How to debug or fix cURL errno 35

Tags: php, curl

I am trying to make a cURL request in PHP to a URL. Whatever I try I always get a cURL errno 35 (for a specific URI). The curl documentation has the following to say:

You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

However when trying to capture this information nothing seems to be returned.

$client = curl_init('https://dev.kelunik.com/css/all.min.css');

$log = fopen('/srv/www/Requestable/data/curl-log.txt', 'a+');

curl_setopt($client, CURLOPT_VERBOSE, 1);
curl_setopt($client, CURLOPT_STDERR, $log);
curl_setopt($client, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($client, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($client, CURLOPT_CAINFO, __DIR__ . '/../../../../data/default.pem');
curl_setopt($client, CURLOPT_FAILONERROR, false);
curl_setopt($client, CURLOPT_RETURNTRANSFER, true);
curl_setopt($client, CURLOPT_HEADER, true);
curl_setopt($client, CURLINFO_HEADER_OUT, true);
curl_setopt($client, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($client, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($client, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);

if (!$response = curl_exec($client)) {
    throw new CurlException('Making request failed: ' . curl_error($client) . '(' . curl_errno($client) . ')');
}

fclose($log);

The above code always throws the CurlException with errno 35, however the defined log file stays empty.

When trying a different URI (with a certificate from the same CA) it just works™. I also checked my root CA bundle, which is fairly up to date:

Certificate data from Mozilla downloaded on: Wed Sep 3 03:12:03 2014

What else can I check to find out what specifically is causing the error?

Note: the URI can be requested both from a browser as well as from my local dev environment just fine

Note 2: I also tried it without manually setting a custom CA root bundle which resulted in the same error.

OpenSSL version:

Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 30.el6_6.5

cURL version:

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
PeeHaa asked Feb 09 '15 20:02


1 Answer

The problem is unrelated to your certificate chains; it's the server configuration at dev.kelunik.com. The server is only accepting ECDHE ciphers (ssllabs). The other server accepts a wider range of ciphers (ssllabs). While your OpenSSL supports ECDHE, the version of cURL you're using is compiled with NSS, which doesn't.

You can compare the output with

curl https://dev.kelunik.com

and

openssl s_client -connect dev.kelunik.com:443 -servername dev.kelunik.com

You've got two solutions here without changing your distro. If you've got access to the other server's configuration, you can change the SSL ciphers to use DHE/RSA ciphers. The exact cipher list would depend on the server configuration - ssllabs has a good blog post on the subject.

Otherwise, you'll need to recompile cURL against OpenSSL to access all available ciphers. Basic instructions are available at http://curl.haxx.se/docs/install.html.

Jeremiah Winsley answered Oct 29 '22 19:10
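
The following PHP diagnostic is an added example, not code from the question or the answer: it reports which TLS library PHP's libcurl was built against (the root cause identified in the answer) and captures the verbose handshake log in memory so it can be read after an errno 35. The function name `diagnoseTls` and the placeholder URL are assumptions.

```php
<?php
// Added example: diagnoseTls() and the placeholder URL are assumptions.
function diagnoseTls(string $url): array
{
    $version = curl_version();
    // In-memory stream, so file paths and permissions cannot hide the log.
    $verbose = fopen('php://temp', 'w+');

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,   // the handshake is all we need
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $verbose,
        // CURLINFO_HEADER_OUT is deliberately not set: PHP implements it with
        // its own debug callback, which takes over libcurl's verbose output
        // from the CURLOPT_STDERR stream.
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    rewind($verbose);
    $log = stream_get_contents($verbose);
    fclose($verbose);

    return [
        'libcurl'          => $version['version'],
        'tls_backend'      => $version['ssl_version'],  // e.g. NSS/... or OpenSSL/...
        'errno'            => $errno,
        'error'            => $error,
        'handshake_failed' => $errno === CURLE_SSL_CONNECT_ERROR,  // errno 35
        'verbose_log'      => $log,
    ];
}

$report = diagnoseTls($argv[1] ?? 'https://example.com/');  // placeholder URL
printf("libcurl %s, TLS backend %s\n", $report['libcurl'], $report['tls_backend']);
printf("errno %d: %s\n", $report['errno'], $report['error'] ?: 'none');
if ($report['handshake_failed']) {
    // Handshake-level failure: compare against `openssl s_client` as the answer suggests.
    echo "TLS handshake failed; verbose log follows:\n", $report['verbose_log'];
}
```

Run it from the CLI with the failing URL as its argument; the reported backend is the one PHP's curl extension uses, which can differ from the system `openssl` binary.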