Bug 380119 - net-misc/curl-7.21.7-r2[nss] and dev-libs/nss-3.12.10: WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
Summary: net-misc/curl-7.21.7-r2[nss] and dev-libs/nss-3.12.10: WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: Normal normal (2 votes)
Assignee: Anthony Basile
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 387511
Reported: 2011-08-21 17:32 UTC by Martin von Gagern
Modified: 2012-06-01 12:47 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info for curl (net-misc:curl-7.21.7-r2.emerge--info,6.76 KB, text/plain)
2011-08-21 17:32 UTC, Martin von Gagern
Include pem-nss patch V5 into dev-libs/nss ebuild (gentoo380119a.patch,1.75 KB, patch)
2011-10-03 20:10 UTC, Martin von Gagern
Description Martin von Gagern 2011-08-21 17:32:12 UTC
Created attachment 284131 [details]
emerge --info for curl

Using curl to load a page over HTTPS will fail because curl cannot load PEM files for lack of a libnsspem.so.

$ curl -vo /dev/null https://bugs.gentoo.org/
* About to connect() to bugs.gentoo.org port 443 (#0)
*   Trying 94.100.119.165...   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0connected
* Connected to bugs.gentoo.org (94.100.119.165) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with given CA certificates
curl: (60) Peer certificate cannot be authenticated with given CA certificates
[...]

$ qlist -e nss | grep -F .so | grep -v /debug/ | sort
/usr/lib64/libfreebl3.so
/usr/lib64/libfreebl3.so.12
/usr/lib64/libnss3.so
/usr/lib64/libnss3.so.12
/usr/lib64/libnssckbi.so
/usr/lib64/libnssckbi.so.12
/usr/lib64/libnssdbm3.so
/usr/lib64/libnssdbm3.so.12
/usr/lib64/libnsssysinit.so
/usr/lib64/libnsssysinit.so.12
/usr/lib64/libnssutil3.so
/usr/lib64/libnssutil3.so.12
/usr/lib64/libsmime3.so
/usr/lib64/libsmime3.so.12
/usr/lib64/libsoftokn3.so
/usr/lib64/libsoftokn3.so.12
/usr/lib64/libssl3.so
/usr/lib64/libssl3.so.12

Also affects dev-vcs/bzr selftests: https://bugs.launchpad.net/bzr/+bug/829333
Comment 1 Martin von Gagern 2011-09-17 16:54:09 UTC
It appears to me that libnsspem.so is a library available mostly on RedHat and Fedora. One can obtain its sources from a suitable fedora nss source rpm, e.g. http://download.fedora.redhat.com/pub/fedora/linux/updates/15/SRPMS/nss-3.12.10-6.fc15.src.rpm which contains a file called nss-pem-20101125.tar.bz2 among others. I don't know of any more official sources.

https://bugzilla.mozilla.org/show_bug.cgi?id=402712 asks for that module to be included in nss. The reporter of that bug, Rob Crittenden, appears to also be the main author of that module. A lengthy discussion follows, which I haven't read. The current state of affairs seems to be that there is a patch proposal, but mozilla devs aren't happy with it yet. Work is making slow progress, though.

As curl[ssl,nss] on Gentoo fails to open even a simple https connection from the command line, as described in comment #0, I'm not sure I would officially claim ssl support for it. So I see these solutions:

1. Add nss-pem to dev-libs/nss unconditionally.
   Then curl should imho depend on a recent nss version including nss-pem.
2. Add nss-pem to nss based on some USE flag.
   Then curl should imho depend on nss being built with that USE flag.
3. Add nss-pem as a separate package.
   Then curl should imho depend on that package as well as nss itself.
4. ewarn users that ssl support is limited when using nss as a backend.
5. Drop support for the nss backend, at least for now.

In case you pursue solution #5, there is the problem that thunderbird-bin currently depends on curl[nss]. I personally believe that to be an error, and asked for clarification in bug #380135. Unfortunately, neither that reply nor personal conversations with the maintainer could really make things completely clear so far. My current understanding is that thunderbird-bin uses curl in its crash reporter, and requires ssl support to make it talk to mozilla servers. I still don't see why that should require USE=nss instead of simply USE=ssl.
Comment 2 Benedikt Reinartz 2011-09-18 04:39:18 UTC
This also affects git and in fact every other program that depends on curl with ssl support, so it should be repaired soon.
Comment 3 Martin von Gagern 2011-10-03 20:10:57 UTC
Created attachment 288715 [details, diff]
Include pem-nss patch V5 into dev-libs/nss ebuild

This adds a USE flag called "pem" to the nss ebuild, applying the patch as it has been proposed upstream (named "Patch V5") and rejected there.
https://bug402712.bugzilla.mozilla.org/attachment.cgi?id=547097

Note however that this isn't enough to resolve this problem completely: the command from comment #0 will cause a segmentation fault.

Program received signal SIGSEGV, Segmentation fault.
in pem_mdInstance_GetSlots (mdInstance=0x7ffff486b6e0, 
    fwInstance=<optimized out>, slots=0x642db8) at pinst.c:751
751             slots[i] = pem_slots[i];
(gdb) p pem_slots
$1 = (NSSCKMDSlot **) 0x0
(gdb) bt
#0  0x00007ffff463b183 in pem_mdInstance_GetSlots (mdInstance=0x7ffff486b6e0, 
    fwInstance=<optimized out>, slots=0x642db8) at pinst.c:751
#1  0x00007ffff463f7e0 in nssCKFWInstance_Create (pInitArgs=0x7ffff64ba6c0, 
    LockingState=MultiThreaded, mdInstance=0x7ffff486b6e0, 
    pError=0x7fffffffc0b8) at instance.c:313
#2  0x00007ffff46450d5 in NSSCKFWC_Initialize (pFwInstance=0x7ffff486c530, 
    mdInstance=<optimized out>, pInitArgs=<optimized out>) at wrap.c:205
#3  0x00007ffff61cb4d0 in secmod_ModuleInit (mod=0x6421d0, 
    reload=0x7fffffffc250, alreadyLoaded=0x7fffffffc1fc) at pk11load.c:252
#4  0x00007ffff61cbb06 in secmod_LoadPKCS11Module (mod=0x6421d0, 
    oldModule=0x7fffffffc250) at pk11load.c:492
#5  0x00007ffff61d82f5 in SECMOD_LoadModule (
    modulespec=0x642040 "library=libnsspem.so name=PEM", parent=0x0, recurse=0)
    at pk11pars.c:1121
#6  0x00007ffff61d8549 in SECMOD_LoadUserModule (modulespec=<optimized out>, 
    parent=<optimized out>, recurse=<optimized out>) at pk11pars.c:1209
#7  0x00007ffff7d92687 in Curl_nss_connect (conn=0x62ccd0, sockindex=0)
    at nss.c:1214

So for some reason, the pem_slots variable isn't initialized. Haven't investigated this any further, just wanted to let you know that options 1 and 2 from the list in comment #1 probably aren't as easy as they sound.
Comment 4 Aaron D Borden 2011-11-06 02:09:48 UTC
I see the same behavior in dev-libs/nss-3.12.11-r1
I would try to revert to 3.12.9, but firefox would have to be reverted to 3.6 :/


Portage 2.1.10.11 (default/linux/amd64/10.0/desktop/gnome, gcc-4.4.5, glibc-2.12.2-r0, 2.6.39-gentoo-r3 x86_64)
=================================================================
System uname: Linux-2.6.39-gentoo-r3-x86_64-AMD_Phenom-tm-_II_X4_965_Processor-with-gentoo-2.0.3
Timestamp of tree: Sat, 05 Nov 2011 10:00:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.4.5, 4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo gnome
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=k8 -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=k8 -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_US en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/gnome"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi alsa amd64 avahi bluetooth branding bzip2 cairo caps cdda cdr cjk cli colord consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emboss encode evo exif fam fbcon firefox flac fortran fts3 gdbm gdu gif gnome gnome-keyring gpm gstreamer gtk hal iconv ipv6 jpeg lcms ldap libnotify lm_sensors mad mmx mmxext mng modules mono mp3 mp4 mpeg mudflap multilib nautilus ncurses nls nptl nptlonly ogg opengl openmp pam pango pcre pdf png policykit ppds pppd pulseaudio readline samba sdl session spell sqlite sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype udev unicode usb vorbis x264 xcb xinerama xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="canon" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses 
text" LINGUAS="en_US en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Martin von Gagern 2011-11-06 02:42:03 UTC
(In reply to comment #4)
> I see the same behavior in dev-libs/nss-3.12.11-r1

Could some maintainer please at least change this bug report to CONFIRMED?
It's been encountered by several people, and really easy to reproduce.

> I would try to revert to 3.12.9, but firefox would have to be reverted to 3.6

Afaik, no Gentoo version of curl really worked with nss. So downgrading isn't going to solve this issue here. I might be wrong, but I cannot imagine how. The version in the summary is only the one I've been using when I filed this bug, but very likely not the one to first introduce this bug. Your best bet is changing the ssl backend for curl to something other than nss.
Comment 6 Martin von Gagern 2011-12-01 17:11:26 UTC
(In reply to comment #1)
> In case you pursue solution #5, there is the problem that thunderbird-bin
> currently depends on curl[nss] [...] bug #380135.

Note that Jory A. Pratt fixed thunderbird-bin starting at 8.0:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/mail-client/thunderbird-bin/thunderbird-bin-8.0.ebuild?r1=1.1&r2=1.2

There are other packages depending on curl[nss], like net-libs/liboauth, but there the dependency is based on other USE flags, so there are configurations available which don't require curl being built against nss.

So seeing duplicates and possible duplicates pouring in (bug #387511, bug #389441), it would be really really nice if we could implement one of the options outlined in comment #1. Dropping the nss keyword for now would be easiest, and we could still re-add it later on when and if there is some decent PEM support.
Comment 7 Jory A. Pratt gentoo-dev 2012-03-25 03:44:06 UTC
* About to connect() to bugs.gentoo.org port 443 (#0)
*   Trying 94.100.119.170...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
* Connected to bugs.gentoo.org (94.100.119.170) port 443 (#0)
* Initializing NSS with certpath: none
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=bugs.gentoo.org,OU=Gentoo Infrastructure,O="GENTOO Foundation, Inc.",L=Albuquerque,ST=New Mexico,C=US
* 	start date: Jun 20 01:43:02 2011 GMT
* 	expire date: Jun 19 01:43:02 2013 GMT
* 	common name: bugs.gentoo.org
* 	issuer: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
> GET / HTTP/1.1
> User-Agent: curl/7.25.0 (x86_64-pc-linux-gnu) libcurl/7.25.0 NSS/3.13.3.0 zlib/1.2.6
> Host: bugs.gentoo.org
> Accept: */*
> 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< Date: Sun, 25 Mar 2012 03:42:32 GMT
< Server: Apache
< X-frame-options: SAMEORIGIN
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< 
{ [data not shown]
100 16293    0 16293    0     0  15179      0 --:--:--  0:00:01 --:--:-- 22660
* Connection #0 to host bugs.gentoo.org left intact
* Closing connection #0

Support is in the mozilla overlay. Until I get more testing and feedback it will not be merged to the tree. Please feel free to test and let us know your mileage.
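The two `curl -v` transcripts in this report (the failing one in comment #0 and the working one in comment #7) differ in a handful of stderr lines: the libnsspem.so warning, the "untrusted issuer" line, the NSS error code and the curl exit code on one side, the negotiated cipher and the server certificate issuer on the other. The checker below, an added example that is not part of the bug report, of curl or of nss, parses such a transcript and says whether the handshake actually verified the peer or silently fell back to a failure. The NSS error names for -8172 and -8179 are taken from NSS's secerr.h; the regexes and the abbreviated transcripts embedded for testing are this example's own constructions, trimmed from the output quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines curl's NSS backend writes to stderr under -v (patterns are this example's own).
PEM_WARNING = re.compile(r"WARNING: failed to load NSS PEM library (\S+)\.")
UNTRUSTED_ISSUER = re.compile(r"Certificate is signed by an untrusted issuer: '([^']*)'")
NSS_ERROR = re.compile(r"NSS error (-?\d+)")
CURL_EXIT = re.compile(r"^curl: \((\d+)\)")
CAFILE = re.compile(r"CAfile: (\S+)")
CIPHER = re.compile(r"SSL connection using (\S+)")
CERT_ISSUER = re.compile(r"^\*\s+issuer: (.*)$")

# NSS error codes relevant to CA trust problems (values from NSS secerr.h).
NSS_ERROR_NAMES = {-8172: "SEC_ERROR_UNTRUSTED_ISSUER", -8179: "SEC_ERROR_UNKNOWN_ISSUER"}


@dataclass
class TlsCheck:
    pem_library_missing: bool = False
    pem_library: Optional[str] = None
    cafile: Optional[str] = None
    untrusted_issuer: Optional[str] = None
    nss_error: Optional[int] = None
    curl_exit: Optional[int] = None
    cipher: Optional[str] = None
    issuer: Optional[str] = None

    @property
    def verified(self) -> bool:
        # A cipher line means the handshake completed; any error line means curl gave up.
        return self.cipher is not None and self.curl_exit is None and self.nss_error is None


def classify_curl_tls(transcript: str) -> TlsCheck:
    """Extract the trust-relevant facts from a `curl -v` stderr transcript."""
    result = TlsCheck()
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := PEM_WARNING.search(line):
            result.pem_library_missing, result.pem_library = True, m.group(1)
        elif m := UNTRUSTED_ISSUER.search(line):
            result.untrusted_issuer = m.group(1)
        elif m := NSS_ERROR.search(line):
            result.nss_error = int(m.group(1))
        elif m := CURL_EXIT.match(line):
            result.curl_exit = int(m.group(1))
        elif m := CAFILE.search(line):
            result.cafile = m.group(1)
        elif m := CIPHER.search(line):
            result.cipher = m.group(1)
        elif m := CERT_ISSUER.match(line):
            result.issuer = m.group(1).strip()
    return result


def summarize(check: TlsCheck) -> str:
    """One-line verdict suitable for a build log or a monitoring check."""
    if check.verified:
        return f"OK: handshake completed with {check.cipher}; server cert issuer: {check.issuer}"
    reasons = []
    if check.pem_library_missing:
        reasons.append(f"NSS PEM module {check.pem_library} not loaded, so the PEM CA bundle "
                       f"{check.cafile or '(unknown)'} cannot be read")
    if check.untrusted_issuer:
        reasons.append(f"issuer not trusted: {check.untrusted_issuer}")
    if check.nss_error is not None:
        reasons.append(f"NSS error {check.nss_error} "
                       f"({NSS_ERROR_NAMES.get(check.nss_error, 'unknown code')})")
    if check.curl_exit is not None:
        reasons.append(f"curl exit {check.curl_exit}")
    return ("FAIL: " + "; ".join(reasons)) if reasons else "FAIL: no TLS handshake observed"


# Abbreviated copies of the two transcripts quoted in the report, used as sample input.
FAILING_TRANSCRIPT = """\
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.'
* NSS error -8172
* Closing connection #0
curl: (60) Peer certificate cannot be authenticated with given CA certificates
"""

WORKING_TRANSCRIPT = """\
* Initializing NSS with certpath: none
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=bugs.gentoo.org,OU=Gentoo Infrastructure,O="GENTOO Foundation, Inc.",L=Albuquerque,ST=New Mexico,C=US
*   issuer: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
< HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    for name, text in (("comment #0", FAILING_TRANSCRIPT), ("comment #7", WORKING_TRANSCRIPT)):
        print(f"{name}: {summarize(classify_curl_tls(text))}")
```

In practice the transcript comes from `curl -sv https://host/ 2>&1 >/dev/null`; the point of the check is that the failing run still reaches the server and only fails at certificate verification, so a test that merely looks for a TCP connection or an HTTP status would miss a curl[nss] build whose CA bundle is unusable.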
Comment 8 Martin von Gagern 2012-03-25 11:11:05 UTC
(In reply to comment #7)
> Support is in the mozilla overlay,

It took me a while to notice that http://overlays.gentoo.org/proj/mozilla/ is outdated. Layman has the link to the current git overlay, browsable at
http://git.overlays.gentoo.org/gitweb/?p=proj/mozilla.git

> Until I get more testing and feedback it will not be merged to the tree.
> Please feel free to test and let us know your mileage.

I don't intend to activate that whole overlay just to give nss+pem some more testing. Could you call epatch_user in the ebuild prepare phase? Then I'd be willing to drop http://dev.gentoo.org/~anarchy/patches/nss-3.13.3_pem.support into my builds.

By the way, where does this patch come from, how does it relate to those attached to the upstream report? Have some of the concerns voiced by upstream reviewers been addressed?
Comment 9 Jory A. Pratt gentoo-dev 2012-06-01 12:47:17 UTC
nss-3.13.4 is stable for the majority of archs which includes pem support.