[Nix-dev] curl SSL question

Sergey Mironov grrwlf at gmail.com
Wed Dec 11 13:00:04 CET 2013


Hi. A question to curl experts. I'm working with an application which
uses libcurl to send https:// requests. For security reasons the
application enables both SSL_VERIFY* options

  /* libcurl expects a long for these options */
  curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L); /* verify the peer's certificate chain */
  curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L); /* verify the host name matches the certificate */

Unfortunately, curl refuses to start a conversation and errors out with
the following:

* About to connect() to verifier.login.persona.org port 443 (#0)
*   Trying 107.23.187.236...
* Adding handle: conn: 0x7f3714066e40
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f3714066e40) send_pipe: 1, recv_pipe: 0
* Connected to verifier.login.persona.org (107.23.187.236) port 443 (#0)
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0


I looked into the nix expression for curl and added the
--with-ca-bundle=${cacert}/etc/ca-bundle.crt flag (see the commit
https://github.com/grwlf/nixpkgs/commit/a514f952d78420412442ed38ab7fa6a705eb26fe).
Unfortunately, nixos reports a circular dependency conflict between curl
and cacert (because cacert uses curl to download the ca-bundle from
curl's website). So I also made a new version of curl named
`curl_cacert' which solved my issue.

The questions are:
  - Does anybody (except me) try sending https requests with libcurl?
How is it supposed to locate ca-bundle.crt?
  - Is this an openssl-specific problem? Has anybody tried it with gnutls?
  - Should we fix it? I think I can write the expression for tinycurl,
call it from cacert and then call cacert from 'normal' curl.

Regards,
Sergey

