SSL Update

By:

SSL Update

We upgraded the agents with updated version of curl to better support testing sites with SSL and ciphers that were only supported  via command line options passed into curl.

A user reported that testing a site such as https://sslspdy.com would return an error

Cannot communicate securely with peer: no common encryption algorithm(s).

This is noted as a resolved issue in RHEL (curl does not support ECDSA certificates)  and unresolved in Fedora (NSS does not enable ECC cipher-suites by default)

and as summarized on this serverfault answer

The common factor with both of these sites is that they use ECC SSL certificates to secure their https connections, rather than the traditional RSA certificates used by most sites. These are currently very rare, but they are expected to increase in popularity in the future.

Both the versions of curl and NSS in use were built with ECC and therefore ought to support these certificates, so I think you’ve run into a bug in Fedora and should report it. A related bug was recently fixed in RHEL 7.

This is visible in a vanilla AWS AMI as well

  • Screen Shot 2015-09-29 at 4.11.23 PM

After updating to recent branch of curl and using –with-sssl this issue is resolved.   If you want to confirm on your account you can clone this simple url test – https://www.redline13.com/share/testplan/17947

Rebuilding Curl

For those that have this issue on their own servers or projects, we posted more of the details below.  If you want test on your own server and rebuild curl here are the quick steps we used for curl on centos, in my case standard AWS AMI.

#1 Get the parameters used to build your current CURL from the command line

sudo su
 yum install libcurl-devel
 curl-config --configure
// update options to use --with-ssl

#2 Some packages required

yum install git libtool openssl-devel gnutls-devel nss-devel libssh2-devel

#3 Going to need the source code

git clone https://github.com/bagder/curl.git
cd curl

#4 Configure and Build Steps

./buildconf
 ./configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-amazon-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-static' '--enable-symbol-hiding' '--enable-ipv6' '--enable-ldaps' '--enable-manual' '--enable-threaded-resolver' '--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt' '--with-gssapi' '--with-libidn' '--with-libssh2' '--with-ssl' '--with-nss' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-amazon-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
 make
 make install

#5 Test

curl https://sslspdy.com

Screen Shot 2015-09-29 at 6.01.43 PM

Success.