CloudFlare provides a nice protection from DDoS and other hacking activities, last year they even added a free UniverSSL package to all users. The problem began with the cURL ciphers on cloudflare-enabled websites. cURL does not successfully handshake with cloudflare servers with its default encryption algorithms.
Update: Recent update on cURL and nss libs have enabled curl to operate on CloudFlare-enabled web pages without doing anything. Git also works now.
I test my website out using openssl s_client.
openssl s_client -connect luxing.im:443
We could see the following output:
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...
OK so it is using ECDHE-RSA-AES128-GCM-SHA256 cipher to connect to my website.
Well, let’s try this:
curl https://luxing.im --cipher ecdhe_rsa_aes_128_gcm_sha_256
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
Huh. Strange isn’t it? With a LOT of searching, finally I got an answer from here, I added the suggested line to .curlrc in my home directory:
ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"
Then try:
curl -v https://luxing.im
Yes, now my curl is working. Let’s see the output:
...
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...
OK. It is actually using the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 algorithm, so forcing the cipher to use ecdhe_ecdsa_aes_128_gcm_sha_256 works.
My curl is:
curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
And I am on Fedora 20+.
Note:
1. Debian/RHEL/CentOS series does not support this algorithm. You’ll have to create a ticket to CloudFlare support to discuss it with them.
2. According to this, git uses cURL to access https repositories but this workaround won’t help. Too bad.