Bug 743995 - net-misc/curl[nss]: 'WARNING: failed to load NSS PEM library libnsspem.so' with USE="nss openssl"
Status: RESOLVED DUPLICATE of bug 768912
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Anthony Basile
Reported: 2020-09-21 18:19 UTC by Sam James
Modified: 2021-02-08 16:20 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 18:19:53 UTC
Some users [0] are hitting problems involving NSS:
> $ curl https://github.com -v 
> *   Trying 13.236.229.21:443... 
> * Connected to github.com (13.236.229.21) port 443 (#0) 
> * Initializing NSS with certpath: none 
> * WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work. 
> *   CAfile: /etc/ssl/certs/ca-certificates.crt 
>   CApath: /etc/ssl/certs
> * Closing connection 0
> curl: (77) Problem with the SSL CA cert (path? access rights?)

Interestingly, USE="nss -openssl" CURL_SSL="nss" seems to *not* trigger this problem, while USE="nss openssl" CURL_SSL="nss" fails as above unless dev-libs/nss-pem is installed.

I assume there's some pkcs12 support provided by openssl which ends up being used, but not sure.

The curl docs say:
> If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install p11-kit-nss-trust which makes NSS use the system wide CA certificate store.

[0] https://curl.haxx.se/docs/sslcerts.html

[0] Forum post: https://forums.gentoo.org/viewtopic-p-8498190.html#8498190
[1] https://curl.haxx.se/docs/sslcerts.html
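
The failure reported above can be told apart from other causes of exit status 77 by the NSS PEM warning in the verbose log. The shell functions below are an added example, not part of the original report or of curl; the function names and the searched library directories are assumptions.

```shell
#!/bin/sh
# Added example: triage the curl/NSS failure quoted in this report.

# classify_curl_log LOG EXIT_STATUS -> nss-pem-missing | ca-problem | other
classify_curl_log() {
    log=$1 status=$2
    if [ "$status" -ne 77 ]; then
        echo other                  # 77 is the exit status shown in the report
    elif printf '%s\n' "$log" |
         grep -q 'failed to load NSS PEM library libnsspem\.so'; then
        echo nss-pem-missing        # NSS could not read the OpenSSL PEM bundle
    else
        echo ca-problem             # same exit status, different cause
    fi
}

# find_nsspem DIR... -> path of the first libnsspem.so found, status 1 if none
find_nsspem() {
    for dir in "$@"; do
        if [ -e "$dir/libnsspem.so" ]; then
            printf '%s\n' "$dir/libnsspem.so"
            return 0
        fi
    done
    return 1
}

# advise LOG EXIT_STATUS DIR... -> one-line recommendation
advise() {
    verdict=$(classify_curl_log "$1" "$2"); shift 2
    case $verdict in
        nss-pem-missing)
            if module=$(find_nsspem "$@"); then
                echo "libnsspem.so is present at $module but NSS did not load it"
            else
                echo "install dev-libs/nss-pem: libnsspem.so not found"
            fi ;;
        ca-problem) echo "exit 77 without the NSS PEM warning: check CAfile and CApath" ;;
        *) echo "not the failure from this report" ;;
    esac
}

# Sample input: lines copied from the verbose output quoted in the report.
SAMPLE_LOG='* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
curl: (77) Problem with the SSL CA cert (path? access rights?)'

# /usr/lib64 and /usr/lib are assumed module locations, not taken from the report.
advise "$SAMPLE_LOG" 77 /usr/lib64 /usr/lib
```

To use it on a live system, capture `curl -v` stderr and `$?` and pass them to `advise` along with the directories where NSS modules are installed.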
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 18:21:24 UTC
Note also that some deps like net-libs/liboauth are depending on CURL_SSL="nss" but they should be depending on USE=nss instead, as CURL_SSL just controls the default provider now.
Comment 2 Anthony Basile gentoo-dev 2021-02-08 16:20:46 UTC

*** This bug has been marked as a duplicate of bug 768912 ***