How can I ensure that curl uses openssl, and not nss?

血红的双手。 Submitted on 2019-12-07 08:44:29

Question


Is it possible to ensure by a configuration parameter, that curl uses OpenSSL, and not NSS to retrieve https content? I need to ensure this, in order to enforce compliance with FIPS140-2, which RHEL6.2 has certified.

I think that answer is "no".

So I'll ask the follow-up here as well... Can I recompile curl to ensure that it uses libssl and not libnss? I've tried:

./configure --with-ssl --without-nss

and I still end up with a curl binary that dynamically links against libnss3.so.

[root@fips curl-7.19.7]# ldd /usr/bin/curl 
        linux-vdso.so.1 =>  (0x00007fffacbe8000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f5d8fe03000)
        libidn.so.11 => /lib64/libidn.so.11 (0x00007f5d8fbd1000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f5d8f983000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f5d8f77b000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f5d8f537000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f5d8f250000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f5d8f024000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f5d8ee20000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f5d8ebc2000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f5d8e828000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f5d8e624000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x00007f5d8e3fb000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f5d8e1e5000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f5d8de52000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f5d8dc42000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f5d8da28000)
        libssl3.so => /usr/lib64/libssl3.so (0x00007f5d8d7f2000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x00007f5d8d5c5000)
--->    libnss3.so => /usr/lib64/libnss3.so (0x00007f5d8d28a000)
--->    libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f5d8d05f000)
        libplds4.so => /lib64/libplds4.so (0x00007f5d8ce5a000)
        libplc4.so => /lib64/libplc4.so (0x00007f5d8cc55000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f5d8ca18000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f5d8c7fd000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5d8c5e0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f5d90062000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f5d8c3d5000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f5d8c1d1000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f5d8bf99000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5d8bd7a000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f5d8bb18000)

Answer 1:


Try:

./configure --with-ssl=/usr/include --without-nss



Answer 2:


I had the same problem. However, if you go: ./configure --without-nss --with-ssl=/usr/lib64 it picks up the openssl library correctly and excludes nss. Some parts of libcurl will use nss (I don't know what) so ldd will report it linking with nss, but that was not the problem in my case. I checked the install directory in /usr/lib64 and it still had the old libcurl library there. My copy was installed into /usr/lib/local/. So when I removed the ones in /usr/lib64 and replaced them with all the newly generated files, it worked. So I guess you could configure with --libdir=/usr/lib64 but you must remove the old libraries. Then I did ldconfig to reload them.
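
A check for the situation the answers describe, as an added example that is not part of the original question or answers: it reads the TLS backend from the first line of `curl --version`, which is produced by the libcurl loaded at run time, and shows which libcurl.so path `ldd` resolves. The function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which TLS library a curl binary really uses.

# Constructed sample first lines of `curl --version` (version numbers invented).
SAMPLE_NSS='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3'
SAMPLE_OPENSSL='curl 7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.0 zlib/1.2.3'
# Excerpt of the ldd output shown in the question.
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fffacbe8000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f5d8fe03000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007f5d8d28a000)'

# Read `curl --version` on stdin; print the TLS backend named on line 1.
# Prints nothing if none of the three backends listed here is present.
tls_backend() {
    awk 'NR == 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(OpenSSL|NSS|GnuTLS)\//) {
                sub(/\/.*/, "", $i); print $i; exit
            }
    }'
}

# Read `ldd` output on stdin; print the path libcurl.so.* resolves to.
# A stale copy in /usr/lib64 shows up here even after a rebuild elsewhere.
resolved_libcurl() {
    awk '$1 ~ /^libcurl\.so/ && $2 == "=>" { print $3; exit }'
}

# Inspect a real binary: print the findings, succeed only for OpenSSL.
check_curl() {
    bin=$1
    backend=$("$bin" --version | tls_backend)
    lib=$(ldd "$bin" | resolved_libcurl)
    echo "$bin: backend=${backend:-unknown} libcurl=${lib:-not found}"
    [ "$backend" = "OpenSSL" ]
}

# Usage: sh check_curl.sh /usr/bin/curl   (no argument: define functions only)
if [ $# -gt 0 ]; then
    check_curl "$1"
fi
```

A non-zero exit status from `check_curl` means the binary is still loading a libcurl built against something other than OpenSSL, whatever the configure flags were.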



Source: https://stackoverflow.com/questions/16699868/how-can-i-ensure-that-curl-uses-openssl-and-not-nss
