cURL support for CloudFlare-enabled websites

CloudFlare provides good protection against DDoS and other attacks, and last year they even added free Universal SSL for all users. The problem is the cipher suites cURL offers to CloudFlare-enabled websites: with its default cipher list, cURL (built against NSS, as it is on Fedora) fails the TLS handshake with CloudFlare's servers.

Update: recent updates to cURL and the NSS libraries let curl talk to CloudFlare-enabled websites without any of the configuration below. Git works now too.

I tested my website with openssl s_client:

openssl s_client -connect luxing.im:443

which prints, among other things:

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...

So OpenSSL negotiated the ECDHE-RSA-AES128-GCM-SHA256 suite with my website.

Now let's ask curl for the same suite, in the NSS backend's naming:

curl https://luxing.im --ciphers ecdhe_rsa_aes_128_gcm_sha_256

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Huh. Strange, isn't it? After a LOT of searching I finally found an answer, and added the suggested line to .curlrc in my home directory (note that this replaces curl's default cipher list for every site you contact, so remove it once your curl no longer needs it):

ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"

Then try:

curl -v https://luxing.im

Yes, now my curl works. The verbose output shows:

...
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...

OK. So curl actually negotiated TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, an ECDSA suite rather than the ECDHE-RSA one OpenSSL picked; the entry in that list that makes the handshake succeed is ecdhe_ecdsa_aes_128_gcm_sha_256. Note the three spellings of one suite: OpenSSL prints ECDHE-ECDSA-AES128-GCM-SHA256, curl's NSS backend prints the IANA name TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and --ciphers with the NSS backend takes ecdhe_ecdsa_aes_128_gcm_sha_256.
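Translating between those three spellings by hand is where mistakes creep in, so here is an added example (not part of the original post) that reads the SSL-Session block of openssl s_client output, converts the negotiated suite to its IANA name and to the token curl's NSS backend expects, and builds the ciphers= line for .curlrc. The s_client sample is constructed to mirror the output quoted above, not a live capture, and the conversion rules for the "cbc" token are inferred from the .curlrc list in the post (the code checks itself against that list); for suites not on that list, verify the token against curl's own SSL-CIPHERS documentation.

```python
import re

# Constructed sample modelled on the s_client output quoted in the post
# (not a live capture).
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

# OpenSSL-style names of the RSA / DHE-RSA / ECDHE AES suites; the key
# exchange prefix is absent for plain RSA ("AES128-SHA").
_SUITE_RE = re.compile(
    r"^(?:(ECDHE-ECDSA|ECDHE-RSA|DHE-RSA)-)?AES(128|256)-(GCM-)?(SHA|SHA256|SHA384)$")


def parse_s_client(output):
    """Return (protocol, cipher) from the SSL-Session block of s_client output.

    A failed handshake prints no SSL-Session summary (only 'Cipher is (NONE)'
    further up), so raise rather than return something unusable."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher or cipher.group(1) in ("(NONE)", "0000"):
        raise ValueError("no negotiated cipher in s_client output")
    return proto.group(1), cipher.group(1)


def split_suite(openssl_name):
    """Decompose an OpenSSL AES suite name into (kx, bits, mode, mac)."""
    m = _SUITE_RE.match(openssl_name)
    if not m:
        raise ValueError("unsupported suite: %s" % openssl_name)
    kx, bits, gcm, mac = m.groups()
    return (kx or "RSA", bits, "GCM" if gcm else "CBC", mac)


def to_iana(openssl_name):
    """IANA name, which is also what curl's NSS backend prints with -v."""
    kx, bits, mode, mac = split_suite(openssl_name)
    return "TLS_%s_WITH_AES_%s_%s_%s" % (kx.replace("-", "_"), bits, mode, mac)


def to_curl_nss(openssl_name):
    """Token accepted by curl --ciphers when curl is built against NSS.

    Tokens are lowercase with underscores and spell the MAC 'sha_256'.
    They are irregular about 'cbc': in the post's list the plain-SHA RSA
    suites omit it ('rsa_aes_128_sha') while the DHE ones keep it
    ('dhe_rsa_aes_128_cbc_sha'). That observed rule is applied here
    (assumption for suites the post does not list)."""
    kx, bits, mode, mac = split_suite(openssl_name)
    parts = [kx.lower().replace("-", "_"), "aes", bits]
    if mode == "GCM" or mac != "SHA" or kx == "DHE-RSA":
        parts.append(mode.lower())
    parts.append("sha" if mac == "SHA" else "sha_" + mac[3:])
    return "_".join(parts)


def curlrc_line(openssl_names):
    """Build the ciphers= line for ~/.curlrc from OpenSSL-style names."""
    return 'ciphers="%s"' % ",".join(to_curl_nss(n) for n in openssl_names)


# The post's .curlrc list written in OpenSSL names, and the post's line
# itself; reproducing the latter from the former checks the naming rules.
POST_CURLRC_SUITES = [
    "AES256-SHA", "AES128-SHA",
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
    "AES256-SHA256", "AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
]
POST_CURLRC_LINE = (
    'ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,'
    'dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,'
    'dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,'
    'rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,'
    'ecdhe_ecdsa_aes_128_gcm_sha_256"')


if __name__ == "__main__":
    proto, cipher = parse_s_client(SAMPLE_S_CLIENT)
    print("server negotiated %s %s" % (proto, cipher))
    print("  IANA name      :", to_iana(cipher))
    print("  curl+NSS token :", to_curl_nss(cipher))
    print(curlrc_line(POST_CURLRC_SUITES))
```

Feed it the s_client output for a host and the last line is what goes into .curlrc; if you are on a curl built against OpenSSL instead of NSS, --ciphers takes the OpenSSL names directly and no translation is needed.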

My curl is:

curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink

And I am on Fedora 20+.

Notes:
1. The curl builds shipped by the Debian/RHEL/CentOS families don't support this cipher suite. You'll have to open a ticket with CloudFlare support and discuss it with them.
2. According to this, git uses cURL to access https repositories, but this workaround won't help it. Too bad.
