 7.16.4-3.fc8 (NSS) this fails with a 403 error.

Version-Release number of selected component (if applicable):

7.16.4-3.fc8

How reproducible:

Every time!

Marking as Fedora 8 blocker since it makes building new packages hard. CC'ing
nss maintaner.
Comment 1 Jindrich Novy 2007-08-31 01:17:35 EDT
The problem could be caused by the fact, that curl is still configured to use
/etc/pki/tls/certs/ca-bundle.crt, is there an equivalent cert bundle provided by
nss? If yes, we can switch to use that one.

Daniel, is there needed to do something special except this to make the curl nss
support work as expected?

I can revert the nss switch immediatelly to make the source uploading work again
until we manage to make the nss support work.
Comment 2 Daniel Stenberg 2007-08-31 03:27:10 EDT
Rob Crittenden of Redhat is the one who brought the NSS support to (lib)curl and
I bet he knows far more than me about particular details such as this.

AFAIU, NSS uses a ca cert database file somewhere...
Comment 3 Tomas Mraz 2007-08-31 05:11:36 EDT
NSS uses its own cert db format. 
The workaround is (you need certutil and pkcs12util for that):

Create .nss subdir in your home:
mkdir ~/.nss

Init NSS db there (if you enter a password you'll need to add it to curl command
line):
certutil -N -d ~/.nss

Convert .fedora.cert to PKCS12 format:
openssl pkcs12 -export -in .fedora.cert -out .fedora.p12 -n <nickname>

Import PKCS12 into the NSS db:
pk12util -i .fedora.p12 -d ~/.nss

curl -k --cert <nickname> --cacert ~/.nss ...

If you initialized the NSS db with a password you'll have to add '--pass <the
password>' to the curl command line.
Comment 4 Tomas Mraz 2007-08-31 05:13:19 EDT
So basically - curl+NSS does work, but differently.
Comment 5 Tomas Mraz 2007-08-31 05:21:58 EDT
(In reply to comment #3)
> openssl pkcs12 -export -in .fedora.cert -out .fedora.p12 -n <nickname>
There is typo here - the last option is -name <nickname>
Comment 6 Jeremy Katz 2007-08-31 08:41:01 EDT
But requiring all of this means that curl has incompatibly changed with the
switch to nss.  And not for users of the libcurl API (which would be bad, but
not unheard of), but instead for people using the command-line program.  Which
kind of sucks 
Comment 7 Tomas Mraz 2007-08-31 08:58:34 EDT
I agree that it sucks.

The problem with OpenSSL->NSS conversion is that the philosophy behind the two
libraries is quite different so it is pretty hard to make the ported apps to
behave in 100% compatible way. The dependence on NSS cert db is something which
simply cannot be removed without thorough rewriting of NSS.

For loading the client cert from PEM file there is a PKCS#11 module in the works
but I don't know what is its current status and whether it will make it 100%
compatible with the OpenSSL way of loading client certs.

Also for the FIPS-140-2 Level 2 certification to be still valid there might be
some restrictions as to whether this mentioned module would be allowed or not.
Comment 8 Bob Relyea 2007-08-31 14:02:26 EDT
We should have a version of libcurl+nss that works with PEM files shortly. We
already solved the problem generally in nss_compat_ossl. Libcurl did the
conversion directly, though.

bob
Comment 9 Erik van Pienbroek 2007-09-01 12:40:05 EDT
The nss patch which was applied in curl-7.16.4-3.fc8 has also caused a program
of mine to stop working properly.

This program uses libcurl to retrieve a gzip-compressed http:// url, but the
decoding of the gzip data fails since curl-7.16.4-3.fc8. libcurl only returns
the compressed data instead of the expected decompressed data.
Comment 10 Jindrich Novy 2007-09-03 06:53:31 EDT
I reverted the default to use NSS back to OpenSSL to avoid breakages. We can
reenable it as soon as curl users will be prepared for it and a clear HOWTO will
be present.

I'm letting this bug open to track any changes in the NSS curl support so that
it could be enabled later.
Comment 11 Rob Crittenden 2007-09-04 22:02:28 EDT
For comment #9 if you aren't using SSL then this change should not affect you. 

I have 2 SRPMS ready for testing. This requires some changes to the nss package
to incorporate the PKCS#11 module needed for importing PEM files. I also wrote a
patch against the curl NSS module to change the command-line to load the PKCS#11
module and import PEM files. It should also work if you have an existing NSS
database and certificates/keys.

You can get the two SRPMS from: http://rcritten.fedorapeople.org/files/

To test the Fedora infrastructure once you've built and installed these, find or
create a file you want to upload to your project. In my case this is
nss_compat_ossl. Do an md5sum of the file, then run something like:

curl -k --cert ~/.fedora.cert --fail -F "name=nss_compat_ossl" -F
"md5sum=1dcca23355272056f04fe8bf20edfce0" -F "file=@test"
https://cvs.fedoraproject.org/repo/pkgs/upload.cgi

Here I'm uploading to nss_compat_ossl the file "test" with an md5sum of
1dcca23355272056f04fe8bf20edfce0.

The @ before the filename is important.

I tested with the -v argument to curl to get more output.

You have to use the -k argument because:

1. You probably don't have the CA that signed the cert installed
2. The certificate is expired (April 5, 2006!)
3. The CN of the certificate is cvs.fedora.redhat.com, not cvs.fedoraproject.org
Comment 12 Rob Crittenden 2007-09-10 08:27:58 EDT
Packages built in koji that address the problem:

nss-3.11.7-9
http://koji.fedoraproject.org/koji/buildinfo?buildID=18013

curl-7.16.4-5
http://koji.fedoraproject.org/koji/buildinfo?buildID=18049
Comment 13 Jindrich Novy 2007-09-10 12:16:10 EDT
Closing RAWHIDE as the NSS support in curl shouldn't break things and it's
enabled now. Please reopen if you see something odd with curl related to NSS.
Comment 14 Larry Troan 2010-08-30 14:53:20 EDT
*** Bug 570231 has been marked as a duplicate of this bug. ***