[CentOS] curl: (35) Cannot communicate securely with peer:

Sat Oct 18 16:27:24 UTC 2014
Aaron Siegel <admin at siegel-tech.net>

Hello

I am stumped. I am trying to us the kraxel qemu repository, it appears
the repository moved to secure server since then I have not been able to
configure this properly. https://www.kraxel.org/repos/jenkins/
I receive the following error when I try to use the repository 
	curl: (35) Cannot communicate securely with peer: no common encryption
algorithm(s).

I have discovered this problem on my fedora 20 computer, the fedora
mailing list will not accept my email, I am experiencing this problem
with curl on both my Centos and fedora systems.  

I receive the same error with centos 7 minimal installation and fedora
20. What am I doing wrong, I have recently switch to the Fedora
platform, I have not read all the manuals but trying.

I have imported the gpg keys that Kraxel has posted on his blog using
rpm --import. I can only download file through my web browser. I was
going to clone his git repository and set up a local repository, bit git
report the same error. Which leads me to believe the problem is with my
certificates.

I have even tried the firefox-db2pem.sh, I am not sure it did anything.

Does curl need to be recompiled with nss support? Is there a package I
need to compile? nss 3.17.2 is installed, non of the man page work. 

Looking deeper into the nss, 
	# certutil -L
	certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.

I think there is something wrong with my nss certificates, but I have
run out of time. Any suggestions. 

This is on a brand new installation Fedora 20 and Centos 7, I have not
had time to break anything. 


The openssl command connect with the server, is
$ openssl s_client -connect www.kraxel.org:443

The curl output is posted below in fedora system the output for the
centos is the same with the exception of the curl and nss versions:

$ curl -v https://www.kraxel.org/repos/jenkins/repodata/repomd.xml

* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x6bea60) send_pipe: 1, recv_pipe: 0
* About to connect() to www.kraxel.org port 443 (#0)
*   Trying 217.197.83.6...
* Connected to www.kraxel.org (217.197.83.6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption
algorithm(s).
* Error in TLS handshake, trying SSLv3...
> GET /repos/jenkins/repodata/repomd.xml HTTP/1.1
> User-Agent: curl/7.32.0
> Host: www.kraxel.org
> Accept: */*
> 
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL:
'https://www.kraxel.org/repos/jenkins/repodata/repomd.xml'
* About to connect() to www.kraxel.org port 443 (#1)
*   Trying 217.197.83.6...
* Adding handle: conn: 0x6bea60
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 1 (0x6bea60) send_pipe: 1, recv_pipe: 0
* Connected to www.kraxel.org (217.197.83.6) port 443 (#1)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption
algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption
algorithm(s).