[Nix-dev] curl SSL question
Lluís Batlle i Rossell
viric at viric.name
Wed Dec 11 13:07:03 CET 2013
On Wed, Dec 11, 2013 at 04:00:04PM +0400, Sergey Mironov wrote:
> Hi. A question to curl experts. I'm working with an application which
> uses libcurl to send https:// requests. For security reasons the
> application enables both SSL_VERIFY* options
>
> curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L);
> curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L);
>
> Unfortunately, curl refuses to start a conversation and errors out with
> the following:
>
> * About to connect() to verifier.login.persona.org port 443 (#0)
> * Trying 107.23.187.236...
> * Adding handle: conn: 0x7f3714066e40
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x7f3714066e40) send_pipe: 1, recv_pipe: 0
> * Connected to verifier.login.persona.org (107.23.187.236) port 443 (#0)
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
>
>
> I looked into the nix expression for curl and added the
> --with-ca-bundle=${cacert}/etc/ca-bundle.crt flag (see the commit
> https://github.com/grwlf/nixpkgs/commit/a514f952d78420412442ed38ab7fa6a705eb26fe).
> Unfortunately, nixos reports a circular dependency conflict between curl
> and cacert (because cacert uses curl to download the ca-bundle from
> curl's website). So I also made a new version of curl named
> `curl_cacert' which solved my issue.
>
> The questions are:
> - does anybody (except me) try sending https requests with libcurl?

I do.

> How is it supposed to contact ca-bundle.crt?

env var CURL_CA_BUNDLE

> - Is this an openssl-specific problem? Does anybody try it with gnutls?

It's a CURL thing. :)
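
An added example, not code from the thread or from curl or nixpkgs: one way an application can keep both verification options on and pass the bundle named by CURL_CA_BUNDLE to libcurl explicitly through CURLOPT_CAINFO. The function names, the `HAVE_LIBCURL` build macro and the fallback path are assumptions made for the illustration.

```c
/* Added example. Build with libcurl: cc -DHAVE_LIBCURL ca.c -lcurl */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_LIBCURL
#include <curl/curl.h>
#endif

/* Return 1 if path is a readable file holding at least one PEM certificate. */
static int bundle_usable(const char *path)
{
    char line[256];
    int found = 0;
    FILE *f = path ? fopen(path, "r") : NULL;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0;
    fclose(f);
    return found;
}

/* CURL_CA_BUNDLE wins when set; otherwise use the caller's fallback.
 * A set but unusable CURL_CA_BUNDLE yields NULL instead of a silent
 * fallback, so a misconfiguration fails loudly with verification on. */
const char *resolve_ca_bundle(const char *fallback)
{
    const char *env = getenv("CURL_CA_BUNDLE");
    if (env && *env)
        return bundle_usable(env) ? env : NULL;
    return bundle_usable(fallback) ? fallback : NULL;
}

#ifdef HAVE_LIBCURL
/* Keep peer and host verification enabled and give libcurl the bundle. */
CURLcode configure_tls(CURL *c, const char *fallback)
{
    const char *ca = resolve_ca_bundle(fallback);
    if (!ca) return CURLE_SSL_CACERT_BADFILE;
    curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L);
    return curl_easy_setopt(c, CURLOPT_CAINFO, ca);
}
#endif

int main(void)
{
    /* Assumed fallback path; substitute the bundle your system ships. */
    const char *ca = resolve_ca_bundle("/etc/ssl/certs/ca-bundle.crt");
    printf("CA bundle: %s\n", ca ? ca : "(none usable)");
    return ca ? 0 : 1;
}
```
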