
curl-users

Re: Cannot communicate securely with peer: no common encryption algorithm

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 02 Dec 2014 22:24:13 +0100

On Tuesday, December 02, 2014 12:29:44 Rhys Evans wrote:
> Hi
>
> Firstly thanks in advance for any help provided
>
> I am having an issue using curl on a specific website we host (but a third
> party app), I keep getting the following
>
> [root_at_01 user]# curl --version
> curl 7.39.0 (x86_64-redhat-linux-gnu) libcurl/7.39.0 NSS/3.16.2 Basic ECC zlib/1
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s
> Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz Meta
> [root@01 user]# curl -vvv https://website
> * Rebuilt URL to: https://website/
> * Hostname was NOT found in DNS cache
> * Trying websiteip...
> * Connected to monitor.redclient.net (websiteip) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> * Cannot communicate securely with peer: no common encryption algorithm(s).
> * Closing connection 0
> curl: (35) Cannot communicate securely with peer: no common encryption
> algorithm
>
> I am able to connect using openssl via openssl s_client -connect website:443
> this connects using TLS1.2 and ECDHE-RSA-AES256-GCM-SHA384
>
> The sites accepted ciphers are listed below
>
> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
>
> I am running Centos 7 (if I downgrade curl (to the dist version) I get the
> same issue)

Try to use the --tlsv1.2 option to select the required TLS version. The
original el7 version of (lib)curl does not enable TLS > 1.0 by default:

https://bugzilla.redhat.com/show_bug.cgi?id=994599

You can also try to manually select the cipher-suite by the --ciphers option
of curl. Have a look at the following patch -- the strings in the left column
can be used as the values for --ciphers:

https://github.com/bagder/curl/compare/4c599b9d2d...67061e3f4e

curl will tell you if the required cipher-suite is not implemented by NSS.

Kamil
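The triage the reply describes, as an added example that is not part of the original mail or of curl itself: a small POSIX sh helper that classifies curl's verbose stderr (the NSS -12286 / exit 35 case above, a certificate failure, or a successful handshake) and prints the retry command with an explicit TLS version and cipher list. The NSS-style cipher names (`ecdhe_rsa_aes_256_gcm_sha_384` and friends) are assumed to be the `--ciphers` strings for the suites the server advertised, as added by the patch linked in the reply; confirm them against your curl build, which reports an unknown name rather than silently ignoring it.

```shell
#!/bin/sh
# Added example (not from the mail or the curl project): triage a curl TLS
# handshake failure and build the next command to try.

# Assumed NSS-style names for the ECDHE-RSA suites the server accepted;
# check the patch linked in the reply for the exact strings your curl knows.
NSS_ECDHE_SUITES="ecdhe_rsa_aes_256_gcm_sha_384,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_256_sha"

# classify_tls_error: reads `curl -v` stderr on stdin, prints one word:
#   no_cipher_overlap  NSS -12286 / "no common encryption algorithm"
#   cert               certificate verification failed
#   ok                 a TLS session was negotiated
#   unknown            none of the above
classify_tls_error() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qE 'SSL_ERROR_NO_CYPHER_OVERLAP|no common encryption algorithm'; then
    echo no_cipher_overlap
  elif printf '%s\n' "$out" | grep -qE 'SSL certificate problem|certificate verify failed|SEC_ERROR_'; then
    echo cert
  elif printf '%s\n' "$out" | grep -qE 'SSL connection using'; then
    echo ok
  else
    echo unknown
  fi
}

# suggest_retry CODE URL: prints the curl invocation to try next.
suggest_retry() {
  code=$1
  url=$2
  case "$code" in
    no_cipher_overlap)
      # Old el7 curl left TLS > 1.0 disabled; force 1.2 and offer the
      # server's ECDHE-RSA suites explicitly so curl reports which one NSS lacks.
      echo "curl -v --tlsv1.2 --ciphers $NSS_ECDHE_SUITES $url" ;;
    cert)
      # Placeholder path: point --cacert at the CA that issued the server cert.
      echo "curl -v --cacert /path/to/ca-bundle.pem $url" ;;
    ok)
      echo "curl -v $url" ;;
    *)
      # Nothing recognisable: re-run with maximum verbosity and read the output.
      echo "curl -vvv $url" ;;
  esac
}

# probe_tls URL: runs curl against URL, classifies the result, prints
# the classification and the suggested follow-up command.
probe_tls() {
  url=$1
  rc=0
  err=$(curl -sS -v -o /dev/null "$url" 2>&1) || rc=$?
  code=$(printf '%s\n' "$err" | classify_tls_error)
  echo "curl exit $rc: $code"
  suggest_retry "$code" "$url"
}

# Only touch the network when explicitly asked, e.g.
#   PROBE_URL=https://website sh tls_triage.sh
if [ -n "${PROBE_URL:-}" ]; then
  probe_tls "$PROBE_URL"
fi
```

Feed the script your own `curl -v` output on stdin through `classify_tls_error` when you already have a transcript, or set `PROBE_URL` to let it run the probe for you; if the retry with `--tlsv1.2 --ciphers` still fails, the NSS build on the box does not implement any of the listed suites and the fix is on the curl/NSS side, not the server's.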
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-12-02