Cloudflare TLS cipher support

[desseb]

Hello,

New user to tt-rss, I am having an issue with feeds that are hosted behind Cloudflare CDN w/ SSL.

It seems that they force very stringent ciphers which requires setting one of the few supported ciphers (on Centos 6.7) as a curl_setopt.

I've been able to add the following line to tt-rss/include/functions.php (on line 370 or so), which resolves the issue.

Code: Select all

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_3des_sha');

To be fair to tt-rss, this is not a bug with your code, but a lack of default ciphers in NSS. The above cipher is one of the few in the list that Cloudflare supports.

It presents as the SSL connect error 35, but other fixes in the forums don't account for this particular scenario.

Relevant info here: https://bugzilla.redhat.com/show_bug.cgi?id=527771

Here are the versions of relevant packages, if you can think of a better way to handle this issue.

Code: Select all

nss-3.19.1-8.el6_7.x86_64
openssl-1.0.1e-42.el6_7.2.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64

[fox]

1. provide an example of such feed, not everyone is using redhat
2. i'm not going to change default curl settings because of one cloud whatever service, it's up to your distro or curl to fix this

[desseb]

Yes, I realized that as I moved additional feeds, I ran into another problem with a feed hosted by feedly (https://xkcd.com/rss.xml) which required different tlsv2 ciphers.

Since each feed has different potential requirements I agree that it's best not to update tt-rss, since these options force curl to only use the list of ciphers.

The other feed is https://penny-arcade.com/feed.

Hopefully the fix comes soon from RH/Centos.

In case anyone else has this problem with feedly, I had to use the following cipher: rsa_aes_256_sha

Just comma separated in the above command, if you need to force more than one cipher.

[darknite323]

Unless this is a bug in NSS in RH/Centos it looks like this might just be a webserver configuration issue.

NSS shouldn't be restricted to any specific SSL cyphers by default (afaik), if none are defined then is allows all, or at least the most common SSL cyphers.

Not something i've had to look at before, but have a hunt through your server configs, there may be a cypher set configured somewhere else that curl then adheres to. You adding the cypher to the config.php then overrides it for TTRSS.

There is more info here: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html

and here: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
This one shows how to set it server side on Apache for mod_ssl, can't find documentation for mod_nss unfortunately.

I did find the config for openSUSE though:
https://build.opensuse.org/package/view_file/openSUSE:Maintenance:2403/apache2-mod_nss.openSUSE_13.1_Update/mod_nss.conf.in?rev=3
Have a look for the NSSCipherSuite setting.

[fox]

checking with myfeedsucks the penny arcade feed works properly which should be enough to determine ops question really has nothing to do with tt-rss per se, let's not turn this into a "help op fix his linux" thing