Discussion:
Cannot communicate securely with peer: no common encryption algorithm
Rhys Evans
2014-12-02 12:29:44 UTC
Hi

Firstly thanks in advance for any help provided

I am having an issue using curl on a specific website we host (but a third-party app); I keep getting the following:

[***@01 user]# curl --version
curl 7.39.0 (x86_64-redhat-linux-gnu) libcurl/7.39.0 NSS/3.16.2 Basic ECC zlib/1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz Meta
[***@01 user]# curl -vvv https://website
* Rebuilt URL to: https://website/
* Hostname was NOT found in DNS cache
* Trying websiteip...
* Connected to monitor.redclient.net (websiteip) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm

I am able to connect using openssl via openssl s_client -connect website:443 this connects using TLS1.2 and ECDHE-RSA-AES256-GCM-SHA384

The site's accepted ciphers are listed below:

Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256

I am running CentOS 7 (if I downgrade curl to the dist version, I get the same issue).

Any ideas as to why this doesn't work?

Thanks

Rhys Evans
Technical Consultant

| Redblade Ltd | Tel: +44 (0)33 3344 9898 | Fax: +44 (0)20 7735 1555 | Southbank House, Vauxhall, SE1 7SJ | www.redblade.co.uk |

Redblade Ltd is a Limited Company, registered in England and Wales, no: 5821834 Registered Office: Southbank House, Black Prince Road, Vauxhall, London, SE1 7SJ This email and its content are subject to the disclaimer as displayed at the following link http://www.redblade.co.uk/disclaimer/
Kamil Dudka
2014-12-02 21:24:13 UTC
Try to use the --tlsv1.2 option to select the required TLS version. The
original el7 version of (lib)curl does not enable TLS > 1.0 by default:

https://bugzilla.redhat.com/show_bug.cgi?id=994599

You can also try to manually select the cipher-suite with the --ciphers option
of curl. Have a look at the following patch -- the strings in the left column
can be used as the values for --ciphers:

https://github.com/bagder/curl/compare/4c599b9d2d...67061e3f4e

curl will tell you if the required cipher-suite is not implemented by NSS.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Rhys Evans
2014-12-02 23:52:49 UTC
Hi

Thanks for the help; that does work if I specify the cipher:

curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -vvv https://website

I have created a .curlrc with the following in it to work around the issue for now:

ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"

Thanks for the help


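As an added example (not code from this thread or from the curl project): a small Python helper that turns the scanner's OpenSSL-style suite names quoted above into the NSS-style names curl's --ciphers option expects, and builds a .curlrc line from the strongest overlap only, rather than listing every suite the server happens to accept. The translation table is partial by design: it holds the names used in this thread plus the two ECDHE CBC-SHA1 entries as I know them from curl's NSS backend table, and anything it does not know is reported as unmapped so it can be checked against the patch Kamil linked instead of guessed.

```python
# Partial OpenSSL -> curl/NSS name table: names used in this thread plus the ECDHE
# CBC-SHA1 entries of curl's NSS backend (verify against the linked curl patch).
OPENSSL_TO_NSS = {
    "AES128-SHA": "rsa_aes_128_sha",
    "AES256-SHA": "rsa_aes_256_sha",
    "DHE-RSA-AES128-SHA": "dhe_rsa_aes_128_cbc_sha",
    "DHE-RSA-AES256-SHA": "dhe_rsa_aes_256_cbc_sha",
    "AES128-GCM-SHA256": "rsa_aes_128_gcm_sha_256",
    "ECDHE-RSA-AES128-SHA": "ecdhe_rsa_aes_128_sha",
    "ECDHE-RSA-AES256-SHA": "ecdhe_rsa_aes_256_sha",
    "ECDHE-RSA-AES128-GCM-SHA256": "ecdhe_rsa_aes_128_gcm_sha_256",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ecdhe_ecdsa_aes_128_gcm_sha_256",
}

# Server-side scan output, constructed from the list posted in the thread.
SCAN_OUTPUT = """\
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
"""

def parse_scan(text):
    """Distinct suite names from 'Accepted <ver> <bits> bits <suite>' lines, in order."""
    suites = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "Accepted" and parts[4] not in suites:
            suites.append(parts[4])
    return suites

def translate(suites):
    """Split server suites into (curl/NSS names, suites with no known name)."""
    mapped = [OPENSSL_TO_NSS[s] for s in suites if s in OPENSSL_TO_NSS]
    unmapped = [s for s in suites if s not in OPENSSL_TO_NSS]
    return mapped, unmapped

def rank(nss_name):
    """Lower is better: forward secrecy and AEAD first, CBC with SHA-1 last."""
    return (not nss_name.startswith(("ecdhe_", "dhe_")),
            "_gcm_" not in nss_name, nss_name.endswith("_sha"))

def curlrc_line(scan_text):
    """Build a .curlrc ciphers= line keeping only the strongest mapped tier, so the
    client is not also told to accept the weaker suites the server happens to offer."""
    mapped, unmapped = translate(parse_scan(scan_text))
    if not mapped:
        raise ValueError("no server suite has a known curl/NSS name: %s" % unmapped)
    best = min(rank(n) for n in mapped)
    return 'ciphers="%s"' % ",".join(n for n in mapped if rank(n) == best)
```

For the scan in this thread the result is the single suite that worked for Rhys, ecdhe_rsa_aes_128_gcm_sha_256, and the two AES256-SHA384 suites come back as unmapped rather than as invented names.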
Daniel Stenberg
2014-12-03 14:57:07 UTC
Post by Rhys Evans
curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -vvv https://website
FYI: one -v is enough. Adding more will not change anything.
--
/ daniel.haxx.se