Curl: (35) Cannot Communicate Securely With Peer:
Hello
I am stumped. I am trying to use the kraxel qemu repository. It appears the repository moved to a secure server; since then I have not been able to configure this properly. https://www.kraxel.org/repos/jenkins/
I receive the following error when I try to use the repository: curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
I have discovered this problem on my Fedora 20 computer. The Fedora mailing list will not accept my email. I am experiencing this problem with curl on both my CentOS and Fedora systems.
I receive the same error with a CentOS 7 minimal installation and Fedora 20. What am I doing wrong? I have recently switched to the Fedora platform; I have not read all the manuals, but I am trying.
I have imported the gpg keys that Kraxel has posted on his blog using rpm --import. I can only download files through my web browser. I was going to clone his git repository and set up a local repository, but git reports the same error, which leads me to believe the problem is with my certificates.
I have even tried the firefox-db2pem.sh, I am not sure it did anything.
Does curl need to be recompiled with nss support? Is there a package I need to compile? nss 3.17.2 is installed; none of the man pages work.
Looking deeper into the nss,
# certutil -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
I think there is something wrong with my nss certificates, but I have run out of time. Any suggestions?
This is on a brand new installation Fedora 20 and CentOS 7, I have not had time to break anything.
The openssl command connects with the server; it is:
$ openssl s_client -connect www.kraxel.org:443
The curl output from the Fedora system is posted below; the output for CentOS is the same with the exception of the curl and nss versions:
$ curl -v https://www.kraxel.org/repos/jenkins/repodata/repomd.xml
* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x6bea60) send_pipe: 1, recv_pipe: 0
* About to connect() to www.kraxel.org port 443 (#0)
* Trying 217.197.83.6...
* Connected to www.kraxel.org (217.197.83.6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL: 'https://www.kraxel.org/repos/jenkins/repodata/repomd.xml'
* About to connect() to www.kraxel.org port 443 (#1)
* Trying 217.197.83.6...
* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 1 (0x6bea60) send_pipe: 1, recv_pipe: 0
* Connected to www.kraxel.org (217.197.83.6) port 443 (#1)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
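A triage helper for the trace above, as an added example that is not part of the original post: it reads `curl -v` output and reports which TLS backend curl used, how many connection attempts were made, which NSS errors appeared, and whether curl retried with SSLv3. The `triage` function, its field names and the trimmed `SAMPLE_TRACE` are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the `curl -v` trace quoted in the post above.
SAMPLE_TRACE = """\
* Connected to www.kraxel.org (217.197.83.6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Error in TLS handshake, trying SSLv3...
* Connected to www.kraxel.org (217.197.83.6) port 443 (#1)
* TLS disabled due to previous handshake failure
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
"""

NSS_ERR = re.compile(r"NSS error (-?\d+) \((\w+)\)")
CONNECTED = re.compile(r"Connected to \S+ \([^)]+\) port \d+ \(#\d+\)")
CURL_EXIT = re.compile(r"^curl: \((\d+)\)")
FALLBACK_MARKERS = ("trying SSLv3",
                    "TLS disabled due to previous handshake failure")


def triage(trace):
    """Summarise a curl -v trace (hypothetical helper, not part of curl)."""
    report = {"backend": None, "attempts": 0, "nss_errors": [],
              "sslv3_fallback": False, "exit_code": None, "stage": "unknown"}
    for line in trace.splitlines():
        if "Initializing NSS" in line:
            report["backend"] = "NSS"        # curl linked against NSS, not OpenSSL
        if CONNECTED.search(line):
            report["attempts"] += 1          # one TCP connection per handshake try
        m = NSS_ERR.search(line)
        if m:
            report["nss_errors"].append((int(m.group(1)), m.group(2)))
        if any(marker in line for marker in FALLBACK_MARKERS):
            report["sslv3_fallback"] = True  # retry at a weaker protocol version
        m = CURL_EXIT.match(line)
        if m:
            report["exit_code"] = int(m.group(1))
    names = {name for _, name in report["nss_errors"]}
    if names == {"SSL_ERROR_NO_CYPHER_OVERLAP"}:
        # The cipher suite is agreed before the server certificate is
        # validated, so this error is not a report about the CA bundle.
        report["stage"] = "cipher-negotiation"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```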
2 thoughts on - Curl: (35) Cannot Communicate Securely With Peer:
Reindl
Thank you for your post.
I am sorry for the second post, my transition to evolution is …
I would like to have a better understanding of this problem before I open a bug report.
Looking at the report, openssl 1.01h has the cipher which supports the www.kraxel.org certificate, specifically the
OpenSSL 1.0.1h TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
FS
It appears my cipher, openssl 1.01e, accepts the certificate used by kraxel, the output of sslscan:
Accepted TLS12 256 ECDHE-RSA-AES256-GCM-SHA384
So why does this not work? Why would this be a bug if I just need to upgrade openssl to 1.01h from 1.01e?
Thank you for your assistance,
Aaron