I can't get curl to download https://www.sicdm.caixa.gov.br/cadmut/login_internet_form.do
on a CentOS 6.2 server.
The command curl -v -k -3 https://www.sicdm.caixa.gov.br/cadmut/login_internet_form.do
yields:
* About to connect() to www.sicdm.caixa.gov.br port 443 (#0)
* Trying 200.201.173.93... connected
* Connected to www.sicdm.caixa.gov.br (200.201.173.93) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
What I've tried so far:
1) Issue the very same curl command on servers hosted with other providers, on my Linux dev machine and on my teammates' machines: the page downloads just fine;
2) Google for NSS error -5938, which did not provide a single helpful tip.
3) Ditch curl and use wget: won't work, since the remote server uses Transfer-Encoding:chunked, which wget doesn't play with.
4) Upgrade/downgrade/compile the latest version of curl, NSS and OpenSSL: the problem persists.
5) Report the problem to the server provider. First they claimed it was an issue with the remote server certificate; I'm doubtful that's the case, since I've told curl to ignore certificate validation (-k flag).
6) Extract a tcpdump of the connection, where "funny" things were found (upper capture):
There are many transmission errors, and the server response to the "Client Key Exchange" phase never reaches our server - even though the ACK packet does! - note the 30s gap between packets 46 and 47. (This happens even if the firewall is disabled.)
For comparison, curling paypal (lower capture) goes just fine.
7) Recontact the server provider, showing the tcpdump findings. They commented nothing about the dump, but said that they tried the command on other servers on their network, and the command failed the same way. Despite this, they still claim the problem is the remote server's crappy certificate, and the way I handle it.
So, what am I missing?
PS: here are some version numbers:
curl -v
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
uname -a
Linux [redacted hostname] 2.6.32-220.23.1.el6.x86_64 #1 SMP Mon Jun 18 18:58:52 BST 2012 x86_64 x86_64 x86_64 GNU/Linux