libcurl + (NSS or openssl)

Steve Grubb sgrubb at redhat.com
Thu Oct 9 14:24:20 UTC 2008


On Wednesday 08 October 2008 18:34:40 Matt_Domsch at dell.com wrote:
> First, libcurl being built against nss.  Nss does not provide some
> functions which are necessary for NTLM authentication to succeed.  
> has defeatured the 'curl' application, rendering it useless in
> environments where users are behind an NTLM-authenticating proxy.  This
> bites me personally every day.  Yes, NTLM is based on MD4 which is
> insecure. Nevertheless, choice of corporate proxy servers is often
> beyond the reach of even the most senior Linux developers (aside from
> changing jobs...)

This appears to be bug:
https://bugzilla.redhat.com/show_bug.cgi?id=258481
or
https://bugzilla.redhat.com/show_bug.cgi?id=263241

I think that more effort needs to be put on these.


> Second, libcurl being built against nss.  OpenWSMAN has an eventing
> capability, but this uses libcurl, which in turn would use a feature of
> openssl. 

Which feature?

> But as libcurl is not built against openssl, the eventing capability at this
> point must be disabled in OpenWSMAN.  This capability will be important to
> the sblim-* systems management software stack which implements DMTF open
> standards.  I need to investigate further what the source of the problem
> here is. 

Yes, and please file a bug.


> Arguably, one should discover the missing functionality from nss, and
> re-implement it so as to enable these functions.  However, as these
> functions do work if linked against openssl, I would prefer to see the
> expedient approach of linking libcurl against openssl again, and only
> release with it linked against nss once it is at feature parity for the
> functions used by software within Fedora.

If we didn't do this, you wouldn't have reported a problem and we wouldn't 
know something needs fixing. NSS has been accepted by LSB, so we need to 
press forward and make fixes. One could also say that openssl is not on 
feature parity with NSS, too.


> Can I ask that libcurl be rebuilt against openssl instead of nss for the
> time being?

I think we should identify what's broken and try to fix it.

Thanks,
-Steve



