Curl NSS / SSL error after update

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















I use a custom internal authentication server. With the last round of updates it started having issues, apparently due to a change in the ciphers. This is on a CentOS6 box, fully updated.



curl https://crowd.test.org:8443 
--cacert /etc/pki/ca-trust/source/anchors/ca.crt
-vvv
* About to connect() to crowd.test.org port 8443 (#0)
* Trying 192.XXX.XXX.XXX... connected
* Connected to crowd.test.org (192.XXX.XXX.XXX) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/ca-trust/source/anchors/ca.crt
CApath: none
* NSS error -12173
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
You have mail in /var/mail/root


I checked with nmap and found a supported cipher, TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Checked this on the curl site and found the following does indeed work.



curl https://crowd.mydomain.org:8443 --cacert 
/etc/pki/ca-trust/source/anchors/ca2.crt
-vvv --tlsv1.0 --ciphers rsa_aes_128_sha


How do I correct this? I already used the downgrade method I'd traditionally use without success.



yum history 
yum history undo 106









share|improve this question


























    2















    I use a custom internal authentication server. With the last round of updates it started having issues, apparently due to a change in the ciphers. This is on a CentOS6 box, fully updated.



    curl https://crowd.test.org:8443 
    --cacert /etc/pki/ca-trust/source/anchors/ca.crt
    -vvv
    * About to connect() to crowd.test.org port 8443 (#0)
    * Trying 192.XXX.XXX.XXX... connected
    * Connected to crowd.test.org (192.XXX.XXX.XXX) port 8443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/ca-trust/source/anchors/ca.crt
    CApath: none
    * NSS error -12173
    * Closing connection #0
    * SSL connect error
    curl: (35) SSL connect error
    You have mail in /var/mail/root


    I checked with nmap and found a supported cipher, TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Checked this on the curl site and found the following does indeed work.



    curl https://crowd.mydomain.org:8443 --cacert 
    /etc/pki/ca-trust/source/anchors/ca2.crt
    -vvv --tlsv1.0 --ciphers rsa_aes_128_sha


    How do I correct this? I already used the downgrade method I'd traditionally use without success.



    yum history 
    yum history undo 106









    share|improve this question
























      2












      2








      2








      I use a custom internal authentication server. With the last round of updates it started having issues, apparently due to a change in the ciphers. This is on a CentOS6 box, fully updated.



      curl https://crowd.test.org:8443 
      --cacert /etc/pki/ca-trust/source/anchors/ca.crt
      -vvv
      * About to connect() to crowd.test.org port 8443 (#0)
      * Trying 192.XXX.XXX.XXX... connected
      * Connected to crowd.test.org (192.XXX.XXX.XXX) port 8443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * CAfile: /etc/pki/ca-trust/source/anchors/ca.crt
      CApath: none
      * NSS error -12173
      * Closing connection #0
      * SSL connect error
      curl: (35) SSL connect error
      You have mail in /var/mail/root


      I checked with nmap and found a supported cipher, TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Checked this on the curl site and found the following does indeed work.



      curl https://crowd.mydomain.org:8443 --cacert 
      /etc/pki/ca-trust/source/anchors/ca2.crt
      -vvv --tlsv1.0 --ciphers rsa_aes_128_sha


      How do I correct this? I already used the downgrade method I'd traditionally use without success.



      yum history 
      yum history undo 106









      share|improve this question














      I use a custom internal authentication server. With the last round of updates it started having issues, apparently due to a change in the ciphers. This is on a CentOS6 box, fully updated.



      curl https://crowd.test.org:8443 
      --cacert /etc/pki/ca-trust/source/anchors/ca.crt
      -vvv
      * About to connect() to crowd.test.org port 8443 (#0)
      * Trying 192.XXX.XXX.XXX... connected
      * Connected to crowd.test.org (192.XXX.XXX.XXX) port 8443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * CAfile: /etc/pki/ca-trust/source/anchors/ca.crt
      CApath: none
      * NSS error -12173
      * Closing connection #0
      * SSL connect error
      curl: (35) SSL connect error
      You have mail in /var/mail/root


      I checked with nmap and found a supported cipher, TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Checked this on the curl site and found the following does indeed work.



      curl https://crowd.mydomain.org:8443 --cacert 
      /etc/pki/ca-trust/source/anchors/ca2.crt
      -vvv --tlsv1.0 --ciphers rsa_aes_128_sha


      How do I correct this? I already used the downgrade method I'd traditionally use without success.



      yum history 
      yum history undo 106






      yum curl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Apr 10 '17 at 14:26









      Tim BrighamTim Brigham

      5321619




      5321619




















          1 Answer
          1






          active

          oldest

          votes


















          0














          Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:



          SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173



          On the servers I've seen this error, that was indeed the case.






          share|improve this answer






















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f358123%2fcurl-nss-ssl-error-after-update%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:



            SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173



            On the servers I've seen this error, that was indeed the case.






            share|improve this answer



























              0














              Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:



              SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173



              On the servers I've seen this error, that was indeed the case.






              share|improve this answer

























                0












                0








                0







                Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:



                SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173



                On the servers I've seen this error, that was indeed the case.






                share|improve this answer













                Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:



                SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173



                On the servers I've seen this error, that was indeed the case.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jul 5 '17 at 18:57









                Chris AdamsChris Adams

                1012




                1012



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f358123%2fcurl-nss-ssl-error-after-update%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?