Difference between revisions of "Funny Curly things"

From PDP/Grid Wiki
Line 32: Line 32:
 
  $ ./configure --with-ssl=/usr/include --without-nss
 
  $ ./configure --with-ssl=/usr/include --without-nss
 
  $ make
 
  $ make
 +
To verify that the right <tt>curl</tt>, and more importantly, <tt>libcurl.so</tt> were created I ran
 +
$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
 +
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0 zlib/1.2.5
 +
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
 +
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
  
 
==curl/NSS==
 
==curl/NSS==
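Review bot: the added verification sentence says the check covers <tt>libcurl.so</tt>, but it does not explain why <tt>LD_LIBRARY_PATH=lib/.libs</tt> is set. The first line of <tt>curl -V</tt> reports the libcurl that is loaded at run time, and without that variable <tt>src/.libs/curl</tt> would normally resolve libcurl from the system library path. One sentence saying so would make clear what the OpenSSL/1.0.0 token proves about the freshly built library.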
Line 39: Line 44:
 
  $ ./configure --with-nss --without-ssl
 
  $ ./configure --with-nss --without-ssl
 
  $ make
 
  $ make
 +
To verify that the right <tt>curl</tt>, and more importantly, <tt>libcurl.so</tt> were created I ran
 +
$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
 +
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 NSS/3.12.10.0 zlib/1.2.5
 +
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
 +
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
  
 
==curl/GnuTLS==
 
==curl/GnuTLS==
Line 44: Line 54:
 
  $ mv curl-7.22.0 curl-7.22.0-gnutls
 
  $ mv curl-7.22.0 curl-7.22.0-gnutls
 
  $ cd curl-7.22.0-gnutls
 
  $ cd curl-7.22.0-gnutls
  $ ./configure --with-gnutls=/usr/include --without-nss --without-ssl --disable-ntlm-wb
+
  $ ./configure --with-gnutls=/usr/include --without-nss --without-ssl
 
  $ make
 
  $ make
'''Note''': if I did not add <tt>--disable-ntlm-wb</tt> then the build failed in the linking phase
+
To verify that the right <tt>curl</tt>, and more importantly, <tt>libcurl.so</tt> were created I ran
 +
$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
 +
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 GnuTLS/2.8.6 zlib/1.2.5
 +
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
 +
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
  
 
==curl/PolarSSL==
 
==curl/PolarSSL==
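Review bot: the changed configure line still passes <tt>--with-gnutls=/usr/include</tt>, a header directory, where curl's configure documents the argument as the installation root (<tt>/usr</tt> here). The same applies to <tt>--with-ssl=/usr/include</tt> and <tt>--with-polarssl=/usr/include</tt> in the neighbouring sections. Since this edit touches the line anyway, correct the path or state that the library was in fact found through the default system search path.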
Line 52: Line 66:
 
  $ mv curl-7.22.0 curl-7.22.0-polarssl
 
  $ mv curl-7.22.0 curl-7.22.0-polarssl
 
  $ cd curl-7.22.0-polarssl
 
  $ cd curl-7.22.0-polarssl
  $ ./configure --with-polarssl=/usr/include --without-nss --without-ssl
+
  $ ./configure --with-polarssl=/usr/include --without-nss --without-ssl --disable-ntlm-wb
 
  $ make
 
  $ make
 +
'''Note''': if I did not add <tt>--disable-ntlm-wb</tt> then the build failed in the linking phase
  
 
+
To verify that the right <tt>curl</tt>, and more importantly, <tt>libcurl.so</tt> were created I ran
 +
$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
 +
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 PolarSSL zlib/1.2.5
 +
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
 +
Features: IPv6 Largefile SSL libz
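Review bot: the added <tt>curl -V</tt> output names the backend as bare "PolarSSL" with no version, so unlike the other three builds it does not show which PolarSSL was linked; recording the library version separately would close that gap. The Features line also lacks NTLM entirely, not only NTLM_WB, which the Note about <tt>--disable-ntlm-wb</tt> should mention.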
  
  

Revision as of 14:07, 21 September 2011

Introduction

The curl tool is sometimes very handy to query grid services. For example, you can use curl to query the status of grid jobs, and in theory you could even submit a grid job using curl.

Starting with Fedora 12, Red Hat changed the way curl is built by default. As Fedora 12 is the 'baseline' for Red Hat Enterprise Linux 6, this also affects the curl command in RHEL6, CentOS6 and Scientific Linux 6. In the past, curl was built and linked against the OpenSSL libraries. With Fedora 12+/RHEL6+, curl is built and linked against the NSS library. This has an impact on how you can use curl to query different grid services.

The problem is not limited to grid services: every site that requires a client-side certificate chain (that is, the client needs to present both a certificate and an intermediary key) is affected.

This page is the result of a comparison of the different SSL libraries that curl can be built against. The following SSL libraries were tested, using curl-7.22.0, which was the latest and greatest version of curl at the time of writing:

  • OpenSSL 1.0.0d
  • NSS 3.12.10
  • GnuTLS 2.8.6
  • PolarSSL 0.14.3

CA & sub-CA setup

- link to curl-ca tarball

Testing setup

- openssl s_server

Appendix: building curl

For completeness' sake this appendix lists how the different versions of curl were actually built.

All builds were done on a Fedora 14 x86_64 machine.

curl/OpenSSL

$ tar xzf curl-7.22.0.tar.gz
$ mv curl-7.22.0 curl-7.22.0-openssl
$ cd curl-7.22.0-openssl
$ ./configure --with-ssl=/usr/include --without-nss
$ make

To verify that the right curl, and more importantly, libcurl.so were created I ran

$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.0 zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz

curl/NSS

$ tar xzf curl-7.22.0.tar.gz
$ mv curl-7.22.0 curl-7.22.0-nss
$ cd curl-7.22.0-nss
$ ./configure --with-nss --without-ssl
$ make

To verify that the right curl, and more importantly, libcurl.so were created I ran

$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 NSS/3.12.10.0 zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz 

curl/GnuTLS

$ tar xzf curl-7.22.0.tar.gz
$ mv curl-7.22.0 curl-7.22.0-gnutls
$ cd curl-7.22.0-gnutls
$ ./configure --with-gnutls=/usr/include --without-nss --without-ssl
$ make

To verify that the right curl, and more importantly, libcurl.so were created I ran

$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 GnuTLS/2.8.6 zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz 

curl/PolarSSL

$ tar xzf curl-7.22.0.tar.gz
$ mv curl-7.22.0 curl-7.22.0-polarssl
$ cd curl-7.22.0-polarssl
$ ./configure --with-polarssl=/usr/include --without-nss --without-ssl --disable-ntlm-wb
$ make

Note: if I did not add --disable-ntlm-wb then the build failed in the linking phase

To verify that the right curl, and more importantly, libcurl.so were created I ran

$ LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V
curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 PolarSSL zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile SSL libz 
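
A scripted version of the `curl -V` check used in this appendix, as an added example that is not part of the original wiki page: it extracts the TLS library token from the version line and tests the Features line, so a build or a system curl can be checked before relying on its client-certificate behaviour. The function names `tls_backend`, `has_feature` and `check_build` are made up for this example; the two samples are the NSS and PolarSSL outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original page): classify a curl build from `curl -V`.

# Sample outputs copied from the NSS and PolarSSL builds on this page.
SAMPLE_NSS='curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 NSS/3.12.10.0 zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz'
SAMPLE_POLARSSL='curl 7.22.0 (x86_64-unknown-linux-gnu) libcurl/7.22.0 PolarSSL zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile SSL libz'

# Print the TLS library token from the first line of `curl -V` output on stdin
# (e.g. "NSS/3.12.10.0", or bare "PolarSSL"); print "none" if no backend is named.
tls_backend() {
    IFS= read -r first || true
    for tok in $first; do
        case $tok in
            OpenSSL|OpenSSL/*|NSS|NSS/*|GnuTLS|GnuTLS/*|PolarSSL|PolarSSL/*)
                printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    echo none
}

# Succeed if the "Features:" line of `curl -V` output on stdin lists feature $1.
has_feature() {
    want=$1
    while IFS= read -r line; do
        case $line in
            Features:*)
                for f in ${line#Features:}; do
                    if [ "$f" = "$want" ]; then return 0; fi
                done
                return 1 ;;
        esac
    done
    return 1
}

# Succeed only if the output in $2 names backend $1 and lists the SSL feature.
check_build() {
    backend=$(printf '%s\n' "$2" | tls_backend)
    [ "${backend%%/*}" = "$1" ] && printf '%s\n' "$2" | has_feature SSL
}

for out in "$SAMPLE_NSS" "$SAMPLE_POLARSSL"; do
    printf 'backend: %s\n' "$(printf '%s\n' "$out" | tls_backend)"
done
```

To check a real build, pass the live output instead of a sample, for example `check_build NSS "$(LD_LIBRARY_PATH=lib/.libs src/.libs/curl -V)"`.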


The HEP VOs have an SGM role, usually of the form

 /Role=lcgadmin

However, in this HOWTO the VO vlemed was chosen as the example. This VO has a role

/Role=sgm

available, which gives users who possess that role the right to install software in the VO-specific software area. To generate an SGM proxy, use

$ voms-proxy-init --voms vlemed:/vlemed/Role=sgm