Ubuntu – How to Change libcurl SSL Backend from GnuTLS to OpenSSL

curl, gnutls, openssl, ssl, Ubuntu

I am getting gnutls-specific errors in my Tornado webserver while processing Google OpenID SSL responses. One of the suggestions I got from the Tornado mailing list is to try the OpenSSL backend instead of gnutls. But it doesn't seem to be straightforward on Ubuntu server (11.10).

On Ubuntu server, gnutls is provided by the libcurl3-gnutls package and openssl curl support is provided by the libcurl4-openssl-dev package. (I don't know why the latter is named 4 and dev, but I couldn't find any other openssl+curl package in apt-cache search).

I had libcurl3-gnutls installed by default, but not libcurl4-openssl-dev. So I installed the latter and restarted the Tornado instances. But that didn't seem to work. I still got the same gnutls errors.

I found old discussions on curl mailing lists regarding the problems of supporting different SSL backends in libcurl, but didn't find exactly how it is done today. So far my guess is that openssl is built into libcurl and gnutls is provided through a separate package (that would explain why there is no libcurl3-openssl). But how do I make libcurl pick up the openssl backend and not gnutls? Is there some option in the libcurl/pycurl API to do this?

I tried uninstalling libcurl3-gnutls, but apt-get prompted that it will also remove python-pycurl along with it. So that won't do.

Best Answer

The -dev packages are the development packages; they contain the library headers, used to develop and compile programs that use the library. They're usually not required by application binary packages (which are already compiled). Installing libcurl4-openssl-dev isn't enough to make the binary packages that have been built against libcurl3-gnutls use OpenSSL instead. It would only be useful for applications that you re-compile against it.

The python-pycurl package has a direct dependency on libcurl3-gnutls and libgnutls26.

Unless there are cURL-based packages for Ubuntu compiled against OpenSSL instead of GnuTLS in an alternative repository, you may have to build them yourself, unfortunately.

This could be done in principle by downloading the source (apt-get source python-pycurl, and related packages). You would have to go into the Debian packaging configuration files and change the options (usually passed to the configure script which also configures the Makefiles before compilation) so as to change the compilation options, to use OpenSSL instead. You may also need to change the package description to limit disruption to the other packages, perhaps by using the provide: directive to say that your package can replace the one packaged by Ubuntu.
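
To confirm which TLS library the pycurl in use is actually running on, before and after any rebuild, the version banner that pycurl exposes as `pycurl.version` can be parsed. This is an added example, not code from the question or the answer; the helper names and the two sample banners are constructed for illustration.

```python
import re

# TLS libraries that can appear as "Name/version" tokens in the banner.
# Subset chosen for this example (assumption); extend it for other builds.
KNOWN_TLS = {"openssl", "gnutls", "nss", "libressl", "boringssl"}

# One banner token: a product name, a slash, then everything up to whitespace.
# Compound tokens such as "libssh/0.9.6/openssl/zlib" stay a single token, so
# the "openssl" inside them is not mistaken for libcurl's own TLS backend.
TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_.+-]*)/([^\s()]+)")


def tls_backends(banner):
    """Return [(name, version), ...] for every TLS library named in banner."""
    return [(n, v) for n, v in TOKEN.findall(banner) if n.lower() in KNOWN_TLS]


def uses_backend(banner, wanted):
    """True if the banner names `wanted` (case-insensitive) as a TLS library."""
    return any(n.lower() == wanted.lower() for n, _ in tls_backends(banner))


def installed_banner():
    """Banner of the pycurl installed on this host, or None if it is absent."""
    try:
        import pycurl
    except ImportError:
        return None
    return pycurl.version


# Constructed sample banners (version numbers are illustrative only).
SAMPLE_GNUTLS = "PycURL/7.19.0 libcurl/7.21.6 GnuTLS/2.10.5 zlib/1.2.3.4 libidn/1.22"
SAMPLE_OPENSSL = "PycURL/7.19.0 libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22"

if __name__ == "__main__":
    # Fall back to the constructed sample when pycurl is not installed.
    banner = installed_banner() or SAMPLE_GNUTLS
    print(banner)
    print("TLS backends:", tls_backends(banner))
    print("OpenSSL in use:", uses_backend(banner, "OpenSSL"))
```

If the banner still names GnuTLS after installing libcurl4-openssl-dev, that matches the answer: the binary python-pycurl package is still linked against libcurl3-gnutls.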