Hi, I've run into an issue with fresh install of CentOS 7. I used CentOS-7-x86_64-NetInstall-2009.iso to bootup and one of the mirrors to finish the setup. When I first logged in, had to install something from gitlab and download failed with an error "curl: (35) TCP connection reset by peer" and while in verbose mode, curl reports that "NSS error -5961 (PR_CONNECT_RESET_ERROR)". When I go to existing CentOS system (same version, but installed much earlier), everything works as expected. I compared version of curl, nss and openssl -- they all match. I quiet puzzled and have no idea what's going on (except it seems that curl doesn't know about ECDHE-RSA-AES128-GCM-SHA256 cipher, in this case. What do I miss? ``` $ cat /etc/centos-release CentOS Linux release 7.9.2009 (Core) $ curl --version curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets $ curl -v https://about.gitlab.com * About to connect() to about.gitlab.com port 443 (#0) * Trying 151.101.2.49... * Connected to about.gitlab.com (151.101.2.49) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5961 (PR_CONNECT_RESET_ERROR) * TCP connection reset by peer * Closing connection 0 curl: (35) TCP connection reset by peer $ curl -v --tlsv1.3 https://about.gitlab.com * About to connect() to about.gitlab.com port 443 (#0) * Trying 151.101.194.49... * Connected to about.gitlab.com (151.101.194.49) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5961 (PR_CONNECT_RESET_ERROR) * TCP connection reset by peer * Closing connection 0 curl: (35) TCP connection reset by peer $ curl -v --tlsv1.2 https://about.gitlab.com * About to connect() to about.gitlab.com port 443 (#0) * Trying 151.101.66.49... * Connected to about.gitlab.com (151.101.66.49) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5961 (PR_CONNECT_RESET_ERROR) * TCP connection reset by peer * Closing connection 0 curl: (35) TCP connection reset by peer $ openssl s_client -connect about.gitlab.com:443 CONNECTED(00000003) depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign verify return:1 depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018 verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = c.sni.fastly.net verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=c.sni.fastly.net i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018 i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign --- Server certificate -----BEGIN CERTIFICATE----- MIIGETCCBPmgAwIBAgIMbzE9NHtvAS1nE+2MMA0GCSqGSIb3DQEBCwUAMFAxCzAJ ... -----END CERTIFICATE----- subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=c.sni.fastly.net issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018 --- No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3320 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 2935F1EC82151ABC0F853E64BFC433414AF00ECCFABBE32B57B40F4A44C3E043 Session-ID-ctx: Master-Key: 563BE1A9EB4D42B2A7D3CA8744066A0B0CB520DC4CB8365B970D97E343461E4D46CBC1535A6EBAB9D89FBA9324987E17 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 1c 95 21 f7 8d df 11 44-3a f8 0d a0 81 2a e0 0c ..!....D:....*.. 0010 - b4 06 9d 90 03 a5 8e b7-3e d0 2e 4f c5 68 19 d0 ........>..O.h.. 0020 - d3 73 3b 0a d2 36 43 68-68 79 5d 68 b6 12 5c be .s;..6Chhy]h..\. 0030 - 29 d2 df 43 4a b2 ac dd-ec e5 b3 13 1b 22 7a f9 )..CJ........"z. 0040 - 50 40 b5 96 0d 2a c6 d9-17 1b 3c 2d 63 68 60 9f P at ...*....<-ch`. 0050 - 84 10 08 81 6c bc 7b 2d-3f fc 48 6a 74 25 95 8a ....l.{-?.Hjt%.. 0060 - 0c 9b 82 4f ca 90 62 bd-8d e4 d5 58 f6 a9 d7 e6 ...O..b....X.... 0070 - 68 5c 47 81 d0 be a5 2e-f6 17 38 9b 0f a0 c1 5e h\G.......8....^ 0080 - 7e b5 71 30 19 30 34 63-47 2c bc 86 c6 48 ea 57 ~.q0.04cG,...H.W 0090 - f3 e5 8c 1d 97 77 00 31-94 9f 5c f3 41 8d 4e c1 .....w.1..\.A.N. Start Time: 1616504968 Timeout : 300 (sec) Verify return code: 0 (ok) --- ``` Thanks -Sashk