There's a yum repo for qemu firmwares at https://kraxel.org/repos/jenkins . It's handy for testing UEFI support in the virt stack. Lately I can't use it on F20, because curl - which yum uses for fetching packages - can't talk to the server. It spits an error:

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

F20's wget can get stuff from the server fine. Using -v, I can see curl's using its NSS backend (though ldd shows for some reason it's built against both nss and openssl).

SSLlabs.com shows kraxel.org's cipher suite as:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS   256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 4096 bits (p: 512, g: 1, Ys: 512)   FS   128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)           256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)           256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)           128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)           128

It also only supports TLS 1.2, but I think curl should support 1.2 in F20. I can see from comparing curl-7.32.0/lib/nss.c (F20) and curl-7.37.0/lib/vtls/nss.c (F21) that curl only got SHA256 cipher support between those releases some time; would it be possible to backport it to the F20 curl? Thanks!
FWIW I did try just patching the bits from curl 7.37's nss.c that enable the SHA256 ciphers into curl 7.32. It built, it runs, but it still won't connect to kraxel.org, and I can't specify the SHA256 ciphers with --ciphers on the command line (it says they're unknown). So I guess they may not be in F20's nss, even though it looks like it's a new enough version that it could have them. I'll look into it a bit more later.
(In reply to Adam Williamson (Red Hat) from comment #0)
> curl: (35) Cannot communicate securely with peer: no common encryption
> algorithm(s).

TLS 1.2 is not enabled by default in curl/nss, see bug #994599 for details.

> Using -v, I can see curl's using its NSS backend (though ldd shows for some
> reason it's built against both nss and openssl).

NSS is used mainly to implement TLS in libcurl. openssl gets loaded via libssh2, which uses openssl crypto to implement SCP/SFTP protocols.

I can backport the options of (lib)curl to enable TLS 1.2, but I am afraid that it will not help to resolve the issue with yum. Changing libcurl's default in an already released Fedora seems risky, given the fact that we are about to drop the fallback to SSLv3 at the same time: http://thread.gmane.org/gmane.comp.web.curl.library/43887
I have enabled TLS 1.2 by default in Fedora 20 and by option in Fedora 19.
curl-7.29.0-26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-26.fc19
curl-7.32.0-16.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-16.fc20
Enabling it as an option won't help yum in f19 immediately, will it? yum would have to adjust its use of curl?
Exactly. This update should not break working F19 installations, whereas broken F19 installations can be fixed by upgrading to F20. In any case, the options added to enable new cipher-suites and TLS versions might be pretty useful to diagnose issues like this.
Package curl-7.32.0-16.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.32.0-16.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15706/curl-7.32.0-16.fc20
then log in and leave karma (feedback).
curl-7.32.0-16.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.37.0-11.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/curl-7.37.0-11.fc21
curl-7.32.0-17.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-17.fc20
curl-7.29.0-27.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-27.fc19
curl-7.32.0-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.37.0-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.29.0-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
I'm getting this error on fc21 when attempting to reach https://test.do:

$ curl https://test.do
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

$ rpm -q curl
curl-7.37.0-12.fc21.x86_64

$ curl --version
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.3 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)     ECDH 256 bits (eq. 3072 bits RSA)   FS   112
(In reply to IanB from comment #16)
> I'm getting this error on fc21 when attempting to reach https://test.do:
>
> $ curl https://test.do
> curl: (35) Cannot communicate securely with peer: no common encryption
> algorithm(s).

It connects successfully if you enable the requested cipher-suite:

$ curl -svo/dev/null --ciphers ecdhe_ecdsa_aes_128_gcm_sha_256 https://test.do
* Rebuilt URL to: https://test.do/
*   Trying 2400:cb00:2048:1::681c:182e...
* connect to 2400:cb00:2048:1::681c:182e port 443 failed: Network is unreachable
*   Trying 2400:cb00:2048:1::681c:192e...
* connect to 2400:cb00:2048:1::681c:192e port 443 failed: Network is unreachable
*   Trying 104.28.25.46...
* Connected to test.do (104.28.25.46) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=sni39227.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
*       start date: Oct 18 00:00:00 2014 GMT
*       expire date: Sep 30 23:59:59 2015 GMT
*       common name: sni39227.cloudflaressl.com
*       issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: test.do
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
< Date: Wed, 14 Jan 2015 08:12:54 GMT
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d6e2c461df85d0a83e150ebe378eadaea1421223174; expires=Thu, 14-Jan-16 08:12:54 GMT; path=/; domain=.test.do; HttpOnly
< Cache-Control: no-cache,no-store,must-revalidate
< X-Hudson-Theme: default
< Set-Cookie: JSESSIONID.ed7330dc=125ittf9euro417715g1ljvbo;Path=/;Secure;HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Hudson: 1.395
< X-Jenkins: 1.594
< X-Jenkins-Session: 7b4bcba4
< X-Hudson-CLI-Port: 53595
< X-Jenkins-CLI-Port: 53595
< X-Jenkins-CLI2-Port: 53595
< X-Frame-Options: sameorigin
< X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoY90flR67oYHcdawaNBM4t8grQmoqa0jSYZPGo+ZgMh6E0QR+32AcOHYmDGOF/pVLl9EDH/t6h9dFeHg0huPi/zIL1iGh9ZhK/ar4q4+IXLmLNnwwcJ6+CeGCShNVQ/kB8ilkNCX0IXqVBbXVntmX/CenUgqMeMNdSvIzD0k8oTolQ+zTATytF4vNYbwFOwuOYqFEy3gZuwPt1oH6+IyN+3Ey5ksc9H/ukedQ+fpu6RE8gWdVT7alro2XOpVEdg0FLNPmnVBqtWJr+OVaEGuzL5Ol+23HDeVGAuMCKZqpCyi79wy2wGbDZFcA4l1afrwVISOwRsfHo+jioZcJLEgbQIDAQAB
< X-SSH-Endpoint: test.do:45609
< CF-RAY: 1a885f0694920583-PRG
<
{ [2938 bytes data]
* Connection #0 to host test.do left intact
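The two failures in this thread (comment #0 against kraxel.org, comment #16 against test.do) have the same shape: the server only offers TLS 1.2 suites with SHA-256/SHA-384 MACs, and a client whose TLS 1.2 suites are disabled offers none of them, so the handshake has no common suite and curl reports error 35. The following is an added example, not code from the bug report, curl or NSS: it parses an SSL Labs-style suite list such as the one pasted in comment #0, intersects it with a client's offered suites in server-preference order, and reproduces the outcome before and after the TLS 1.2 suites are enabled. The client suite lists (OLD_CLIENT, TLS12_EXTRA) are constructed for illustration and are not curl's or NSS's real defaults. The iana_to_curl_nss helper generalises the single naming instance visible in comment #17 (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is passed to --ciphers as ecdhe_ecdsa_aes_128_gcm_sha_256) into a spelling rule; that rule is an assumption about curl's NSS backend and is only verified here against that one instance.

```python
import re

# Constructed sample: the server suite list as SSL Labs prints it, flattened
# onto one line the way it appears in comment #0 of the bug report.
SSLLABS_KRAXEL = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 "
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256 "
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128 "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128 "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 256 "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 4096 bits (p: 512, g: 1, Ys: 512) FS 128 "
    "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 "
    "TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 "
    "TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 "
    "TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128"
)

# An IANA suite name followed by its code point in parentheses, e.g. "(0xc030)".
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")


def parse_ssllabs_suites(text):
    """Return [(iana_name, code_point), ...] in the server's preference order."""
    return [(name, int(code, 16)) for name, code in SUITE_RE.findall(text)]


# Constructed client lists (assumptions for illustration, not real curl/NSS defaults).
# OLD_CLIENT stands in for a client with TLS 1.2 disabled: only SHA-1 suites.
OLD_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Suites the same client gains once TLS 1.2 (and its SHA-256/384 suites) is enabled.
TLS12_EXTRA = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]


def negotiable(server_suites, client_suites):
    """Suites both sides offer, kept in server order (the server makes the choice)."""
    offered = set(client_suites)
    return [name for name, _ in server_suites if name in offered]


def diagnose(server_text, client_suites):
    """Mimic the handshake outcome: the selected suite, or the curl/NSS error text."""
    common = negotiable(parse_ssllabs_suites(server_text), client_suites)
    if not common:
        return ("curl: (35) Cannot communicate securely with peer: "
                "no common encryption algorithm(s).")
    return "SSL connection using " + common[0]


def iana_to_curl_nss(name):
    """Assumed spelling rule for curl's NSS --ciphers names, generalised from the
    one instance in the thread: drop TLS_/WITH_/CBC_, lower-case the rest, and
    separate the digest length with an underscore (SHA256 -> sha_256)."""
    s = name
    for token in ("TLS_", "WITH_", "CBC_"):
        s = s.replace(token, "")
    s = re.sub(r"SHA(\d+)$", r"SHA_\1", s)
    return s.lower()


if __name__ == "__main__":
    print(diagnose(SSLLABS_KRAXEL, OLD_CLIENT))
    print(diagnose(SSLLABS_KRAXEL, OLD_CLIENT + TLS12_EXTRA))
    print(iana_to_curl_nss("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"))
```

Run stand-alone, the first diagnose call yields the error 35 text from the report (no overlap between a SHA-1-only client and a SHA-256-only server), the second yields the server's top preference, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, once the TLS 1.2 suites are in the client's offer. The same parser can be fed the test.do list from comment #16; there the only overlap with a client lacking SHA-256 suites would be the SHA-1 ECDSA suites, which an ECDSA-capable client needs to offer.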