あめも

A blog where a beginner infrastructure engineer casually writes about work and everyday life

CentOS 7.1: when curl failed with NSS error -12286

This is about the time running curl on CentOS 7.1 produced NSS error -12286.

It occurred on CentOS 7.1.

[root@hoge ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

The curl version at the time of the error looked like this

[root@hoge ~]# curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz

Running curl against an https site produced the error below (it did not happen on every site)

[root@hoge ~]# curl -v https://hogehoge.com/
* About to connect() to hogehoge.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* Connected to hogehoge.com (xxx.xxx.xxx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

First, I updated curl

[root@hoge ~]# yum update curl

The curl version after the update

[root@hoge ~]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

I ran curl again after the update, but the error was unchanged

[root@hoge ~]# curl -v https://hogehoge.com/
* About to connect() to hogehoge.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* Connected to hogehoge.com (xxx.xxx.xxx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Since the error text said "NSS error", I googled it and found a note saying that updating NSS should help, so I tried that

[root@hoge ~]# yum update nss

curl -V after the NSS update (it doesn't look like anything changed...)

[root@hoge ~]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

After updating NSS, curl returned a result without any trouble

[root@hoge ~]# curl -v https://hogehoge.com/
* About to connect() to hogehoge.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* Connected to hogehoge.com (xxx.xxx.xxx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=hogehoge.com,OU=Domain Control Validated,C=JP
* 	start date:  2月 02 08:44:44 2018 GMT
* 	expire date:  2月 03 08:44:44 2019 GMT
* 	common name: hogehoge.com
* 	issuer: CN=GlobalSign Domain Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hogehoge.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Cache-Control: max-age=0, private, must-revalidate
< X-XSS-Protection: 1; mode=block
< X-Request-Id: 0dfa2529-939d-433f-8263-fa55bdfe8da7
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Apr 2018 11:34:57 GMT
< Vary: Accept-Encoding,User-Agent,Cookie
< X-Cache: HIT
< Accept-Ranges: bytes
< Content-Length: 51430
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000
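A reusable check for the two outcomes walked through above, as an added example (not from the original post): it classifies curl -v output as no-cipher-overlap versus a completed handshake with its cipher suite, and compares the NSS version string from curl -V against a minimum. The sample inputs are constructed from the output shown in the post, and the 3.28.4 minimum is simply the version the post shows working, not a documented requirement.

```shell
#!/bin/sh
# Added example, not from the original post: classify a curl -v transcript and
# check the NSS version that curl -V reports. The sample texts below are
# constructed from the lines the post shows.
# Read a curl -v transcript on stdin and print one of:
#   no-cipher-overlap   (NSS error -12286, SSL_ERROR_NO_CYPHER_OVERLAP; exit 1)
#   ok <cipher suite>   (handshake completed; exit 0)
#   unknown             (neither pattern seen; exit 2)
classify_curl_tls() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'SSL_ERROR_NO_CYPHER_OVERLAP'; then
        echo "no-cipher-overlap"
        return 1
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^\* SSL connection using \(.*\)$/\1/p')
    if [ -n "$cipher" ]; then
        echo "ok $cipher"
        return 0
    fi
    echo "unknown"
    return 2
}

# Read curl -V output on stdin, pull the NSS/x.y.z token and compare it with
# the minimum given as $1 (GNU sort -V does the version ordering).
nss_version_ok() {
    minimum=$1
    version=$(sed -n 's/.*NSS\/\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$version" ] || { echo "nss version not found"; return 2; }
    lowest=$(printf '%s\n%s\n' "$version" "$minimum" | sort -V | head -n 1)
    if [ "$lowest" = "$minimum" ]; then
        echo "nss $version ok"
    else
        echo "nss $version too-old"
        return 1
    fi
}

# Constructed samples, abbreviated from the post's curl output.
failed_transcript='* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).'
good_transcript='* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
< HTTP/1.1 200 OK'
old_curl_v='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7'
for t in "$failed_transcript" "$good_transcript"; do
    printf '%s\n' "$t" | classify_curl_tls || echo "  (exit status $?)"
done
printf '%s\n' "$old_curl_v" | nss_version_ok 3.28.4 || echo "  (exit status $?)"
```

As the post's own output shows, curl -V reported NSS/3.28.4 both before and after the `yum update nss` that fixed the handshake, so the version check alone is not conclusive; the handshake classification is the definitive test.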