如何修复 curl:(35) 无法与对等方安全通信:没有通用的加密算法 [英] How to fix curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s)

问题描述

我正在尝试使用 php curl 从 https://torrage.com 访问和下载一些 .torrent 文件.但是什么也没发生，curl_error($ch) 给出

I am trying to access and download some .torrent files from https://torrage.com using php curl. But nothing happens , curl_error($ch) gives

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;

这给了.

Cannot communicate securely with peer: no common encryption algorithm(s).

如果我像这样从 shell 中尝试

If I try from shell like this

[root@prod1 yum.repos.d]# curl -I https://torrage.com
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

处于详细模式

[root@prod1 yum.repos.d]# curl -v https://torrage.com
* Rebuilt URL to: https://torrage.com/
*   Trying 81.17.30.48...
* Connected to torrage.com (81.17.30.48) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

系统信息centos 7.x86_64

[root@prod1 yum.repos.d]# uname -a
Linux prod1.localdomain 3.10.0-229.4.2.el7.x86_64 #1 SMP Wed May 13 10:06:09 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

卷曲版本

[root@prod1 yum.repos.d]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu)

openssl ，已经打过补丁.

[root@prod1 yum.repos.d]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 15 18:39:20 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic

验证 openssl 是否打补丁.

[root@prod1 yum.repos.d]# rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

<小时>

我尝试过的:

1) 我曾尝试使用 HTTP insted of HTTPS，但该站点强制使用 HTTPS.例如

[root@prod1 yum.repos.d]# curl -I http://torrage.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 04:13:17 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://torrage.com/

2) 更新 ca-bundle.crt

cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

3) 将 Curl 更新到最新版本 7.43.0

nano /etc/yum.repos.d/city-fan-for-curl.repo

使用此存储库.

[CityFanforCurl]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/
enabled=0
gpgcheck=0

然后做

yum update curl --enablerepo=CityFanforCurl

然后验证 curl 版本

then verifying curl version

[root@prod1 yum.repos.d]# curl -V
curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 NSS/3.18 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink

4) 我试过这个来检查我的 curl 是否过时.

参考:https://unix.stackexchange.com/questions/162816/disable-sslv3-in-curl

[root@prod1 yum.repos.d]# curl -1IsS --ciphers ecdhe_ecdsa_aes_128_sha https://sslspdy.com
HTTP/1.1 200 OK
Server: nginx centminmod
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubdomains
Date: Mon, 12 Jan 1970 23:00:11 GMT
X-Page-Speed: ngx_pagespeed
Cache-Control: max-age=0, no-cache

<小时>

我该如何解决这个问题?并使用 PHP Curl 从 Torrage.com 下载文件?

---

How can i fix the issue ? and download files from Torrage.com using PHP Curl ?

*我不能使用 file_get_contents，因为我正在使用 curl_multi 进行同步下载.

*I cant use file_get_contents as i am using curl_multi for simultaneous downloads.

更新 1:

正如 steffen-ullrich 所建议的

[root@prod1 randoadmin]# curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 -I https://torrage.com
HTTP/1.1 200 OK
Server: nginx/1.9.0
Date: Mon, 29 Jun 2015 05:54:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 29 Jun 2015 05:50:40 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding, Accept-Encoding
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

但那是 shell 我如何用 PHP-curl 实现它?

but thats with shell how can i implement it with PHP-curl ?

更新 2:

我已经修改了代码并定义了密码，以便在像这样使用 curl 时使用.

i have modified code and defined cipher to use while using curl like this.

$ch = curl_init ('https://torrage.com/torrent/640FE84C613C17F663551D218689A64E8AEBEABE.torrent');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_rsa_aes_128_gcm_sha_256');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_VERBOSE,true);
$data = curl_exec($ch);
$error = curl_error($ch);
curl_close ($ch);
echo $error;
echo $data ;

它工作得很好.非常感谢 steffen-ullrich 解决了问题.

Its working great. Issue solved many thanks to steffen-ullrich .

推荐答案

服务器仅支持 ECC 密码 (ECDHE-*).curl 的版本是使用 Redhat/CentOS 上的 NSS 库构建的.有一个错误报告指出 Redhat/CentOS 会覆盖 curl 设置并且默认禁用 ECC 密码.因为客户端没有提供 ECC 密码，而服务器只支持 ECC 密码，所以连接将失败.

The server supports only ECC ciphers (ECDHE-*). The version of curl is built with the NSS library on Redhat/CentOS. There is a bug report that Redhat/CentOS overrides the curl settings and disables ECC ciphers by default. Because there are thus no ECC ciphers offered by the client but only ECC ciphers are supported by the server the connection will fail.

您可以尝试明确给出密码，即

You might try to explicitly give the cipher, i.e.

curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 ...

请注意，升级 OpenSSL 无济于事，因为 curl 不是使用 OpenSSL 后端构建的.此外，禁用证书验证(无论如何都是坏主意)或更改根 CA 也无济于事，因为问题根本与证书验证无关.

Note that upgrading OpenSSL would not help because curl is not built with the OpenSSL backend. Also it does not help to disable certificate validation (bad idea anyway) or to change the root CA's since the problem is not related to certificate validation at all.

尝试使用 --ciphers ecdhe_ecdsa_aes_128_sha 明确给出密码，因为解决问题的密码朝着正确的方向发展，但在这种情况下无济于事，因为这不是支持的密码之一由服务器.服务器仅支持各种 ECDHE-RSA-* 密码，但不支持 ECDHE-ECDSA-* 密码.有关详细信息，请参阅 SSLLabs.

Trying to explicitly give the cipher with --ciphers ecdhe_ecdsa_aes_128_sha as the cipher to solve the problem goes into the right direction but will not help in this case, because this is not one of the ciphers supported by the servers. The server supports only various ECDHE-RSA-* ciphers but not ECDHE-ECDSA-* ciphers. See SSLLabs for details.

这篇关于如何修复 curl:(35) 无法与对等方安全通信:没有通用的加密算法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！