Daniel,

I filed a ticket and AWS support reported us that they provide new curl package. The both curl binaries say it's 7.36.0 but the new one seems to be built with NSS 3.16 instead of 3.15.3.

NG: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.15.3 zlib/1.2.5 libidn/1.18 libssh2/1.4.2
OK: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.16 Basic ECC zlib/1.2.5 libidn/1.18 libssh2/1.4.2

Try to upgrade the curl package. So far it works fine for me.

---
** [bugs:#1360] SSL regression in 7.36.0 on Amazon Linux**
**Status:** open
**Created:** Wed Apr 16, 2014 01:50 AM UTC by Dan Rogers
**Last Updated:** Mon Apr 21, 2014 06:30 PM UTC
**Owner:** nobody
Upgrading CURL/libCURL from:
~~~~~~
# rpm -qi curl
Name        : curl
Version     : 7.35.0
Release     : 2.42.amzn1
Architecture: x86_64
Install Date: Thu 10 Apr 2014 08:20:19 PM PDT
Group       : Applications/Internet
Size        : 534216
License     : MIT
Signature   : RSA/SHA256, Wed 26 Feb 2014 04:51:24 PM PST, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.35.0-2.42.amzn1.src.rpm
Build Date  : Wed 26 Feb 2014 04:48:55 PM PST
Build Host  : build-31004.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
~~~~~~
To:
~~~~~~
# rpm -qi libcurl
Name        : libcurl
Version     : 7.36.0
Release     : 2.44.amzn1
Architecture: x86_64
Install Date: Tue 15 Apr 2014 11:40:58 AM PDT
Group       : Development/Libraries
Size        : 455304
License     : MIT
Signature   : RSA/SHA256, Tue 08 Apr 2014 07:21:43 PM PDT, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.36.0-2.44.amzn1.src.rpm
Build Date  : Tue 08 Apr 2014 03:25:45 PM PDT
Build Host  : build-31003.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A library for getting files from web servers
~~~~~~
Results in the following error:
~~~~~~
# curl -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
*   Trying 205.251.242.187...
* Connected to s3.amazonaws.com (205.251.242.187) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -8127 (SEC_ERROR_NO_TOKEN)
* The security card or token does not exist, needs to be initialized, or has been removed.
* Closing connection 0
curl: (35) The security card or token does not exist, needs to be initialized, or has been removed.
~~~~~~
However, using SSLv3 works:
~~~~~~
# curl -3 -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
*   Trying 54.231.1.40...
* Connected to s3.amazonaws.com (54.231.1.40) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=s3.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
* 	start date: Apr 12 00:00:00 2014 GMT
* 	expire date: Apr 13 23:59:59 2015 GMT
* 	common name: s3.amazonaws.com
* 	issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
~~~~~~
Downgrading to curl 7.35.0 allows this to function again.
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.