[CentOS] fresh install of centos 7 and curl accessing some sites

Tue Mar 23 13:31:51 UTC 2021
sashk <b at sashk.xyz>

Hi,

I've run into an issue with a fresh install of CentOS 7. I used 
CentOS-7-x86_64-NetInstall-2009.iso to boot up and one of the mirrors to 
finish the setup. When I first logged in, I had to install something from 
gitlab and the download failed with an error "curl: (35) TCP connection 
reset by peer"; in verbose mode, curl reports "NSS error 
-5961 (PR_CONNECT_RESET_ERROR)".

When I go to an existing CentOS system (same version, but installed much 
earlier), everything works as expected. I compared the versions of curl, 
nss and openssl -- they all match.

I'm quite puzzled and have no idea what's going on (except it seems that 
curl doesn't know about the ECDHE-RSA-AES128-GCM-SHA256 cipher, in this case).

What am I missing?

```
$ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 
zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps 
pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL 
libz unix-sockets
$ curl -v https://about.gitlab.com
* About to connect() to about.gitlab.com port 443 (#0)
*   Trying 151.101.2.49...
* Connected to about.gitlab.com (151.101.2.49) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
$ curl -v --tlsv1.3 https://about.gitlab.com
* About to connect() to about.gitlab.com port 443 (#0)
*   Trying 151.101.194.49...
* Connected to about.gitlab.com (151.101.194.49) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
$ curl -v --tlsv1.2 https://about.gitlab.com
* About to connect() to about.gitlab.com port 443 (#0)
*   Trying 151.101.66.49...
* Connected to about.gitlab.com (151.101.66.49) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
$ openssl s_client -connect about.gitlab.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", 
CN = c.sni.fastly.net
verify return:1
---
Certificate chain
  0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=c.sni.fastly.net
    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGETCCBPmgAwIBAgIMbzE9NHtvAS1nE+2MMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Fastly, 
Inc./CN=c.sni.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3320 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
     Session-ID: 
2935F1EC82151ABC0F853E64BFC433414AF00ECCFABBE32B57B40F4A44C3E043
     Session-ID-ctx:
     Master-Key: 
563BE1A9EB4D42B2A7D3CA8744066A0B0CB520DC4CB8365B970D97E343461E4D46CBC1535A6EBAB9D89FBA9324987E17
     Key-Arg   : None
     Krb5 Principal: None
     PSK identity: None
     PSK identity hint: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
     0000 - 1c 95 21 f7 8d df 11 44-3a f8 0d a0 81 2a e0 0c ..!....D:....*..
     0010 - b4 06 9d 90 03 a5 8e b7-3e d0 2e 4f c5 68 19 d0 ........>..O.h..
     0020 - d3 73 3b 0a d2 36 43 68-68 79 5d 68 b6 12 5c be .s;..6Chhy]h..\.
     0030 - 29 d2 df 43 4a b2 ac dd-ec e5 b3 13 1b 22 7a f9 )..CJ........"z.
     0040 - 50 40 b5 96 0d 2a c6 d9-17 1b 3c 2d 63 68 60 9f P@...*....<-ch`.
     0050 - 84 10 08 81 6c bc 7b 2d-3f fc 48 6a 74 25 95 8a ....l.{-?.Hjt%..
     0060 - 0c 9b 82 4f ca 90 62 bd-8d e4 d5 58 f6 a9 d7 e6 ...O..b....X....
     0070 - 68 5c 47 81 d0 be a5 2e-f6 17 38 9b 0f a0 c1 5e h\G.......8....^
     0080 - 7e b5 71 30 19 30 34 63-47 2c bc 86 c6 48 ea 57 ~.q0.04cG,...H.W
     0090 - f3 e5 8c 1d 97 77 00 31-94 9f 5c f3 41 8d 4e c1 .....w.1..\.A.N.

     Start Time: 1616504968
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
```


Thanks

-Sashk
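Added example (not part of the post above, and not something the poster ran): when one TLS client on the same box is reset right after the TCP connect while another completes the handshake, the first thing that differs on the wire is the ClientHello. A practical check is to capture the first packet each client sends to port 443 (e.g. `tcpdump -i eth0 -w curl.pcap 'tcp port 443'`), pull out the TLS record bytes, and compare what the two clients offer. The script below parses a ClientHello record (version, cipher suites, extensions, SNI) and diffs a "failing" and a "working" hello. The two sample hellos are constructed inline so the script runs offline; they are not captures from the poster's hosts, and the specific differences they show (no ECDHE suites, no SNI) are illustrative assumptions, not the diagnosed cause of the reset.

```python
"""Parse and compare TLS ClientHello records (added example, constructed input)."""
import struct

# IANA code points for the suites and extension types used in the samples below.
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # what openssl negotiated in the post
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
EXT_NAMES = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
             43: "supported_versions"}


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError if it is not one."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    sid_len = hello[pos]; pos += 1 + sid_len    # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len  # compression methods
    extensions, sni = {}, None
    if pos + 2 <= len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            extensions[etype] = edata
            if etype == 0 and len(edata) >= 5:
                # ServerNameList: 2-byte list length, 1-byte name type, 2-byte length, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites,
            "extensions": sorted(extensions), "sni": sni}


def build_client_hello(suites, sni=None, extra_extensions=()) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input for the parser)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    for etype, edata in extra_extensions:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites) * 2) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def diff_client_hellos(failing: dict, working: dict) -> dict:
    """Report what the failing client lacks (or adds) relative to the working one."""
    f_cs, w_cs = set(failing["cipher_suites"]), set(working["cipher_suites"])
    f_ex, w_ex = set(failing["extensions"]), set(working["extensions"])
    return {
        "missing_cipher_suites": sorted(CIPHER_NAMES.get(c, hex(c)) for c in w_cs - f_cs),
        "extra_cipher_suites": sorted(CIPHER_NAMES.get(c, hex(c)) for c in f_cs - w_cs),
        "missing_extensions": sorted(EXT_NAMES.get(e, str(e)) for e in w_ex - f_ex),
        "sni_differs": failing["sni"] != working["sni"],
    }


# Constructed samples (assumptions for illustration, not captures from the post):
# the "working" hello offers the ECDHE-GCM suite openssl negotiated and sends SNI;
# the "failing" hello offers only RSA key-exchange suites and sends no SNI.
WORKING_HELLO = build_client_hello(
    [0xC02F, 0xC030, 0x009C], sni="about.gitlab.com",
    extra_extensions=[(10, b"\x00\x04\x00\x17\x00\x18"), (13, b"\x00\x02\x04\x01")])
FAILING_HELLO = build_client_hello(
    [0x009C, 0x002F], sni=None, extra_extensions=[(13, b"\x00\x02\x04\x01")])


def sample_diff() -> dict:
    return diff_client_hellos(parse_client_hello(FAILING_HELLO), parse_client_hello(WORKING_HELLO))


if __name__ == "__main__":
    for key, value in sample_diff().items():
        print(f"{key}: {value}")
```

With real captures, replace the two constructed byte strings with the payload of each client's first TLS record (the bytes starting at 0x16 0x03 0x01 in the first data segment to port 443). If the server resets before any ServerHello, this comparison is the only evidence available on the client side; a cipher suite or extension present in the working hello and absent in the failing one is where to look next.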