curl example on server SSL certificate

Curl use case for webdav access using SSL

Here is curl version:

$ curl -V
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b
zlib/1.2.3 libidn/0.6.5
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

curl --ciphers ALL:NULL --show-error --connect-timeout 300 --max-time 3600 --capath $X509_CERT_DIR --cert $X509_USER_PROXY --key $X509_USER_PROXY \
 -L https://$StorageElement:2880/$Namespace/$SmallFile -o /tmp/$SmallFile  -3

But I got trouble when I was trying new curl version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0
zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

I got Error message like below
* NSS error -5961
* Closing connection #0
* SSL connect error

curl: (35) SSL connect error

More detail, there has been some changes since 7.19.7, which started to use NSS.
http://curl.haxx.se/docs/sslcerts.html
But, I did not figure how properly use NSS for SSL connection

However, here is a new way.

curl --silent --show-error --cacert /tmp/curltest/<x509 proxy> --connect-timeout 300 --max-time 3600 --capath $X509_CERT_DIR --cert $X509_USER_PROXY --key $X509_USER_PROXY -L https://webdavpath -o /tmp/ddddd-https

Problem is solved, but question is still there, in document, I see

 --cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. 
The file may contain multiple CA certificates. The certificate(s) must be in PEM format.
If this option is used several times, the last one will be used.
 --capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer.
The certificates must be in PEM format, and the directory must have been processed using
the c_rehash utility supplied with openssl. Certificate directories are not supported
under Windows (because c_rehash uses symbolink links to create them). Using --capath
can allow curl to make https connections much more efficiently than using --cacert if
the --cacert file contains many CA certificates. If this option is used several times,
the last one will be used.

So, --capath option is used to specify a directory containing the CA certs to verify the certs of remote servers that curl connects to, and --cacert, to use a single file which the CA certs are stored in. They should be doing the same function.

I tried to convert CA certs into CA bundle file, or add CA certs into NSS, but non of them worked.

So the use case is that capath is define to CA bundle and cacert is defined to user proxy to verify host cert