SSL certificate error connecting to github.com

curlssl

Starting today (or within the last few days) I've hit an SSL error when trying to connect to github.com (e.g. to clone a repository).

This is a legacy server running Red Hat 4.1.2-33.

Here's what it looks like when I try to connect:

$ curl https://www.github.com --verbose
* About to connect() to www.github.com port 443 (#0)
*   Trying 192.30.252.130... connected
* Connected to www.github.com (192.30.252.130) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

I can see from this page that the NSS error code is:

"Cannot communicate securely with peer: no common encryption
algorithm(s)."

The local and remote systems share no cipher suites in common. This
can be due to a misconfiguration at either end. It can be due to a
server being misconfigured to use a non-RSA certificate with the RSA
key exchange algorithm.

If I'm putting this altogether right, it appears that github.com has a recently updated SSL certificate and my server doesn't have a cipher suite compatible with it. This is a legacy server so I'm not that surprised.

I've tried yum update nss (since that what curl seems to be using) as well as yum update openssl but none of those packages have updated.

I've also tried following the procedure outline here but to no avail.

I'm sort of hitting a wall with my knowledge of how TLS handshakes work to even troubleshoot this much deeper. Does anyone have any good ideas on how to start digging deeper and figuring out what's going wrong and where I need to update things? Upgrading the OS is for the time being not an option.

Update

Digging further, it appears to be an issue with libcurl and the cipher it is using when connecting to github.com via git. I can get curl to work if I specify a compatible cipher explicitly:

$ curl https://github.com --cipher rsa_aes_128_sha

And I can even add the --cipher rsa_aes_128_sha parameter to a .curlrc file and have curl use that cipher by default. Unfortunately, this doesn't seem to get picked up by the git command so it got me nowhere…nor could I find an alternate way to specify the cipher. This is what the result of a verbose git pull looks like on a github.com repository:

$ GIT_CURL_VERBOSE=1 git pull
* Couldn't find host github.com in the .netrc file, using defaults
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.252.129... * Connected to github.com (192.30.252.129) port 443 (#0)
*   CAfile: /root/certs/cacert.pem
  CApath: none
* NSS error -12286
* Expire cleared
* Closing connection #0
* Couldn't find host github.com in the .netrc file, using defaults
* About to connect() to github.com port 443 (#0)
*   Trying 192.30.252.129... * Connected to github.com (192.30.252.129) port 443 (#0)
*   CAfile: /root/certs/cacert.pem
  CApath: none
* NSS error -12286
* Expire cleared
* Closing connection #0
error: SSL connect error while accessing https://github.com/twbs/bootstrap.git/info/refs
fatal: HTTP request failed

This might be a dead-end…looks like this guy on StackOverflow ran into the exact same issue.

Best Answer

SSL/TLS configuration today is driven by security considerations which have arisen in the past couple of years such as the BEAST and CRIME attacks, and the weakness of RC4, and which -- in some cases -- will result in some old clients being unable to communicate at all, since they don't support more modern protocols, cipher suites, etc. Even RHEL 5 clients occasionally have trouble communicating with RHEL 6 servers via SSL/TLS. With some work, you may be able to manually specify a cipher suite to use, but it's highly unlikely with something as old as RHEL4. This state of affairs makes upgrading your only real option.

Related Solutions

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

Curl SSL Certificate – How to Debug ‘Unable to Get Local Issuer Certificate’ in Curl

Using openssl s_client -connect thawte.com:443 shows:

---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Thawte, Inc./C=US/ST=California/L=Mountain View/businessCategory=Private Organization/serialNumber=3898261/OU=Infrastructure Operations/CN=www.thawte.com
   i:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
 1 s:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
---

That last "i" shows the issuing self-signed root CA. I'm guessing that that particular Thawte root CA, _i.e. the Primary Root CA - G3 cert, is not in your /etc/ssl/certs directory (as stated in the curl output; openssl s_client does not have a default CA path, and needs to given one explicitly, e.g. -CApath /etc/ssl/certs).

Adding that certificate explicitly to your /etc/ssl/certs directory (and re-running c_rehash) certainly wouldn't hurt. And if it works, e.g. as verified using openssl s_client -connect example.com:443 -CApath /etc/ssl/certs, then you know that that update-ca-certificates command may need some examination/debugging, as to why it hadn't picked up this root CA.

Now, it may be that the above root CA is already in your /etc/ssl/certs directory, and the above steps had no effect. In that case, there are two other issuing CA certs to check (at least in the cert chain offered by thawte.com:443): thawte Primary Root CA, and thawte SSL CA - G2. Repeating the above steps to install these certs into your /etc/ssl/certs directory (and re-running c_rehash) might work. Since these two are intermediate CAs, and not root CAs, the absence of one of them would explain your results, and might be expected as overlooked certs by update-ca-certificates.

Hope this helps!

Best Answer

Related Solutions

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

Curl SSL Certificate – How to Debug ‘Unable to Get Local Issuer Certificate’ in Curl

Related Topic