curl – Luxing Huang https://luxing.im Thoughs and things Sun, 12 Jun 2016 02:04:32 +0000 en-CA hourly 1 https://wordpress.org/?v=6.7.2 58771605 cURL support for CloudFlare-enabled websites https://luxing.im/curl-support-for-cloudflare-enabled-websites/ https://luxing.im/curl-support-for-cloudflare-enabled-websites/#respond Mon, 06 Apr 2015 12:05:22 +0000 https://luxing.im/?p=478 Continue reading "cURL support for CloudFlare-enabled websites"

]]> CloudFlare provides a nice protection from DDoS and other hacking activities, last year they even added a free UniverSSL package to all users. The problem began with the cURL ciphers on cloudflare-enabled websites. cURL does not successfully handshake with cloudflare servers with its default encryption algorithms.

Update: Recent update on cURL and nss libs have enabled curl to operate on CloudFlare-enabled web pages without doing anything. Git also works now.

I test my website out using openssl s_client.

openssl s_client -connect luxing.im:443

We could see the following output:

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...

OK so it is using ECDHE-RSA-AES128-GCM-SHA256 cipher to connect to my website.

Well, let’s try this:

curl https://luxing.im --cipher ecdhe_rsa_aes_128_gcm_sha_256

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Huh. Strange isn’t it? With a LOT of searching, finally I got an answer from here, I added the suggested line to .curlrc in my home directory:

 ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"

Then try:

curl -v https://luxing.im

Yes, now my curl is working. Let’s see the output:

...
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...

OK. It is actually using the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 algorithm, so forcing the cipher to use ecdhe_ecdsa_aes_128_gcm_sha_256 works.

My curl is:

curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink

And I am on Fedora 20+.

Note:
1. Debian/RHEL/CentOS series does not support this algorithm. You’ll have to create a ticket to CloudFlare support to discuss it with them.
2. According to this, git uses cURL to access https repositories but this workaround won’t help. Too bad.

]]> https://luxing.im/curl-support-for-cloudflare-enabled-websites/feed/ 0 478