
NSS on Red Hat derivative OSes does not support ECC cipher-suites and can not connect to CloudFlare HTTPS
Closed, Wontfix (Public)

Description

I'm using phabricator behind cloudflare with https enabled.
When using conduit with php I'm not able to establish a connection due to an ssl issue:

PHP Fatal error:  Uncaught exception 'HTTPFutureCURLResponseStatus' with message '[cURL/35] (https://bugs.dev-core.org/api/phriction.info) <CURLE_SSL_CONNECT_ERROR> There was an error negotiating the SSL connection.

Using cURL directly:

 curl -v https://bugs.dev-core.org
...
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

The problem can be resolved when defining the cipher used by cloudflare ssl:

 curl --ciphers ecdhe_ecdsa_aes_256_sha https://bugs.dev-core.org
[Output of the site]

My suggestion would be to add an additional constant which allows a custom cipher to be used.
I already added it in my installation to the HTTPSFuture class but didn't have time yet to submit a patch.

For the tests I used cURL 7.19.7:

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
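A triage script for the failure in this report, added here as an example and not code from the task or from libphutil. It assumes `curl` is on PATH for the live probe and reuses the NSS cipher name and host from the report; the classification functions work offline on captured `curl --version` and `curl -v` text.

```shell
#!/bin/sh
# Added triage helper for the NSS/ECC failure in this report (not part of
# Phabricator or libphutil). Host and cipher name are taken from the report.

# Name the TLS backend curl was linked against, from `curl --version` line 1.
tls_backend() {
  case "$1" in
    *NSS/*)     echo nss ;;
    *OpenSSL/*) echo openssl ;;
    *GnuTLS/*)  echo gnutls ;;
    *)          echo unknown ;;
  esac
}

# Succeed when the NSS build advertises "Basic ECC". The report shows this
# alone does not guarantee the ECDHE suites are actually offered.
nss_has_basic_ecc() {
  case "$1" in
    *"NSS/"*"Basic ECC"*) return 0 ;;
    *)                    return 1 ;;
  esac
}

# Classify `curl -v` output. NSS error -12286 is SSL_ERROR_NO_CYPHER_OVERLAP:
# client and server share no cipher suite, which is the symptom reported here.
classify_tls_failure() {
  case "$1" in
    *"NSS error -12286"*) echo no-cipher-overlap ;;
    *"curl: (35)"*)       echo tls-handshake-failed ;;
    *)                    echo ok ;;
  esac
}

# Live check (needs network): plain connect, then a retry with the explicit
# NSS cipher name from the report. Success only on the retry confirms the
# cipher-suite gap; the durable fix is the NSS update, not a per-app override.
probe_host() {
  host="${1:-bugs.dev-core.org}"
  plain=$(curl -sS -v --max-time 15 "https://$host/" 2>&1 >/dev/null) || true
  echo "plain connect: $(classify_tls_failure "$plain")"
  forced=$(curl -sS -v --max-time 15 --ciphers ecdhe_ecdsa_aes_256_sha \
           "https://$host/" 2>&1 >/dev/null) || true
  echo "with --ciphers ecdhe_ecdsa_aes_256_sha: $(classify_tls_failure "$forced")"
}

# Probe only when a host is given, e.g.: ./tls-triage.sh bugs.dev-core.org
if [ $# -ge 1 ]; then
  echo "tls backend: $(tls_backend "$(curl --version | head -n 1)")"
  probe_host "$1"
fi
```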

Revisions and Commits

rPHU libphutil
Needs Revision

Event Timeline

What system are you on that doesn't support this cipher?

Mac OS X and Ubuntu 14 with default libraries both support it, and can connect to this server without errors.

I'm using CentOS 6.7. I could reproduce the problem on 3 CentOS servers.
Debian seems to work fine.

This looks like a known issue with implementors using NSS instead of OpenSSL. Here's the Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1185708

Here's the (related, resolved) Firefox bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=1205688

Generally, I agree with the rationale in the Firefox thread: individual clients should, generally, not be managing cipher-suite selection because everything else on the system is also affected, and it's better to manage the selection in one place (e.g., NSS).

It looks like this issue is already on its way to resolution in the Red Hat upstream, so I'm inclined to wait for it unless we see substantially more users affected. Almost anything which uses cURL or links against NSS on your system is presumably affected.

See also T8227.

epriestley renamed this task from cURL: User defined ciphers to NSS on Red Hat derivative OSes does not support ECC cipher-suites and can not connect to CloudFlare HTTPS. Jan 24 2016, 12:37 PM
epriestley triaged this task as Low priority.
epriestley edited projects, added Infrastructure; removed libphutil, Feature Request.
epriestley claimed this task.

We haven't seen further reports of this in more than two months, so I don't plan to mitigate it at the application level.

The Red Hat bug was marked resolved around Feb 20th.

If you're encountering this issue, pursue resolution with your distribution upstream.