Curl NSS / SSL error after update
I use a custom internal authentication server. With the last round of updates it started having issues, apparently due to a change in the ciphers. This is on a CentOS6 box, fully updated.
curl https://crowd.test.org:8443 --cacert /etc/pki/ca-trust/source/anchors/ca.crt -vvv
* About to connect() to crowd.test.org port 8443 (#0)
* Trying 192.XXX.XXX.XXX... connected
* Connected to crowd.test.org (192.XXX.XXX.XXX) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/ca-trust/source/anchors/ca.crt
CApath: none
* NSS error -12173
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
I checked with nmap and found a supported cipher, TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Checked this on the curl site and found the following does indeed work.
curl https://crowd.mydomain.org:8443 --cacert /etc/pki/ca-trust/source/anchors/ca2.crt -vvv --tlsv1.0 --ciphers rsa_aes_128_sha
How do I correct this? I already used the downgrade method I'd traditionally use without success.
yum history
yum history undo 106
yum curl
asked Apr 10 '17 at 14:26 by Tim Brigham
1 Answer
Based on https://mozilla.github.io/python-nss-docs/nss.error-module.html it looks like that's a sign that the server has a weak ephemeral Diffie-Hellman key:
SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = -12173
On the servers I've seen this error, that was indeed the case.
answered Jul 5 '17 at 18:57 by Chris Adams
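To see what the answer is pointing at rather than infer it from the error number, the following script speaks just enough TLS 1.0 to pull the server's ephemeral DH parameters out of its ServerKeyExchange and report the prime size. It is an added example, not code from the question, the answer or any server product mentioned on the page. Assumptions: the 1024-bit verdict line (NSS rejects primes it considers too short; check the limit of the nss build on your box), the default hostname and port taken from the question, and a constructed 512-bit sample used so the parser can be exercised offline. The live probe function needs network access to the real server and offers only TLS_DHE_RSA_WITH_AES_128_CBC_SHA over TLS 1.0, the combination the question already established works; a server that insists on TLS 1.2 will answer with an alert instead.

```python
"""Read the ephemeral DH parameters a TLS server sends: the value NSS checks
before failing with -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY).
Added example, not code from the question or answer; speaks just enough
TLS 1.0 to reach ServerKeyExchange and completes no key exchange."""
import os
import socket
import struct

# Assumption: the client-side cutoff. NSS rejects primes it considers too
# short (Logjam-era hardening); 1024 bits is used here as the verdict line.
MIN_DH_BITS = 1024
DHE_RSA_AES128_SHA = 0x0033  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA, seen by nmap


def parse_dhe_server_key_exchange(body):
    """(p_bits, g, ys_bits) from a DHE ServerKeyExchange body (bytes after the
    4-byte handshake header): dh_p, dh_g, dh_Ys, each 2-byte length-prefixed."""
    fields, pos = [], 0
    for _ in range(3):
        if pos + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack("!H", body[pos:pos + 2])
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(value, "big"))
        pos += 2 + length
    p, g, ys = fields  # the trailing signature is not needed and is ignored
    return p.bit_length(), g, ys.bit_length()


def dh_verdict(p_bits, min_bits=MIN_DH_BITS):
    return "ok" if p_bits >= min_bits else "weak"


def build_server_dh_params(p, g, ys):
    """Encode ServerDHParams as a server would; only used for the offline sample."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample, not captured from any server: a 512-bit prime-sized
# modulus (not a real safe prime), the kind of parameter that trips NSS.
WEAK_SAMPLE = build_server_dh_params((1 << 511) | 1, 2, (1 << 500) | 3) + b"\x00" * 8


def build_client_hello(hostname):
    """TLS 1.0 ClientHello with one DHE_RSA suite plus SNI: DH params or alert."""
    host = hostname.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (b"\x03\x01"                                   # client_version TLS 1.0
            + os.urandom(32)                              # client random
            + b"\x00"                                     # empty session_id
            + struct.pack("!HH", 2, DHE_RSA_AES128_SHA)   # one cipher suite
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe_dh_params(hostname, port=8443, timeout=10):
    """Send the ClientHello, read records until ServerKeyExchange; raises on alert."""
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(hostname))
        pending = b""  # handshake messages may share or span TLS records
        while True:
            ctype, _ver, length = struct.unpack("!BHH", _recv_exact(sock, 5))
            payload = _recv_exact(sock, length)
            if ctype == 0x15:
                raise RuntimeError("alert level=%d description=%d" % (payload[0], payload[1]))
            if ctype != 0x16:
                raise RuntimeError("unexpected record type 0x%02x" % ctype)
            pending += payload
            while len(pending) >= 4:
                msg_type, msg_len = pending[0], int.from_bytes(pending[1:4], "big")
                if len(pending) < 4 + msg_len:
                    break
                body, pending = pending[4:4 + msg_len], pending[4 + msg_len:]
                if msg_type == 12:  # ServerKeyExchange
                    return parse_dhe_server_key_exchange(body)
                if msg_type == 14:  # ServerHelloDone without DH params
                    raise RuntimeError("ServerHelloDone arrived with no ServerKeyExchange")
```

Against the real host, `probe_dh_params("crowd.test.org", 8443)` returns the prime size, generator and public-value size, and `dh_verdict` on the first of those says whether an NSS-style minimum would refuse it. If the prime comes back under the cutoff, the fix belongs on the server (larger DH parameters, or preferring ECDHE suites); the `--ciphers rsa_aes_128_sha` workaround in the question only sidesteps the check by avoiding DHE altogether, and `yum history undo` cannot help because the rejection is deliberate client behaviour, not a regression.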