How to fix curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s)

Asked 29/6, 2015 at 4:33 Answered 17/1, 2018 at 5:37

I am trying to access and download some .torrent files from https://torrage.com using php curl. But nothing happens , curl_error($ch) gives

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;

this gives.

Cannot communicate securely with peer: no common encryption algorithm(s).

If I try from shell like this

[root@prod1 yum.repos.d]# curl -I https://torrage.com
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

in verbose mode

[root@prod1 yum.repos.d]# curl -v https://torrage.com
* Rebuilt URL to: https://torrage.com/
*   Trying 81.17.30.48...
* Connected to torrage.com (81.17.30.48) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

system info centos 7. x86_64

[root@prod1 yum.repos.d]# uname -a
Linux prod1.localdomain 3.10.0-229.4.2.el7.x86_64 #1 SMP Wed May 13 10:06:09 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

curl version

[root@prod1 yum.repos.d]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu)

openssl , already patched.

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

verifying openssl patched or not.

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

What i have tried :

1) i have tried using HTTP insted of HTTPS, but the site forces to use HTTPS. e.g.

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/

2) updating ca-bundle.crt

cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

3) Updating Curl to latest version 7.43.0

nano /etc/yum.repos.d/city-fan-for-curl.repo

with this repo.

[CityFanforCurl]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/
enabled=0
gpgcheck=0

and then doing

yum update curl --enablerepo=CityFanforCurl

then verifying curl version

[root@prod1 yum.repos.d]# curl -V
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 NSS/3.18 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink

4) i have tried this to check whether my curl is outdated or not.

reference: https://unix.stackexchange.com/questions/162816/disable-sslv3-in-curl

[root@prod1 yum.repos.d]# curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com
HTTP/1.1 200 OK
Server: nginx centminmod
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubdomains
Date: Mon, 12 Jan 1970 23:00:11 GMT
X-Page-Speed: ngx_pagespeed
Cache-Control: max-age=0, no-cache

How can i fix the issue ? and download files from Torrage.com using PHP Curl ?

*I cant use file_get_contents as i am using curl_multi for simultaneous downloads.

Update 1:

As suggested by steffen-ullrich

[root@prod1 randoadmin]# curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -I https://torrage.com
HTTP/1.1 200 OK
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 05:54:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 29 Jun 2015 05:50:40 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding, Accept-Encoding
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

but thats with shell how can i implement it with PHP-curl ?

Update 2:

i have modified code and defined cipher to use while using curl like this.

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_rsa_aes_128_gcm_sha_256');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;
echo $data ;

Its working great. Issue solved many thanks to steffen-ullrich .

Shinbone answered 29/6, 2015 at 4:33 Comment(3)

Have you upgraded your openssl package as well? – Jurat 29/6, 2015 at 4:43

@Ja͢ck nope, i am trying it now. Thanks – Shinbone 29/6, 2015 at 4:44

@Ja͢ck yes, its already patched. just checked , ref: liquidweb.com/kb/… – Shinbone 29/6, 2015 at 4:48

The server supports only ECC ciphers (ECDHE-*). The version of curl is built with the NSS library on Redhat/CentOS. There is a bug report that Redhat/CentOS overrides the curl settings and disables ECC ciphers by default. Because there are thus no ECC ciphers offered by the client but only ECC ciphers are supported by the server the connection will fail.

You might try to explicitly give the cipher, i.e.

curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 ...

Note that upgrading OpenSSL would not help because curl is not built with the OpenSSL backend. Also it does not help to disable certificate validation (bad idea anyway) or to change the root CA's since the problem is not related to certificate validation at all.

Trying to explicitly give the cipher with --ciphers ecdhe_ecdsa_aes_128_sha as the cipher to solve the problem goes into the right direction but will not help in this case, because this is not one of the ciphers supported by the servers. The server supports only various ECDHE-RSA-* ciphers but not ECDHE-ECDSA-* ciphers. See SSLLabs for details.

Un answered 29/6, 2015 at 5:49 Comment(3)

Thanks , for your input, its very heavy for me understand the ciphers , but i am learning, so far its working on shell, but how can i define cipher in php curl request ? thanks – Shinbone 29/6, 2015 at 5:58

@AMB: If you use the documentation at php.net/manual/en/function.curl-setopt.php and you will find the CURLOPT_SSL_CIPHER_LIST setting. – Un 29/6, 2015 at 6:0

for me curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_rsa_aes_128_gcm_sha_256'); worked as it was a different torrent site. – Macpherson 21/12, 2015 at 6:8

If you're on CentOS 7 and are getting these errors while using yum, updating nss nss-util nss-sysinit nss-tools will fix it.

Warship answered 21/4, 2016 at 15:58 Comment(1)

After about 2 hours of debugging, setting multiple options for curl in my php page, you saved me. Thank you! If you are on a VPS and a curl command line call gives curl: (35) Cannot communicate securely with peer error, try above yum update, should help. command is : yum update nss nss-util nss-sysinit nss-tools – Phoebe 23/5, 2016 at 20:11

On Centos 7 or above upgrading the curl to the latest version i.e. 7.29.* fixed the issue for me.

Orate answered 17/1, 2018 at 5:37 Comment(1)

It has worked for me after trying above ciphers and nss update suggestions. – Kab 10/1, 2019 at 10:13

There is also possibility to check

on unix (hope win also):

> curl -v https://www.youtube.com > test.html

note: replace "https://www.youtube.com" with your domain with protocol

Directing output to test.html so we will only see wanted information on the screen

result:

* Rebuilt URL to: https://www.youtube.com/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2404:6800:4005:80d::200e...
*   Trying 216.58.221.238...
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.youtube.com (2404:6800:4005:80d::200e) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS Unknown, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv2, Unknown (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv2, Unknown (22):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv2, Unknown (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv2, Unknown (22):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
*        start date: 2017-11-29 09:44:32 GMT
*        expire date: 2018-02-21 09:37:00 GMT
*        subjectAltName: www.youtube.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.
* SSLv2, Unknown (23):
} [data not shown]
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: www.youtube.com
> Accept: */*
> 
* SSLv2, Unknown (23):
{ [data not shown]
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Tue, 27 Apr 1971 19:44:06 EST
< Strict-Transport-Security: max-age=31536000
< P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=uk for more info."
< Cache-Control: no-cache
< Date: Tue, 26 Dec 2017 12:26:21 GMT
* Server YouTube Frontend Proxy is not blacklisted
< Server: YouTube Frontend Proxy
< Set-Cookie: YSC=lkUUrudTNJM; path=/; domain=.youtube.com; httponly
< Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Mon, 27-Aug-2018 00:19:21 GMT
< Set-Cookie: VISITOR_INFO1_LIVE=Qo2rlICrfJM; path=/; domain=.youtube.com; expires=Mon, 27-Aug-2018 00:19:21 GMT; httponly
< Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< 
{ [data not shown]
100   152    0   152    0     0    114      0 --:--:--  0:00:01 --:--:--   114* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
* SSLv2, Unknown (23):

.......... many-other-same-not-interesting-rows .........

{ [data not shown]
* SSLv2, Unknown (23):
{ [data not shown]
100  425k    0  425k    0     0   113k      0 --:--:--  0:00:03 --:--:--  113k
* Connection #0 to host www.youtube.com left intact

See:

* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256

and use:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ECDHE-ECDSA-AES128-GCM-SHA256');

Riplex answered 26/12, 2017 at 12:30 Comment(1)

This is a good suggestion, but in general the cipher used by your test site (youtube.com) might not be supported by the target site. – Delanadelancey 24/6, 2019 at 18:17

-1

Neither of the above worked for me. I suspected it had to do with Curl version. Curl_version(); returned 7.29, while on the server I installed 7.49.1, which probably had those SSL issues fixed.

Suddenly I remembered about Cloudflare and disabled CDN just in case. Curl started working. Then I switched to PHP 7 and Curl started working even with Cloudflare CDN on. Curl_version(); started returning 7.49.1.

I don't know how that worked and what exactly happened, but after tireless hours of looking for the solution this was what I found.

Caldron answered 8/7, 2016 at 14:48 Comment(2)

While this might be valuable info, it is not an answer. – Musser 8/7, 2016 at 14:51

The answer is: when nothing of the above works, check Curl version and update it. Had this valuable info been here the day before yesterday, it would have saved me two days of my life. – Caldron 8/7, 2016 at 18:15

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags