Building libcurl with nss support - libcurl

I built the 64-bit version of nss and am trying to use it to build the curl library using the --without-ssl and --with-nss=NSS_ROOT options.
During the configure stage, I see the following:
checking for PK11_CreateGenericObject in -lnss3... no
checking for NSS_Initialize in -lnss3... no
checking for ssl_version in -laxtls... no
configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss or --with-axtls to address this.
and finally libcurl is built without HTTPS support.
curl version: 7.25.0
Host setup: x86_64-unknown-linux-gnu
Install prefix: /usr/local
Compiler: gcc
SSL support: no (--with-{ssl,gnutls,nss,polarssl,cyassl,axtls} )
SSH support: no (--with-libssh2)
zlib support: enabled
krb4 support: no (--with-krb4*)
GSSAPI support: no (--with-gssapi)
SPNEGO support: no (--with-spnego)
TLS-SRP support: no (--enable-tls-srp)
resolver: default (--enable-ares / --enable-threaded-resolver)
ipv6 support: no (--enable-ipv6)
IDN support: no (--with-libidn)
Build libcurl: Shared=yes, Static=yes
Built-in manual: enabled
--libcurl option: enabled (--disable-libcurl-option)
Verbose errors: enabled (--disable-verbose)
SSPI support: no (--enable-sspi)
ca cert bundle: no
ca cert path: no
LDAP support: enabled (OpenLDAP)
LDAPS support: enabled
RTSP support: enabled
RTMP support: no (--with-librtmp)
Protocols: DICT FILE FTP GOPHER HTTP IMAP LDAP LDAPS POP3 RTSP SMTP TELNET TFTP
Can somebody tell me how to resolve this?

Had to set LD_LIBRARY_PATH to
nss-3.12.6/mozilla/dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/lib
to make it work.
Thanks,
Raj

Related

libcurl HTTPS enabled but not usable

For our project we build libcurl from scratch via CMake. The libcurl-configure-out.log tells me it enabled HTTPS (among others); here's the important part about that:
-- Enabled features: SSL IPv6 unixsockets AsynchDNS Largefile alt-svc HSTS NTLM HTTPS-proxy
-- Enabled protocols: DICT FILE FTP FTPS GOPHER GOPHERS HTTP HTTPS IMAP IMAPS LDAP MQTT POP3 POP3S RTSP SCP SFTP SMB SMBS SMTP SMTPS TELNET TFTP
-- Enabled SSL backends: OpenSSL
But when I try to set a TLS version in our code, it says "CURLE_NOT_BUILT_IN"
const CURLcode state = curl_easy_setopt(this->m_curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
// state == 4 aka "CURLE_NOT_BUILT_IN"
I also tried to verify via the curl executable, which kind of gives me the same impression:
C:<snip>\build\ex_libcurl-prefix\src\ex_libcurl-build\src\Debug>curl.exe --version
curl 7.80.0 (Windows) libcurl/7.80.0 libssh2/1.10.0
Release-Date: 2021-12-10
Protocols: dict file ftp gopher http imap ldap mqtt pop3 rtsp scp sftp smb smtp telnet tftp
Features: AsynchDNS HSTS IPv6 Largefile NTLM UnixSockets alt-svc
Where did I go wrong?
Edit: Some more parts about SSL being enabled:
-- Found OpenSSL: optimized;C:/Program Files/OpenSSL-Win64/lib/VC/libcrypto64MD.lib;debug;C:/Program Files/OpenSSL-Win64/lib/VC/libcrypto64MDd.lib (found version "3.0.0")
-- Looking for openssl/crypto.h
-- Looking for openssl/crypto.h - found
-- Looking for cldap_open in wldap32;winmm;ws2_32;OpenSSL::SSL;OpenSSL::Crypto
-- Looking for cldap_open in wldap32;winmm;ws2_32;OpenSSL::SSL;OpenSSL::Crypto - found

Protocol https not supported or disabled in libcurl in Redhat Linux 8

I have a C++ application which is using curl version 7.61.1.
While trying to connect to a device using SSL I get this error:
"Protocol https not supported or disabled in libcurl"
although the default curl version installed in RHEL 8 supports https:
curl --version
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 brotli/1.0.6 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.3/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
Please suggest how to configure/use curl with SSL in Red Hat Linux 8.
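The three posts above (the NSS build, the CMake build on Windows, and the RHEL 8 application) all come down to one question: does the libcurl that is actually loaded have a TLS backend? The script below is an added example, not code from any of the posts. It parses `curl --version` output for the https protocol, the SSL feature and the backend name; the two sample transcripts are copied from the posts above and embedded so it runs offline. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: decide from `curl --version` output whether this build can
# speak HTTPS, and which TLS backend it was linked against.

# Print the TLS backend token from the first line of `curl --version`
# (e.g. "OpenSSL/1.1.1", "NSS/3.12.6"), or nothing if there is none.
curl_tls_backend() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' \
        | grep -E '^(OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|mbedTLS|wolfSSL|Schannel|SecureTransport|rustls)(/|$)' \
        | head -n 1
}

# Return 0 when "https" is listed under Protocols and "SSL" under Features,
# which is what an application needs before CURLOPT_SSLVERSION or an
# https:// URL can work; return 1 otherwise.
curl_has_https() {
    ver="$1"
    protos=$(printf '%s\n' "$ver" | awk 'tolower($1)=="protocols:" {$1=""; print tolower($0)}')
    feats=$(printf '%s\n' "$ver" | awk '$1=="Features:" {$1=""; print}')
    case " $protos " in *" https "*) ;; *) return 1 ;; esac
    case " $feats "  in *" SSL "*)   ;; *) return 1 ;; esac
    return 0
}

# One-line verdict for whatever curl is first on PATH.
check_installed_curl() {
    ver=$(curl --version 2>/dev/null) || { echo "curl not found on PATH"; return 2; }
    if curl_has_https "$ver"; then
        echo "HTTPS available, backend: $(curl_tls_backend "$ver")"
    else
        echo "HTTPS NOT available: rebuild libcurl against a TLS backend (--with-ssl or --with-nss)"
        return 1
    fi
}

# Constructed inputs, copied from the posts above, for stand-alone runs.
RHEL8_VERSION='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 brotli/1.0.6 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.3/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink'

WIN_NOSSL_VERSION='curl 7.80.0 (Windows) libcurl/7.80.0 libssh2/1.10.0
Release-Date: 2021-12-10
Protocols: dict file ftp gopher http imap ldap mqtt pop3 rtsp scp sftp smb smtp telnet tftp
Features: AsynchDNS HSTS IPv6 Largefile NTLM UnixSockets alt-svc'

for sample in "$RHEL8_VERSION" "$WIN_NOSSL_VERSION"; do
    if curl_has_https "$sample"; then
        echo "sample: HTTPS ok ($(curl_tls_backend "$sample"))"
    else
        echo "sample: no HTTPS"
    fi
done
```

If the system curl passes this check but an application still reports "Protocol https not supported or disabled in libcurl", the application is loading a different libcurl than the command-line tool; `ldd ./your-app | grep libcurl` shows which one, and `curl-config --protocols` run from that library's prefix gives the same answer as the Protocols line above.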

How to switch from docker-toolbox curl to the curl defined in windows path

I am installing the platform-specific binaries for Hyperledger, but have a problem, since I have a Windows device and am using the docker-toolbox quickstart terminal.
The curl version installed on docker-toolbox is:
$ curl --version
curl 7.49.1 (x86_64-w64-mingw32) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.8 libidn/1.32 libssh2/1.7.0 nghttp2/1.11.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 Metalink
I installed curl version 7.56 on my Windows machine and added it to the PATH. When I open the Windows default terminal, the version is 7.56.
How can I change the docker-quickstart curl to use my windows curl?
Reopening the quickstart terminal
I tried restarting the VM
Using sudo apt-get install curl inside the VM terminal, but it appears that there is no apt-get installed on the VM
Any ideas? The solution for the related question is insufficient; I want to have the latest curl.
You will need to install the newer version of curl from the docker-toolbox quickstart terminal window.
Create a file named .bash_profile in your home directory (C:\Users\<username>) with this line of command:
PATH=/c/your/curl/path/bin:$PATH
If the same binary exists in several PATH directories, the one in the leftmost entry of the PATH variable will be executed.
MinGW-w64 (used by Docker QuickStart Terminal) prepends its own path to the PATH variable when starting up, so its path ends up in the leftmost position. Therefore MinGW-w64's curl is executed instead of the one you originally defined in the PATH variable.
The .bash_profile file is executed when MinGW-w64 (Docker QuickStart Terminal) starts, so you can add the above command to that file to prepend to the PATH variable.
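The answer above relies on PATH being searched left to right. The following is an added example (not from the answer) of a .bash_profile helper that prepends a directory while removing earlier copies of it, so that re-sourcing the file does not keep growing PATH, plus a check of which curl the shell will now resolve. The function names are my own.

```shell
#!/bin/sh
# Added example: put a directory at the front of PATH without creating
# duplicate entries, and check which curl the shell will now run.

# Prepend DIR to PATH, dropping any earlier copies of DIR so that repeated
# sourcing of .bash_profile does not keep growing PATH. Empty entries (which
# the shell treats as "current directory") are dropped as well.
prepend_path() {
    dir="$1"
    rest=""
    old_ifs=$IFS
    IFS=':'
    for p in $PATH; do
        [ -z "$p" ] && continue
        [ "$p" = "$dir" ] && continue
        rest="$rest:$p"
    done
    IFS=$old_ifs
    PATH="$dir$rest"
    export PATH
    hash -r 2>/dev/null || true   # forget lookups cached under the old PATH
}

# Print the curl that the current PATH resolves to (empty if none).
resolve_curl() {
    command -v curl || true
}

# Stand-alone demo: the path below is a placeholder, as in the answer above.
prepend_path /c/your/curl/path/bin
echo "PATH now starts with: ${PATH%%:*}"
echo "curl resolves to: $(resolve_curl)"
```

Put the `prepend_path /c/your/curl/path/bin` line in .bash_profile in place of the bare `PATH=...` assignment; `resolve_curl` (or `command -v curl`) then shows whether the Windows curl or the MinGW-w64 one wins.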

How to disable the dtls stuff in OpenSSL 1.0.2k?

I am trying to configure OpenSSL 1.0.2k for Windows.
According to https://wiki.openssl.org/index.php/Compilation_and_Installation, I can use
perl Configure VC-WIN32 no-asm no-dtls
But it shows me an "unknown dtls command" error.
Can anyone please help me with how to disable DTLS in the OpenSSL 1.0.2 branch?
The option you want in OpenSSL 1.0.2 is no-dtls1 (OpenSSL 1.1.0 has slightly different options in this area).
There is a bug for this option, so you will still see the "unknown option - no-dtls1" message appear. However, this is spurious. You can safely continue to build. You can confirm that DTLS has successfully been disabled by attempting to use it in s_server. It should complain because it doesn't understand the -dtls option:
cd out32dll
openssl s_server -dtls
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-verify_hostname host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
...
EDIT:
Note that a fix for the spurious "unknown option - no-dtls1" warning message has been committed to the OpenSSL git repo here:
https://github.com/openssl/openssl/commit/1c5ebcd87822c2af4b8fdc23fa8b9a7201fb7097
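As an added check that is not part of the answer above: `no-dtls1` on the 1.0.2 branch (and `no-dtls` on 1.1.0) is recorded in the generated opensslconf.h as an `OPENSSL_NO_DTLS1` / `OPENSSL_NO_DTLS` define, so the header can be inspected directly, independent of which command-line options a given branch's s_server app recognizes. The script below is my own; the header path is an argument because its location differs between the 1.0.2 tree (crypto/opensslconf.h right after Configure) and an installed copy (include/openssl/opensslconf.h).

```shell
#!/bin/sh
# Added example: confirm from the generated header whether DTLS was compiled
# out, instead of relying on an s_server command-line probe.

# Return 0 if the given opensslconf.h defines OPENSSL_NO_DTLS1 (what
# 1.0.2's no-dtls1 emits) or OPENSSL_NO_DTLS (1.1.0's no-dtls); 1 otherwise.
# OPENSSL_NO_DTLS1_2 alone does not count: that only drops DTLS 1.2.
dtls_disabled_in_conf() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_DTLS1?([^A-Za-z0-9_]|$)' "$1"
}

# Human-readable verdict for one header; exit status mirrors the check.
report_dtls() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "no such header: $conf"
        return 2
    fi
    if dtls_disabled_in_conf "$conf"; then
        echo "DTLS disabled in $conf"
    else
        echo "DTLS still enabled in $conf"
        return 1
    fi
}

# Stand-alone demo on a constructed header fragment, shaped like the
# ifndef/define/endif blocks Configure writes for each no-* option.
demo=$(mktemp)
printf '#ifndef OPENSSL_NO_DTLS1\n# define OPENSSL_NO_DTLS1\n#endif\n' > "$demo"
report_dtls "$demo"
rm -f "$demo"
```

Run it as `report_dtls crypto/opensslconf.h` from the configured 1.0.2 tree; a build that still has DTLS will also export `DTLSv1_method` from the library, which `nm -D libssl.so | grep DTLSv1_method` (or `dumpbin /exports` on Windows) shows.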

Does Tomcat support TLS v1.2?

I want to know if Apache Tomcat supports TLS v1.2 protocol. I didn't find any documentation about this! Thanks!
I have a similar use case, which is to enable Tomcat 7 to strictly use only TLSv1.2, not to fall back to earlier SSL protocols such as TLSv1.1 or SSLv3. The following steps will answer how to enable Tomcat to support TLSv1.2.
I am using: C:\apache-tomcat-7.0.64-64bit and C:\Java64\jdk1.8.0_60.
Following these instructions: https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, SSL support is relatively simple to set up in Tomcat.
From many references I tested many combinations, and finally I found one that forces Tomcat 7 to accept TLSv1.2 only. Two places need to be touched:
1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="ssl/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
where
keystoreFile = local self-signed trust store
org.apache.coyote.http11.Http11Protocol = JSSE BIO implementation.
We don't use org.apache.coyote.http11.Http11AprProtocol, because it is powered by openssl. The underlying openssl will fall back to support earlier SSL protocols.
2) When starting up Tomcat, set the following environment variables.
set JAVA_HOME=C:\Java64\jdk1.8.0_60
set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin
set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit
set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2"
The JAVA_OPTS restriction is required, otherwise Tomcat (which is powered by Java 8) will fall back to support earlier SSL protocols.
Start up Tomcat: C:\apache-tomcat-7.0.64-64bit\bin\startup.bat
We can see JAVA_OPTS appear in the Tomcat startup log.
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dhttps.protocols=TLSv1.2
Then we can use the openssl command to verify our setup. First, connect to localhost:8443 with the TLSv1.1 protocol. Tomcat refuses to reply with a server certificate.
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1
Loading 'screen' into random state - done
CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
Connect to localhost:8443 with the TLSv1.2 protocol; Tomcat replies with a ServerHello and its certificate:
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2367 bytes and written 443 bytes
This proves that Tomcat now strictly responds to TLSv1.2 requests only.
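The answer above verifies the connector by hand with two s_client runs. The script below is an added example, not part of the answer, that does the same probe for every protocol-version flag and then checks that only TLSv1.2 was accepted, which is the expectation for a connector with sslEnabledProtocols="TLSv1.2". The transcript classifier is exercised on the two s_client outputs quoted above (trimmed, with a placeholder certificate body); the live probe needs network access and a real host:port. Function names are my own.

```shell
#!/bin/sh
# Added example: probe which protocol versions a TLS server accepts with
# openssl s_client, the way the answer above does, but for every version.

# Classify an `openssl s_client` transcript: 0 if the handshake completed and
# the server sent its certificate, 1 if the server rejected that version.
s_client_handshake_ok() {
    case "$1" in
        *"no peer certificate available"*) return 1 ;;
        *"-----BEGIN CERTIFICATE-----"*)   return 0 ;;
        *)                                 return 1 ;;
    esac
}

# Probe host:port with each version flag. A flag the local openssl build does
# not understand (e.g. -ssl3 when SSLv3 is compiled out, or -tls1_3 on an
# old build) also shows up as "rejected"; read the raw output if in doubt.
probe_tls_versions() {
    host="$1"; port="$2"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 || true)
        if s_client_handshake_ok "$out"; then
            echo "$flag: accepted"
        else
            echo "$flag: rejected"
        fi
    done
}

# Hardened expectation for the connector above: exactly one accepted line,
# and it is -tls1_2. Takes the probe output; exit 0 when it matches.
only_tls12() {
    printf '%s\n' "$1" | awk '
        /accepted$/ && $1 != "-tls1_2:" { bad = 1 }
        /^-tls1_2: accepted$/           { seen = 1 }
        END { exit !(seen && !bad) }'
}

# Stand-alone demo against a constructed rejection transcript (copied from
# the TLSv1.1 attempt above) so the script runs without a server.
REJECTED_SAMPLE='CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---'
if s_client_handshake_ok "$REJECTED_SAMPLE"; then
    echo "sample: accepted"
else
    echo "sample: rejected (as expected for TLSv1.1 against this connector)"
fi
```

Usage against the running Tomcat: `result=$(probe_tls_versions localhost 8443); echo "$result"; only_tls12 "$result" && echo "only TLSv1.2 enabled"`. Note that the sslEnabledProtocols attribute on the connector is what restricts the server side; the -Djdk.tls.client.protocols and -Dhttps.protocols properties in JAVA_OPTS govern outbound connections made by the JVM as a client.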
TLS version 1.2 is supported by Oracle JDK version 7, in the JSSE implementation. As Tomcat uses JSSE as its underlying SSL library, it should be supported from JDK version 1.7 onwards. Also check your enabled SSL cipher suites in Tomcat.
If you are using Apache as a proxy, please check the Apache and underlying OpenSSL documentation.
Some links:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html (Java SE 7 Security Enhancements)
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
As mentioned by others, Tomcat supports TLSv1.2 via the JSSE in JDK 7+.
Tomcat does NOT support TLSv1.1 or TLSv1.2 when used with Tomcat Native (APR). See https://issues.apache.org/bugzilla/show_bug.cgi?id=53952.
Update: looks like TLSv1.2 will finally be supported in Tomcat Native 1.1.32 and Tomcat 8.0.15/7.0.57.
I was also looking to upgrade sslProtocol to TLSv1.1 and, as mentioned in the links below on Java6 and Java7:
Java6
http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html
Java7
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The SSLContext protocols supported in Java6 are SSL and TLSv1; in Java7, SSL, TLSv1, TLSv1.1 and TLSv1.2 are supported.
So, to enable TLSv1.1 or TLSv1.2 in Tomcat, just upgrade to Java7 and change the sslProtocol of the Connector in Tomcat's server.xml.