curl: (35) SSL connect error, NSS error -5938

Question

Hi I am sending an get request using curl but getting error: curl: NSS error -5938, (35) SSL connect error Server detail : Centos, version 6.7

curl 'https://govapps.gov.ca.gov/gov39mail/index.php' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,es;q=0.7' -H 'Cookie: GovMail_Session=au0fcpe9hudqgr2773jrpn7jqi; __utmc=158387685; __utmz=158387685.1535521230.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158387685.1009969492.1535521230.1536342020.1536345121.9; __utmt_b=1; __utmb=158387685.1.10.1536345121' --compressed -v

• About to connect() to govapps.gov.ca.gov port 443 (#0)
• Trying 134.186.207.137... connected
• Connected to govapps.gov.ca.gov (134.186.207.137) port 443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
• NSS error -5938
• Closing connection #0
• SSL connect error curl: (35) SSL connect error

can anyone help me why I am getting this.

Answer 1

It is a mismatch between your curl / openssl version (and libraries between) that do not accept 2018 best cipher, and this particular server that only support those cipher.

Other domain may or may not support more cipher and so curl may (or not) be able to query them.

Only way to fix that: update (or possibly upgrade up to 6.10).

In the future, this can happen again if security increase again.