Disable SSLv3 in cURL?

Modified on: Sat, 30 Jun 2018 10:01:30 +0800

I'm having a problem using cURL to connect to a website hosted on CloudFlare. When I try to connect to the site over HTTPS (using curl -v https://www.xxxxxx.com), it says:

* About to connect() to www.xxxxxx.com port 443 (#0)
*   Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.xxxxxx.com
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL: 'https://www.xxxxxx.com'
* About to connect() to www.xxxxxx.com port 443 (#1)
*   Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#1)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

I contacted CloudFlare about this and they said it is because cURL is trying to connect using SSLv3, which they have disabled because of the POODLE vulnerability. I can connect without any problem with cURL v7.38.0 on FreeBSD 10, but not with cURL v7.29.0 on CentOS 6.5.

If it is because it's trying to connect with SSLv3, how do I disable SSLv3 in cURL? Or is it something else?

Author: ub3rst4r

Best answer

It looks like this problem is caused by a version of cURL that does not support ECC 256-bit SSL certificates and the ECDSA signature algorithm (which CloudFlare uses). You can test whether your version of cURL supports this cipher by running the following command:

curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com

If you get the following, your cURL is out of date:

curl: (59) Unknown cipher in list: ecdhe_ecdsa_aes_128_sha

Otherwise, if it connects and shows no error, it is up to date.

Since CentOS seems to vet updates thoroughly before applying them to its packages, it's hard to say when this will be fixed. The ONLY way to solve this problem is to update cURL; passing -k/--insecure will have no effect.

Author: ub3rst4r
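The diagnosis above hinges on reading two things correctly: the NSS error in the verbose transcript (-12286, "no common encryption algorithm") and the exit status of the cipher probe (59 means cURL does not even know the cipher name, so the build is too old for ECDHE-ECDSA). The script below is an added example, not code from the question or the answer. It works on captured text so it can be run offline: the sample transcript is built from the lines in the question, and the `curl -V` banner for CentOS 6 is an assumed, constructed example rather than output captured from the poster's machine. The live probe function is optional and reuses the exact command from the answer.

```shell
#!/bin/sh
# Added diagnostic helpers for the "no cipher overlap" failure (example
# code, not from the original post). Everything except probe_ecdsa_support
# runs offline on text you pass in.

# Classify a `curl -v` transcript passed as $1.
# Prints one of: no-cipher-overlap, cert-verify, other
classify_curl_transcript() {
    if printf '%s\n' "$1" | grep -Eq 'SSL_ERROR_NO_CYPHER_OVERLAP|no common encryption algorithm'; then
        # NSS error -12286: client and server share no cipher suite at all.
        # This is decided at ServerHello, before any certificate is checked,
        # so -k/--insecure cannot help here.
        echo no-cipher-overlap
    elif printf '%s\n' "$1" | grep -Eq 'SEC_ERROR_UNTRUSTED_ISSUER|SSL_ERROR_BAD_CERT_DOMAIN|Peer certificate cannot be authenticated'; then
        # Certificate verification problems are the only class that
        # -k/--insecure bypasses.
        echo cert-verify
    else
        echo other
    fi
}

# Print "<curl version> <TLS backend> <backend version>" from the first line
# of `curl -V` output passed as $1 (for example "7.29.0 NSS 3.15.3").
# The backend decides which cipher names curl accepts with --ciphers.
curl_tls_backend() {
    printf '%s\n' "$1" | sed -n 's|^curl \([0-9.]*\) .*libcurl/[0-9.]* \([A-Za-z]*\)/\([0-9.a-z]*\).*|\1 \2 \3|p'
}

# Interpret the exit status of the probe command from the answer:
#   curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com
interpret_probe_status() {
    case "$1" in
        0)  echo 'ok: ECDHE-ECDSA suites supported' ;;
        59) echo 'too-old: cipher name unknown to this curl' ;;
        35) echo 'handshake-failed: SSL connect error (exit 35)' ;;
        *)  echo "other: curl exit $1" ;;
    esac
}

# Live probe (needs network and curl); prints the interpretation string.
# Not called by default so the script stays runnable offline.
probe_ecdsa_support() {
    url=${1:-https://sslspdy.com}
    curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha "$url" >/dev/null 2>&1
    interpret_probe_status $?
}

# Constructed sample input: the NSS lines from the question, and an assumed
# `curl -V` banner for a CentOS 6 box (not captured from the poster's system).
SAMPLE_TRANSCRIPT='* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).'
SAMPLE_BANNER='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

echo "transcript: $(classify_curl_transcript "$SAMPLE_TRANSCRIPT")"
echo "backend:    $(curl_tls_backend "$SAMPLE_BANNER")"
echo "probe 59:   $(interpret_probe_status 59)"
```

On the question's transcript this reports no-cipher-overlap and an NSS backend, which matches the answer: the failure happens while negotiating a cipher suite, before the server certificate is ever presented, so skipping certificate verification with -k changes nothing. Running `probe_ecdsa_support` against a host that only offers ECDHE-ECDSA suites turns the probe's exit status into the same classification the answer describes (59 for a cURL that does not know the cipher name).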
