On Thursday, April 13 2023, Gabriel wrote: > Between 7.88.1-2 and 7.88.1-5, there was a change to where curl with > nss looks for loadable libraries: > > curl (7.88.1-4) unstable; urgency=medium > > * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: > Prepend "/nss/" before the library name. > > Before the change to the load path, curl could find > /lib/x86_64-linux-gnu/libnssckbi.so but not > /lib/x86_64-linux-gnu/nss/libnsspem.so, after the change it's the > reverse. > > libnssckbi.so is enough to get a trust root (the mozilla certificate > store is compiled inside that library), whereas libnsspem.so > (1.0.8+1-1) isn't. > This makes it impossible to connect to https servers by default for > programs that use curl with NSS. > > Here is a way to test the regression: > debbisect -v --cache=./cache \ > > --depends=libcurl4-nss-dev,git,pkg-config,libssl-dev,ca-certificates,cargo,nss-plugin-pem,p11-kit-modules,strace > \ > 20230306T145638Z 20230306T203828Z \ > 'chroot "$1" bash -exuc " > git clone --depth 1 https://github.com/alexcrichton/curl-rust.git > cd curl-rust > time cargo fetch > time cargo build --offline --example https > strace -efile target/debug/examples/https >/dev/null > "'
Thanks for the detailed bug report. I was able to reproduce the problem successfully and prepared a fix. I'll upload the package tomorrow after the current one migrates to testing. Cheers, -- Sergio GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36 Please send encrypted e-mail if possible https://sergiodj.net/