Description of problem:
Upon upgrading from curl-7.18.2-9 to curl-7.19.4-1 pycurl with SSL sites has broken. I can make a single request to an SSL enabled site but all subsequent requests yield a traceback:

Traceback (most recent call last):
  File "bin/pkgdb-client", line 255, in <module>
    failedPackages.update(add_edit_package(pkgdb, options))
  File "bin/pkgdb-client", line 222, in add_edit_package
    groups=group_dict)
  File "/usr/lib/python2.6/site-packages/fedora/client/pkgdb.py", line 182, in add_edit_package
    auth=True, req_params=data)
  File "/usr/lib/python2.6/site-packages/fedora/client/baseclient.py", line 309, in send_request
    req_params = req_params, auth_params = auth_params)
  File "/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py", line 254, in send_request
    request.perform()
pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA certificates')

Version-Release number of selected component (if applicable):
curl-7.19.4-1

How reproducible:
Always

Steps to Reproduce:
python
from fedora.client import PackageDB
pkgdb = PackageDB()
data = pkgdb.send_request('/collections/id/8')
data2 = pkgdb.send_request('/collections/id/8')

Actual results:
traceback:
  File "/usr/lib/python2.6/site-packages/fedora/client/baseclient.py", line 309, in send_request
    req_params = req_params, auth_params = auth_params)
  File "/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py", line 254, in send_request
    request.perform()
pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA certificates')

Expected results:
data and data2 contain the same information

Additional info:
I'll attach a simpler test case as soon as I can adapt some code
Created attachment 334183
Simple test case

Here's a simple test case. Note that if I don't clean up (with c.close() ) then this works but I have a huge memory leak (not sure if the memory leak exists when I call c.close() as I can't run many iterations yet). Additionally, when a curl object goes out of scope (like being created and used inside of a function), the curl object is being cleaned up and the same traceback results.
It appears that curl-7.19.4-easy-leak.patch is the culprit but I can also confirm that there is a memory leak in the test script without that patch applied. The memory leak without the patch also occurs with some simple C code. That C code does not show either problem (unable to authenticate the peer certificate or memory leak) when the patch is applied.
curl-7.19.4-easy-leak.patch has caused a regression in NSS support. NSS_Shutdown() is called indirectly by curl_easy_cleanup() and it unloads the libnsspem.so module. Once it is unloaded it can't be loaded any more. It seems like an nss/pem bug. I am going to look at this issue next week. In the meantime jnovy will remove this patch.
The easy-leak patch is now dropped.
curl-7.19.4-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/curl-7.19.4-2.fc10
curl-7.19.4-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/curl-7.19.4-2.fc9
Regardless of the strange nss/pem behavior, I've discussed this patch on the curl-library mailing list and considered it not a good idea at all. The code using libcurl should be fixed, as the library works well if its users adhere to the API. First I am going to write a patch fixing src/main.c.
curl-7.19.4-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.19.4-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This still appears to be broken to me. The test case gives:

1 1 2
Traceback (most recent call last):
  File "break-pycurl.py", line 11, in <module>
    c.perform()
pycurl.error: (60, 'Peer certificate cannot be authenticated with known CA certificates')

package versions:
curl-7.19.4-3.fc10.i386
python-pycurl-7.18.2-1.fc10.i386
nss-3.12.2.0-4.fc10.i386
The version of the curl package is irrelevant when using pycurl. Please double-check the version of the libcurl package:

$ rpm -q libcurl

It seems like the old curl library still survives on your system.
The rpm db got confused or something. I reinstalled libcurl and it worked.
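
The check from the last exchange (which libcurl a Python process really loads, independent of the curl package version or the rpm database), as an added example that is not part of the original report. It reads the library banner through ctypes and assumes Linux for the /proc/self/maps lookup; the helper names are illustrative and the sample banner is constructed from versions quoted in this thread.

```python
# Added example: identify the libcurl build that is actually loaded at run time.
import ctypes
import ctypes.util
import re

# Constructed sample of a curl_version() banner (zlib version is made up).
SAMPLE_BANNER = "libcurl/7.19.4 NSS/3.12.2.0 zlib/1.2.3"


def parse_banner(banner):
    """Split a curl_version() banner into {component: version}."""
    parts = {}
    for token in banner.split():
        name, sep, version = token.partition("/")
        if sep:
            parts[name] = version
    return parts


def tls_backend(parts):
    """Return (name, version) of the TLS library in the banner, or None."""
    for name in ("NSS", "OpenSSL", "GnuTLS"):
        if name in parts:
            return name, parts[name]
    return None


def loaded_libcurl():
    """Return (banner, mapped_path) for the libcurl this process loads, or None."""
    soname = ctypes.util.find_library("curl")
    if soname is None:
        return None
    try:
        lib = ctypes.CDLL(soname)
    except OSError:
        return None
    lib.curl_version.restype = ctypes.c_char_p
    banner = lib.curl_version().decode("ascii", "replace")
    path = None
    try:
        with open("/proc/self/maps") as maps:  # Linux only
            for line in maps:
                if re.search(r"/libcurl[^/]*\.so", line):
                    # Keep the full tail so a "(deleted)" marker on a stale file shows up.
                    path = line.split(None, 5)[5].strip()
                    break
    except OSError:
        pass
    return banner, path
```

If the mapped path or the banner disagrees with what `rpm -q libcurl` reports, the process is running against a different library file than the package database describes.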