CloudFlare provides good protection against DDoS and other hostile traffic, and last year they added a free Universal SSL package for all users. The problem began with cURL's ciphers on CloudFlare-enabled websites: the curl build on my system does not complete the TLS handshake with CloudFlare's servers using its default cipher list.
Update: recent updates to cURL and the NSS libraries let curl talk to CloudFlare-enabled sites without any extra configuration. Git works now too.
First I test my website with openssl s_client:
openssl s_client -connect luxing.im:443
The session summary at the end of the output reads:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
OK, so OpenSSL negotiated the ECDHE-RSA-AES128-GCM-SHA256 cipher with my website. Two caveats before trusting that number: s_client in OpenSSL 1.0.x sends no SNI unless you pass -servername, and a host that serves more than one certificate may hand a different certificate (and therefore a different cipher suite) to a client that advertises different capabilities, so what s_client reports is what this particular client got, not necessarily what curl will get.
Well, let’s try this:
curl https://luxing.im --cipher ecdhe_rsa_aes_128_gcm_sha_256
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
Huh. Strange, isn't it? After a lot of searching I finally found an answer here, and added the suggested line to the .curlrc in my home directory (a ciphers setting that pins the ECDSA suite named in the result below, not the RSA one s_client reported). Then:
curl -v https://luxing.im
Yes, now my curl works. The relevant line of the verbose output:
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
OK. curl actually negotiated TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (NSS prints the IANA suite name, while openssl s_client prints OpenSSL's short name), so forcing the NSS cipher name ecdhe_ecdsa_aes_128_gcm_sha_256 works; the ecdhe_rsa variant I tried first was the wrong suite, not merely the wrong spelling.
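The confusing part of the exchange above is that three spellings of one cipher suite are in play: OpenSSL's short name (what s_client prints), the IANA TLS_* name (what an NSS-built curl -v prints), and the lowercase underscore name that curl's NSS backend accepts in --ciphers or ~/.curlrc. The following is an added example for this post, not code from the original page or from curl; it parses the s_client session summary shown earlier and derives the other two spellings. The allowlist of AES suites and the regular rewrite rules are this example's own assumption, restricted to suites whose names follow the pattern; anything else is rejected rather than guessed.

```python
"""Map a negotiated TLS cipher suite between OpenSSL, IANA and curl/NSS names.

Added example (not the post's or curl's own code). Assumptions: only the AES
suites in KNOWN_IANA are handled, and NSS names follow curl's documented
pattern (lowercase, no TLS_/WITH/CBC, SHA256 -> sha_256).
"""
import re

# Constructed allowlist: suites whose three spellings are derivable mechanically.
KNOWN_IANA = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

IANA_RE = re.compile(
    r"^TLS_(?P<kx>RSA|DHE_RSA|ECDHE_RSA|ECDHE_ECDSA)_WITH_AES_(?P<bits>128|256)"
    r"_(?P<mode>CBC|GCM)_(?P<mac>SHA|SHA256|SHA384)$"
)
OPENSSL_RE = re.compile(
    r"^(?:(?P<kx>DHE-RSA|ECDHE-RSA|ECDHE-ECDSA)-)?AES(?P<bits>128|256)"
    r"(?:-(?P<mode>GCM))?-(?P<mac>SHA|SHA256|SHA384)$"
)


def openssl_to_iana(name):
    """'ECDHE-RSA-AES128-GCM-SHA256' -> 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.

    OpenSSL omits the key exchange for plain RSA suites and omits 'CBC'.
    """
    m = OPENSSL_RE.match(name)
    if not m:
        raise ValueError("unsupported OpenSSL cipher name: %s" % name)
    kx = (m.group("kx") or "RSA").replace("-", "_")
    mode = m.group("mode") or "CBC"
    iana = "TLS_%s_WITH_AES_%s_%s_%s" % (kx, m.group("bits"), mode, m.group("mac"))
    if iana not in KNOWN_IANA:
        raise ValueError("suite not in allowlist: %s" % iana)
    return iana


def iana_to_nss(iana):
    """'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' -> 'ecdhe_ecdsa_aes_128_gcm_sha_256',
    the spelling curl's NSS backend accepts in --ciphers / ~/.curlrc."""
    if iana not in KNOWN_IANA:
        raise ValueError("suite not in allowlist: %s" % iana)
    m = IANA_RE.match(iana)
    kx, bits, mode, mac = m.group("kx", "bits", "mode", "mac")
    parts = [kx.lower(), "aes", bits]
    if mode == "GCM":          # CBC is implied and not spelled out by NSS
        parts.append("gcm")
    # NSS writes SHA256/SHA384 as sha_256/sha_384, and plain SHA as sha
    parts.append("sha" if mac == "SHA" else "sha_" + mac[3:])
    return "_".join(parts)


def parse_s_client(output):
    """Pull (protocol, cipher) from the session summary of `openssl s_client`."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not (proto and cipher):
        raise ValueError("no session summary found in s_client output")
    return proto.group(1), cipher.group(1)


def curl_ciphers_for(s_client_output):
    """Return (IANA name curl -v would print, value for curl --ciphers on NSS)
    for the suite OpenSSL negotiated."""
    _, cipher = parse_s_client(s_client_output)
    iana = openssl_to_iana(cipher)
    return iana, iana_to_nss(iana)


# Constructed sample, modelled on the s_client summary shown in the post.
SAMPLE = """New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    iana, nss = curl_ciphers_for(SAMPLE)
    print("IANA name (curl -v):     %s" % iana)
    print("curl --ciphers (NSS):    %s" % nss)
```

Run it against real s_client output by piping `openssl s_client -servername host -connect host:443 < /dev/null 2>/dev/null` into the parser. Remember the point of the post: if the server hands curl a different certificate than it handed s_client (here, ECDSA instead of RSA), the suite you have to pin is the one curl -v reports, which you can feed to iana_to_nss directly.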
My curl is:
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
And I am on Fedora 20+.
1. The curl builds shipped by the Debian/RHEL/CentOS series do not offer this cipher suite at all, so the .curlrc workaround cannot help there; you will have to open a ticket with CloudFlare support and discuss it with them.
2. According to this, git uses libcurl to access https repositories, but this workaround won't help it: .curlrc is read only by the curl command-line tool, not by libcurl, so git never sees the forced cipher. Too bad.