CloudFlare, SSL, cURL and fixing the "no common encryption algorithm" error

01.11.2015
by HELO Store

Description

CloudFlare uses Elliptic Curve Cryptography (ECC) rather than the more traditional RSA algorithm. ECC produces shorter keys that are as strong as their equivalent RSA keys. Advantages of shorter keys include lower CPU usage and lower memory usage.
The customers' websites behind CloudFlare, with SSL enabled, also use ECC certificates.


Problem

The real problem is with cURL and NSS (especially older versions), which do not handle ECC certificates very well.

[w@disruptive]$ curl --verbose https://helostore.com
* Rebuilt URL to: https://helostore.com/
* Trying 104.28.18.28...
* Connected to helostore.com (104.28.18.28) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).


Solution

A. If you already have a recent version of curl (>= 7.36), you're good to go: you only need to specify the right cipher for CloudFlare's front ECC SSL certificate: ecdhe_ecdsa_aes_128_gcm_sha_256.
Otherwise, skip to point B. to update curl.


If you're using curl in PHP, you can do that like so:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_gcm_sha_256');


If you're running the CLI version directly, you just need to specify the cipher as an argument:

[w@disruptive adls]$ curl --verbose https://helostore.com --cipher ecdhe_ecdsa_aes_128_gcm_sha_256
* Rebuilt URL to: https://helostore.com/
* Trying 104.28.18.28...
* Connected to helostore.com (104.28.18.28) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=sni22058.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Oct 08 00:00:00 2015 GMT
* expire date: Dec 30 23:59:59 2015 GMT
* common name: sni22058.cloudflaressl.com
* issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> Host: helostore.com
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
...

If the HTTP response was 200 (HTTP/1.1 200 OK), your problem is solved. Otherwise, try point B. and/or C.


B. Old versions of curl contain some bug(s) [1][2] that will interfere with ECC certificates, so let's update curl to a newer version (>= 7.36):

rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-1-13.rhel6.noarch.rpm
yum update -y curl php-curl



You can now check curl's version with

[w@disruptive adls]$ curl --version
curl 7.45.0 (x86_64-redhat-linux-gnu) libcurl/7.45.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.32 libssh2/1.6.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets Metalink
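
Added example (not part of the original post): the cipher string in point A is the NSS spelling; a curl built against OpenSSL expects the OpenSSL spelling of the same suite, ECDHE-ECDSA-AES128-GCM-SHA256. This script reads the first line of curl --version, applies the >= 7.36 check and returns the matching string; pick_cipher and curl_at_least are hypothetical helper names, and two of the sample lines are constructed.

```shell
#!/bin/sh
# Added example: pick the --cipher value from the first line of `curl --version`.
# Function names are hypothetical; sample lines marked "constructed" are made up.

# curl_at_least VERSION MAJOR MINOR -> success when VERSION >= MAJOR.MINOR
curl_at_least() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# pick_cipher LINE -> prints the cipher string for this build's TLS backend.
# Returns 0 on success, 2 if curl is older than 7.36 (update first, point B),
# 3 if the line cannot be parsed or the backend is neither NSS nor OpenSSL.
pick_cipher() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 3
    curl_at_least "$ver" 7 36 || return 2
    case " $line " in
        *" NSS/"*)     echo 'ecdhe_ecdsa_aes_128_gcm_sha_256' ;;  # NSS name, from the post
        *" OpenSSL/"*) echo 'ECDHE-ECDSA-AES128-GCM-SHA256' ;;    # OpenSSL name, same suite
        *)             return 3 ;;
    esac
}

# Version line shown in the post (curl 7.45.0 built against NSS):
PAGE_LINE='curl 7.45.0 (x86_64-redhat-linux-gnu) libcurl/7.45.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.32 libssh2/1.6.0'
# Constructed: an older NSS build, and a build linked against OpenSSL.
OLD_LINE='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3'
OPENSSL_LINE='curl 7.45.0 (x86_64-pc-linux-gnu) libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8'

for l in "$PAGE_LINE" "$OLD_LINE" "$OPENSSL_LINE"; do
    if c=$(pick_cipher "$l"); then
        echo "use: --cipher $c"
    else
        echo "no cipher chosen (rc=$?)"
    fi
done
# Live use: pick_cipher "$(curl --version | head -n 1)"
```

Passing a single suite to --cipher restricts the client to that suite, so the handshake fails again if the server stops offering it.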


C. If point A. didn't do the trick, you may need to update the NSS library, which requires the NSPR API (whatever that is).
So, first install NSPR following these instructions: http://www.linuxfromscratch.org/blfs/view/svn/gene...
After that, go ahead and install NSS: http://www.linuxfromscratch.org/blfs/view/svn/post...


Hopefully that went just swell and you can return to point A. and try that again.



Related bugs:


[1] https://bugzilla.redhat.com/show_bug.cgi?id=105877...
[2] https://bugzilla.redhat.com/show_bug.cgi?id=118570...



Related resources:


* if you're dealing with other ciphers, check these cipher-suite lists for the right algorithm string:
(NSS) https://git.fedorahosted.org/cgit/mod_nss.git/plai...
(OpenSSL) https://www.openssl.org/docs/manmaster/apps/cipher...
* if you're interested in CloudFlare's study of ECC vs. RSA:
https://blog.cloudflare.com/ecdsa-the-digital-sign...