curl: (35) Cannot communicate securely with peer: - Discuss

18 Oct 2014


      Hello
I am stumped. I am trying to us the kraxel qemu repository, it appears
the repository moved to secure server since then I have not been able to
configure this properly. https://www.kraxel.org/repos/jenkins/
I receive the following error when I try to use the repository 
    curl: (35) Cannot communicate securely with peer: no common encryption
algorithm(s).
I have discovered this problem on my fedora 20 computer, the fedora
mailing list will not accept my email, I am experiencing this problem
with curl on both my Centos and fedora systems.
I receive the same error with centos 7 minimal installation and fedora
20. What am I doing wrong, I have recently switch to the Fedora
platform, I have not read all the manuals but trying.
I have imported the gpg keys that Kraxel has posted on his blog using
rpm --import. I can only download file through my web browser. I was
going to clone his git repository and set up a local repository, bit git
report the same error. Which leads me to believe the problem is with my
certificates.
I have even tried the firefox-db2pem.sh, I am not sure it did anything.
Does curl need to be recompiled with nss support? Is there a package I
need to compile? nss 3.17.2 is installed, non of the man page work.
Looking deeper into the nss, 
    # certutil -L
    certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
I think there is something wrong with my nss certificates, but I have
run out of time. Any suggestions.
This is on a brand new installation Fedora 20 and Centos 7, I have not
had time to break anything.
The openssl command connect with the server, is
$ openssl s_client -connect www.kraxel.org:443
The curl output is posted below in fedora system the output for the
centos is the same with the exception of the curl and nss versions:
$ curl -v https://www.kraxel.org/repos/jenkins/repodata/repomd.xml
* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x6bea60) send_pipe: 1, recv_pipe: 0
* About to connect() to www.kraxel.org port 443 (#0)
*   Trying 217.197.83.6...
* Connected to www.kraxel.org (217.197.83.6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption
algorithm(s).
* Error in TLS handshake, trying SSLv3...
...
GET /repos/jenkins/repodata/repomd.xml HTTP/1.1
User-Agent: curl/7.32.0
Host: www.kraxel.org
Accept: */*
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL:
'https://www.kraxel.org/repos/jenkins/repodata/repomd.xml'
* About to connect() to www.kraxel.org port 443 (#1)
*   Trying 217.197.83.6...
* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 1 (0x6bea60) send_pipe: 1, recv_pipe: 0
* Connected to www.kraxel.org (217.197.83.6) port 443 (#1)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption
algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption
algorithm(s).