
We recently upgraded NSS from version 3.44 (nss-3.44.0-4.el7.x86_64) to version 3.53 (nss-3.53.1-3.el7_9.x86_64). After this upgrade, any calls out to our internal website that uses a self-signed certificate fail. We see the following error when curling it or trying to access with any applications like GIT -

#When Curling
curl https://internalsite.com -k
curl: (35) security library: invalid arguments.

#When using Git
git clone https://internalsite.com/stash/scm/repo/my_repo.git
Cloning into 'my_repo'...

fatal: unable to access 'https://internalsite.com/stash/scm/repo/my_repo.git/': security library: invalid arguments.

When downgrading back to NSS 3.44, the problem is resolved. If we hit a site not using a self-signed cert, it works as expected.

Does anyone have any ideas how to resolve this? Everything I read said the changes were backwards compatible, so I don't see why we need to import the cert into NSSDB again. Even after importing, I see the same error.

When troubleshooting, I converted the cert / key to PK12 (openssl pkcs12 -export -out certandkey.pfx -inkey /home/me/stuff/cert.key -in cert.pem), then imported that using pk12util -i certandkey.pfx -d sql:/etc/pki/nssdb. After doing this, I still see the same issue.

Thanks.

user1210304

1 Answer


I opened a ticket with Red Hat about this issue. We use FIPS on our systems, which was killing the connections.

They replied with the following article giving more information:

"Why does curl return error (35) security library: invalid arguments?"
https://access.redhat.com/solutions/5773011

The short version is that the cipher suite the website you are connecting to is trying to use includes an algorithm that does not comply with NIST requirements.

Once a server tries to connect to you with an algorithm that does not comply, FIPS will immediately close the connection.

In order to resolve this, you should try to run ssllabs on the website you are accessing (https://www.ssllabs.com/), look at the "Cipher Suites" and the "Preferred Cipher Order", and ensure that the suites comply with NIST guidelines (they need to use at least a 256 length prime).

user1210304
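As an added example (not from this thread or the Red Hat article), the following Python script does offline what the answer suggests doing by hand: it walks an SSL Labs style "Cipher Suites" listing and flags each suite a FIPS 140-2 client such as NSS in FIPS mode would refuse. The non-approved algorithm list, the NIST-curve-only rule and the 2048-bit DH minimum are a simplified assumption of FIPS policy, and the suite listing is constructed sample input.

```python
import re

# Tokens (between underscores in IANA suite names) that a FIPS 140-2 TLS stack
# rejects. Simplified assumption for this example, not NSS's exact policy table.
NON_APPROVED = {
    "RC4": "RC4", "RC2": "RC2", "DES": "single DES", "MD5": "MD5 MAC",
    "NULL": "NULL cipher", "EXPORT": "export-grade key size", "SEED": "SEED",
    "CHACHA20": "ChaCha20-Poly1305", "CAMELLIA": "Camellia", "anon": "anonymous DH",
}
APPROVED_CURVES = {"secp256r1", "secp384r1", "secp521r1"}  # NIST P-curves only
MIN_DH_BITS = 2048  # FIPS 140-2 minimum for finite-field DH groups

SUITE_RE = re.compile(r"(TLS_[A-Za-z0-9_]+)")
ECDH_RE = re.compile(r"ECDH\s+(\w+)")
DH_RE = re.compile(r"\bDH\s+(\d+)\s+bits")

# Constructed sample in the SSL Labs "Cipher Suites" layout (not a real site).
SAMPLE_SUITES = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_MD5 (0x4)
"""

def why_fips_rejects(line):
    """Reason a FIPS-mode client would refuse this suite line, or None."""
    m = SUITE_RE.search(line)
    if not m:
        return "unparseable line"
    suite, rest = m.group(1), line[m.end():]
    for token in suite.split("_"):  # "3DES" stays distinct from "DES"
        if token in NON_APPROVED:
            return f"{suite}: {NON_APPROVED[token]} is not FIPS approved"
    ecdh = ECDH_RE.search(rest)
    if ecdh and ecdh.group(1) not in APPROVED_CURVES:
        return f"{suite}: curve {ecdh.group(1)} is not a NIST P-curve"
    dh = DH_RE.search(rest)
    if dh and int(dh.group(1)) < MIN_DH_BITS:
        return f"{suite}: DH group of {dh.group(1)} bits is below {MIN_DH_BITS}"
    return None

def triage(report_text):
    """Map each suite name in the report to its rejection reason (None = ok)."""
    results = {}
    for line in filter(None, map(str.strip, report_text.splitlines())):
        m = SUITE_RE.search(line)
        results[m.group(1) if m else line] = why_fips_rejects(line)
    return results
```

Run `triage(SAMPLE_SUITES)` (or paste your own SSL Labs listing) and any suite with a non-None reason is a candidate for the server's preferred order that a FIPS client will drop mid-handshake.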