I am getting gnutls specific errors in my Tornado webserver while processing Google OpenID SSL responses. One of the suggestions I got from Tornado mailing list is to try OpenSSL backend instead of gnutls. But it doesn't seem to be straightforward on Ubuntu server (11.10).
On Ubuntu server, gnutls is provided by the libcurl3-gnutls package and openssl curl support is provided by the libcurl4-openssl-dev package. (I don't know why the latter is named 4 and dev, but I couldn't find any other openssl+curl package in apt-cache search).
I had libcurl3-gnutls installed by default, but not libcurl4-openssl-dev. So I installed the latter and restarted the Tornado instances. But that didn't seem to work. I still got the same gnutls errors.
I found old discussions on the curl mailing lists regarding the problems of supporting different SSL backends to libcurl, but didn't find exactly how it is done today. So far my guess is openssl is built into libcurl and gnutls is provided through a separate package (that would explain why there is no libcurl3-openssl). But how do I make libcurl pick up the openssl backend and not gnutls? Is there some option in the libcurl/pycurl API to do this?
I tried uninstalling libcurl3-gnutls, but apt-get prompted that it will also remove python-pycurl along with it. So that won't do.
I saw a solution on Debian bug tracker.
I figured I'd post a workaround for people to fix the python-pycurl package themselves.
Note pycurl could have been updated so the name may not exactly be pycurl_7.18.2-1.dsc
Edit the debian/control file and replace all instances of libcurl4-gnutls-dev with libcurl4-openssl-dev
To test just jump on the interpreter and look at the version.
It used to say:
It will now say (if you did everything right):
The reason just editing the debian/control file works here is because both libcurl4-gnutls-dev and libcurl4-openssl-dev use the file /usr/bin/curl-config to build its packages. One is for gnutls environments while the other is for openssl.
The -dev packages are the development packages, they contain the library headers, used to develop and compile programs that use the library. They're usually not required by application binary packages (which are already compiled). Installing libcurl4-openssl-dev isn't enough to make the binary packages that have been built against libcurl3-gnutls use OpenSSL instead. It would only be useful for applications that you re-compile against it.
The python-pycurl package has a direct dependency on libcurl3-gnutls and libgnutls26.
Unless there are cURL-based packages for Ubuntu compiled against OpenSSL instead of GnuTLS in an alternative repository, you may have to build them yourself unfortunately.
This could be done in principle by downloading the source (apt-get source python-pycurl, and related packages). You would have to go into the Debian packaging configuration files and change the options (usually passed to the configure script which also configures the Makefiles before compilation) so as to change the compilation options, to use OpenSSL instead. You may also need to change the package description to limit disruption to the other packages, perhaps by using the provide: directive to say that your package can replace the one packaged by Ubuntu.
Remove the pycurl module and reinstall it using pip.
As far as I understand it, the package libcurl3 should offer OpenSSL support.
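The first answer's check (look at the version from the interpreter) can be scripted, so that a rebuild or reinstall is verified rather than assumed. The following is an added example, not code from any of the posts above: the function names are hypothetical and the sample banners are constructed; `pycurl.version` is the module's real version string.

```python
"""Report which TLS library a pycurl/libcurl build is linked against."""

# Constructed sample banners in the format libcurl reports (not captured output).
GNUTLS_BANNER = "libcurl/7.21.6 GnuTLS/2.10.5 zlib/1.2.3.4 libidn/1.22 librtmp/2.3"
OPENSSL_BANNER = "libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3"
NO_TLS_BANNER = "libcurl/7.21.6 zlib/1.2.3.4"

# TLS library names that can appear as a "Name/version" token in the banner.
TLS_LIBRARIES = {"openssl", "gnutls", "nss", "libressl"}


def tls_backend(banner):
    """Return (name, version) of the TLS library in a banner, or None."""
    for token in banner.split():
        name, sep, version = token.partition("/")
        if sep and name.lower() in TLS_LIBRARIES:
            return name, version
    return None  # libcurl built without TLS support


def uses_openssl(banner):
    """True only when the banner names OpenSSL as the TLS library."""
    backend = tls_backend(banner)
    return backend is not None and backend[0].lower() == "openssl"


def installed_backend():
    """Backend of the pycurl importable here, or None if pycurl is absent."""
    try:
        import pycurl
    except ImportError:
        return None
    return tls_backend(pycurl.version)


if __name__ == "__main__":
    for label, banner in (("gnutls build", GNUTLS_BANNER),
                          ("openssl build", OPENSSL_BANNER),
                          ("no TLS", NO_TLS_BANNER)):
        print(label, "->", tls_backend(banner))
    print("installed pycurl ->", installed_backend())
```

Run it with the same Python interpreter that serves Tornado, since a pip-installed pycurl and the distribution's python-pycurl can be linked against different libcurl builds.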