Curl on Fedora does not accept Cloudflare https

Jeroen asked:

Using curl on a clean vanilla Fedora 21 to retrieve a site hosted via the Cloudflare HTTPS service gives an error:

>> curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).


>> curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

This problem only appears on Fedora, not on Ubuntu or Mac running the same version of curl. I suppose it must be related to NSS then:

curl --version
>> curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.3 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3

certutil -L
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Any guess as to what I am doing wrong?

My answer:

The common factor with both of these sites is that they use ECC SSL certificates to secure their https connections, rather than the traditional RSA certificates used by most sites. These are currently very rare, but they are expected to increase in popularity in the future.

Both the versions of curl and NSS in use were built with ECC and therefore ought to support these certificates, so I think you’ve run into a bug in Fedora and should report it. A related bug was recently fixed in RHEL 7.

As a workaround, you can use wget instead of curl, which has no problem connecting to these sites (though the latter returns a 409 Conflict error).

View the full question and answer on Server Fault.
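
Added example, not part of the original question or answer: the same curl version can link against different TLS libraries, which is why the Fedora build behaves differently from Ubuntu or Mac. This sketch reads the TLS backend and the NSS ECC marker out of a `curl --version` banner; the function names and the OpenSSL banner are constructed for illustration, while the Fedora banner is the one quoted in the question.

```shell
#!/bin/sh
# Classify a `curl --version` banner by TLS backend and NSS ECC marker.

# Banner quoted in the question (Fedora 21).
FEDORA_BANNER='curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.3 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3'
# Constructed banner: the same curl version linked against OpenSSL.
OPENSSL_BANNER='curl 7.37.0 (x86_64-pc-linux-gnu) libcurl/7.37.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28'

# tls_backend BANNER -> prints the TLS library token, or "unknown".
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E -m1 '^(NSS|OpenSSL|GnuTLS|LibreSSL)/|^SecureTransport$' ||
        echo unknown
}

# nss_ecc_level BANNER -> prints "basic", "extended" or "not-advertised".
# Only NSS builds put an ECC marker in the banner; "not-advertised" on
# another backend says nothing about that backend's ECC support.
nss_ecc_level() {
    case $1 in
        *NSS/*" Basic ECC"*)    echo basic ;;
        *NSS/*" Extended ECC"*) echo extended ;;
        *)                      echo not-advertised ;;
    esac
}

# report LABEL BANNER -> one summary line per build.
report() {
    printf '%s: backend=%s nss_ecc=%s\n' \
        "$1" "$(tls_backend "$2")" "$(nss_ecc_level "$2")"
}

report fedora  "$FEDORA_BANNER"
report openssl "$OPENSSL_BANNER"

# To check the local build instead of the sample banners:
#   report local "$(curl --version | head -n 1)"
```

When filing the bug report the answer recommends, include the backend token and ECC marker alongside the failing URL so the maintainer can see which TLS library is involved.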

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.