Upgrading CURL/libCURL from:
# rpm -qi curl
Name        : curl
Version     : 7.35.0
Release     : 2.42.amzn1
Architecture: x86_64
Install Date: Thu 10 Apr 2014 08:20:19 PM PDT
Group       : Applications/Internet
Size        : 534216
License     : MIT
Signature   : RSA/SHA256, Wed 26 Feb 2014 04:51:24 PM PST, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.35.0-2.42.amzn1.src.rpm
Build Date  : Wed 26 Feb 2014 04:48:55 PM PST
Build Host  : build-31004.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
To:
# rpm -qi libcurl
Name        : libcurl
Version     : 7.36.0
Release     : 2.44.amzn1
Architecture: x86_64
Install Date: Tue 15 Apr 2014 11:40:58 AM PDT
Group       : Development/Libraries
Size        : 455304
License     : MIT
Signature   : RSA/SHA256, Tue 08 Apr 2014 07:21:43 PM PDT, Key ID bcb4a85b21c0f39f
Source RPM  : curl-7.36.0-2.44.amzn1.src.rpm
Build Date  : Tue 08 Apr 2014 03:25:45 PM PDT
Build Host  : build-31003.build
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://curl.haxx.se/
Summary     : A library for getting files from web servers
Results in the following error:
# curl -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
* Trying 205.251.242.187...
* Connected to s3.amazonaws.com (205.251.242.187) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -8127 (SEC_ERROR_NO_TOKEN)
* The security card or token does not exist, needs to be initialized, or has been removed.
* Closing connection 0
curl: (35) The security card or token does not exist, needs to be initialized, or has been removed.
However, using SSLv3 works:
# curl -3 -v https://s3.amazonaws.com/extimg.popsugar.com/mnt/ephemeral/var/www/files/tmp/2014/04/15/899/netimgEHu6tgWYXxQ0
* Hostname was NOT found in DNS cache
* Trying 54.231.1.40...
* Connected to s3.amazonaws.com (54.231.1.40) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=s3.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
* start date: Apr 12 00:00:00 2014 GMT
* expire date: Apr 13 23:59:59 2015 GMT
* common name: s3.amazonaws.com
* issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
Downgrading to curl 7.35.0 allows this to function again.
Same for me. Curl 7.36 + libnss could have trouble?
For me, curl/7.36.0 on AMI Linux gives me the error while connecting to s3-ap-northeast-1.amazonaws.com.
[ec2-user@ip-172-31-20-184 ~]$ curl -v --url https://s3-ap-northeast-1.amazonaws.com/
Hostname was NOT found in DNS cache
Trying 103.246.150.250...
Connected to s3-ap-northeast-1.amazonaws.com (103.246.150.250) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
NSS error -8127 (SEC_ERROR_NO_TOKEN)
The security card or token does not exist, needs to be initialized, or has been removed.
Closing connection 0
curl: (35) The security card or token does not exist, needs to be initialized, or has been removed.
But the edge server at 103.246.150.192 works fine.
[ec2-user@ip-172-31-20-184 ~]$ curl -v --url https://s3-ap-northeast-1.amazonaws.com/
Hostname was NOT found in DNS cache
Trying 103.246.150.192...
Connected to s3-ap-northeast-1.amazonaws.com (103.246.150.192) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using SSL_RSA_WITH_RC4_128_MD5
Server certificate:
subject: CN=.s3-ap-northeast-1.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
start date: 11月 07 00:00:00 2013 GMT
expire date: 10月 25 23:59:59 2014 GMT
common name: .s3-ap-northeast-1.amazonaws.com
issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
curl 7.24 works fine against both servers.
The difference between the servers is the 2nd intermediate CA cert.
103.246.150.192
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
SerialNumber: 35:97:31:87:f3:87:3a:07:32:7e:ce:58:0c:9b:7e:da
103.246.150.242
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
SerialNumber: 25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
The key is the same.
Some path building problem?
I took it to the mailing list: http://curl.haxx.se/mail/lib-2014-04/0147.html
Daniel,
I filed a ticket and AWS support reported to us that they provide a new curl package. Both curl binaries say it's 7.36.0, but the new one seems to be built with NSS 3.16 instead of 3.15.3.
NG: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.15.3 zlib/1.2.5 libidn/1.18 libssh2/1.4.2
OK: curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.16 Basic ECC zlib/1.2.5 libidn/1.18 libssh2/1.4.2
Try to upgrade the curl package. So far it works fine for me.
Thanks NaHi for confirming this. We thus believe this is fixed with such a move. Dan Rogers, can you confirm this?
No response. Possibly and hopefully fixed.
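A triage check built from the two version banners quoted in the thread, as an added example that is not part of the original posts: it extracts the NSS version from a curl version banner and flags builds older than NSS 3.16, the build reported above as working. The function names are hypothetical, and treating 3.16 as the cut-off is an assumption taken from the thread, not a documented fix boundary.

```shell
#!/bin/sh
# Banners as quoted in the thread (NG = failing build, OK = working build).
NG_BANNER='curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.15.3 zlib/1.2.5 libidn/1.18 libssh2/1.4.2'
OK_BANNER='curl 7.36.0 (x86_64-redhat-linux-gnu) libcurl/7.36.0 NSS/3.16 Basic ECC zlib/1.2.5 libidn/1.18 libssh2/1.4.2'

# Print the NSS version found in a curl banner; print nothing if curl
# was built against another TLS backend.
nss_version() {
    printf '%s\n' "$1" | sed -n 's|.*[[:space:]]NSS/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= dotted version $2, comparing each
# field numerically (so 3.15.3 < 3.16, unlike a string comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Classify one banner: "ok", "check" (NSS older than the assumed 3.16
# cut-off), or "not-nss".
classify_banner() {
    ver=$(nss_version "$1")
    if [ -z "$ver" ]; then
        echo "not-nss"
    elif version_ge "$ver" "3.16"; then
        echo "ok NSS/$ver"
    else
        echo "check NSS/$ver"
    fi
}

classify_banner "$NG_BANNER"
classify_banner "$OK_BANNER"
# Classify the local curl too, when one is installed.
if command -v curl >/dev/null 2>&1; then
    classify_banner "$(curl --version | head -n 1)"
fi
```

Because the package version stayed at 7.36.0 in both builds, the linked NSS version in the banner is the field that distinguishes them.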