ub3*_*t4r 6 ssl openssl curl tls poodle
我在使用 cURL 连接到由 CloudFlare 托管的网站时遇到问题。当我尝试使用 HTTPS(使用curl -v https://www.xxxxxx.com)连接到网站时,它说:
* About to connect() to www.xxxxxx.com port 443 (#0)
* Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.xxxxxx.com
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL: 'https://www.xxxxxx.com'
* About to connect() to www.xxxxxx.com port 443 (#1)
* Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#1)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
我就这个问题联系了 CloudFlare,他们说这是因为 cURL 正在尝试使用 SSLv3 进行连接,他们因为 POODLE 漏洞而禁用了它。我可以在 FreeBSD 10 上连接 cURL v7.38.0 没有问题,但在 CentOS 6.5 上连接 cURL v7.29.0 不行。
如果是因为它试图连接到 SSLv3,那么如何在 cURL 上禁用 SSLv3?或者是别的什么?
看起来这个问题是由于 cURL 的版本不支持 ECC 256 位 SSL 证书和 ECDSA 签名算法(由 CloudFlare 使用)引起的。您可以通过运行以下命令来测试您的 cURL 版本是否支持这种加密:
curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com
如果您收到以下信息,则您的 cURL 已过期:
curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha
否则,如果它连接并且不显示错误,则它是最新的。
由于 CentOS 似乎在将更新应用到其软件包之前彻底筛选了更新,因此很难说何时会修复此问题。解决这个问题的唯一方法是更新 cURL,通过-k或--insecure不起作用。
| 归档时间: |
|
| 查看次数: |
19494 次 |
| 最近记录: |