Disable SSLv3 In cURL?

It looks like this problem is caused by the version of cURL not supporting ECC 256 bit SSL certificates and the ECDSA signature algorithm (which is used by CloudFlare). You can test to see if your version of cURL supports this encryption by running:

curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com

If you get the following, then your cURL is out of date:

curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha

Otherwise, if it connects and doesn't display an error then it is up to date.

Since CentOS seems to thoroughly screen updates before they are applied to their packages, it's hard to say when this will be fixed. The ONLY way to get around this is by updating cURL; passing -k or --insecure won't work.
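As an added example (not part of the answer or of cURL itself), a small POSIX sh helper that runs the probe command from the answer and classifies the outcome from curl's exit code and verbose stderr; the sample stderr is taken from the question's log, and the function names, the host argument and the CURL override variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the answer above): run the cipher probe from the
# answer and turn curl's exit code plus its verbose stderr into a verdict.
# Exit 59 "Unknown cipher in list" means curl/NSS does not even know the
# ECDHE-ECDSA suite (curl too old); exit 35 with SSL_ERROR_NO_CYPHER_OVERLAP
# means the handshake itself failed, which -k/--insecure cannot fix because
# certificate verification is never reached.

# diagnose_curl EXIT_CODE  (reads curl's stderr on stdin)
# Prints one of: ok, outdated-curl, no-cipher-overlap, other,
# with "+sslv3-fallback" appended when curl retried with SSLv3.
diagnose_curl() {
    code="$1"
    out=$(cat)
    verdict="other"
    case "$out" in
        *"Unknown cipher in list"*)      verdict="outdated-curl" ;;
        *"SSL_ERROR_NO_CYPHER_OVERLAP"*) verdict="no-cipher-overlap" ;;
    esac
    if [ "$code" -eq 0 ] && [ "$verdict" = "other" ]; then
        verdict="ok"
    fi
    case "$out" in
        *"trying SSLv3"*) verdict="$verdict+sslv3-fallback" ;;
    esac
    echo "$verdict"
}

# probe HOST: the command from the answer, with -v added so the handshake
# details land on stderr. CURL may be overridden (assumed helper variable).
probe() {
    if out=$("${CURL:-curl}" -v -1IsS --ciphers ecdhe_ecdsa_aes_128_sha "https://$1" 2>&1 >/dev/null); then
        code=0
    else
        code=$?
    fi
    printf '%s\n' "$out" | diagnose_curl "$code"
}

# Constructed sample: the relevant lines from the failing curl 7.29.0 run
# in the question, so the classifier can be exercised offline.
SAMPLE_NO_OVERLAP='* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).'

# Usage: sh probe.sh host.example  (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    probe "$1"
fi
```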


Updated on September 18, 2022

Comments

  • ub3rst4r
    ub3rst4r over 1 year

    I'm having a problem connecting to a website that is hosted with CloudFlare using cURL. When I try to connect to the website with HTTPS (using curl -v https://www.xxxxxx.com), it says:

    * About to connect() to www.xxxxxx.com port 443 (#0)
    *   Trying 2400:cb00:2048:1::681c:116e...
    * Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
    * Cannot communicate securely with peer: no common encryption algorithm(s).
    * Error in TLS handshake, trying SSLv3...
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.xxxxxx.com
    > Accept: */*
    >
    * Connection died, retrying a fresh connect
    * Closing connection 0
    * Issue another request to this URL: 'https://www.xxxxxx.com'
    * About to connect() to www.xxxxxx.com port 443 (#1)
    *   Trying 2400:cb00:2048:1::681c:116e...
    * Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#1)
    * TLS disabled due to previous handshake failure
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
    * Cannot communicate securely with peer: no common encryption algorithm(s).
    * Closing connection 1
    curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
    

    I contacted CloudFlare about this issue and they say it's because cURL is trying to connect using SSLv3 and they disabled it because of the POODLE vulnerability. I'm able to connect with cURL v7.38.0 on FreeBSD 10 with no problems, but not with cURL v7.29.0 on CentOS 6.5.

    If it is because it's trying to connect to SSLv3, then how do I disable SSLv3 on cURL? Or is it something else?

    • jordanm
      jordanm over 9 years
      Try upgrading nss.
    • Sreeraj
      Sreeraj over 9 years
      An equally important thing to do is to enable curl to use TLS. Your curl does not seem capable of handling the TLS protocol, which is why it fell back to SSLv3 in the first place. Disabling SSLv3 will leave you with a curl that won't be able to make any kind of SSL connection, since you don't seem to have TLS capability. I will update this thread/comment if I am able to find something.
  • Graham
    Graham over 9 years
    Note there are negotiation issues also, i.e. specifying --ciphers as you do above works, but that's currently required.
  • ub3rst4r
    ub3rst4r almost 9 years
    I'm running CentOS v7.1.1503 (with all updates up to July 15, 2015) and cURL works ONLY if --ciphers ecdhe_ecdsa_aes_128_sha is specified. Otherwise, it gives the error: NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)