[root@vagrant-centos65 you-get]# curl -v https://api.xxx.cn
* About to connect() to api.xxx.cn port 443 (#0)
* Trying 123.xxx.xx.xx... connected
* Connected to api.xxx.cn (123.xxx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
[root@vagrant-centos65 you-get]# curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
3 Answers
If updating cURL doesn't fix it, updating NSS should do the trick.
4 Comments
Alyas
Actually, only upgrading NSS has fixed the error on my CentOS 6. Thanks.
rinogo
If you're using cURL with PHP, updating cURL can be a bit of a pain. Fortunately, updating nss worked. Remember to restart Apache.
Robbiegod
Finally fixed my issue. Been trying to install Drupal 8 modules using the URL field and kept getting this error. Updating NSS fixed the issue for me. Thanks!
The Anh Nguyen
But when updating NSS with yum, it also fails because it can't make an SSL connection to the repo :(
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
You are using a very old version of curl. My guess is that you ran into the bug described 6 years ago. The fix is to update your curl.
1 Comment
Wildcard
I may be misreading that bug report, but it seems that the issue is/was that that version of libcurl was disallowing SSLv2 and requiring SSLv3. So besides updating your version of curl, if you have control of the server you're connecting to when you get these failures, it would be good to update your software on that side as well. (Maybe you'll then use SSLv3 and the "bug" of disallowing SSLv2 won't break things anymore.) Sort of ironic.
If you are using curl versions curl-7.19.7-46.el6.x86_64 or older, please provide the option -k1 (small K1).
1 Comment
Timmmm
Does this disable certificate checks? Not great advice, especially if you don't mention it!
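The `-k1` in the last answer is two bundled curl short options: `-k` (`--insecure`, which turns certificate verification off) and `-1` (`--tlsv1`). The script below is an added example, not part of the original thread: it audits curl command lines for `-k`/`--insecure`, including bundled forms like `-k1`. The function names, the list of value-taking options (a subset) and the sample commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag curl commands that disable certificate verification,
# including bundled short flags such as the -k1 suggested above.

# Short options that take a value (a subset of curl's list; extend as needed).
ARG_OPTS='AbcCdDeEFHKmoPQrtTuUwxXyYz'

# curl_skips_verify ARGS...  -> exit status 0 if -k/--insecure is among ARGS.
# Values of long options are not skipped, which is enough for this check.
curl_skips_verify() {
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --insecure) return 0 ;;
            --*) ;;                      # any other long option
            -?*)                         # one or more bundled short options
                bundle=${arg#-}
                while [ -n "$bundle" ]; do
                    rest=${bundle#?}
                    flag=${bundle%"$rest"}
                    bundle=$rest
                    [ "$flag" = k ] && return 0
                    case $ARG_OPTS in *"$flag"*)
                        # The rest of the bundle, or the next word, is a value.
                        [ -z "$bundle" ] && [ $# -gt 0 ] && shift
                        break ;;
                    esac
                done ;;
        esac
    done
    return 1
}

# Print each curl command line read from stdin that disables verification.
# Lines are split on whitespace only; shell quoting is not interpreted.
audit_curl_lines() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f
        [ "${1:-}" = curl ] || continue
        shift
        if curl_skips_verify "$@"; then printf '%s\n' "$line"; fi
    done
}

# Constructed sample input (api.example.test is a placeholder host).
audit_curl_lines <<'EOF'
curl -k1 https://api.example.test
curl -1 https://api.example.test
curl -so k https://api.example.test
EOF
```

Only the first sample line is reported: `-1` on its own leaves verification on, and in `-so k` the `k` is the value of `-o`, not a flag.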