When attempting to connect to Twitter's API using cURL on CentOS 6.5, you might encounter this frustrating error:
NSS error -5990
SSL connect error
curl: (35) SSL connect error
The interesting part is that other HTTPS sites like encrypted.google.com work fine, which tells us this is not a general SSL connectivity issue.
CentOS 6.5 ships with older versions of:
- cURL (typically 7.19.7)
- NSS (Network Security Services)
- OpenSSL libraries
Twitter's API requires modern TLS protocols (TLS 1.2+), which these old packages don't support by default.
First, check your system's capabilities:
curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
Then test SSL protocols explicitly:
curl --tlsv1.2 https://api.twitter.com
curl --tlsv1.1 https://api.twitter.com
curl --tlsv1.0 https://api.twitter.com
Option 1: Force Modern TLS (Quick Fix)
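Add these flags to your cURL command. The cipher names are in OpenSSL's format; a cURL built against NSS, as in the curl -V output above, uses NSS's own cipher names, so if cURL rejects the list, drop --ciphers and keep --tlsv1.2: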
curl -v --tlsv1.2 --ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384' \
https://api.twitter.com
Option 2: Update System Packages
For CentOS 6.5, you'll need to enable EPEL and update:
sudo yum install epel-release
sudo yum update curl nss openssl
Option 3: Compile Modern cURL
If updates aren't available:
wget https://curl.haxx.se/download/curl-7.68.0.tar.gz
tar -xzf curl-7.68.0.tar.gz
cd curl-7.68.0
./configure --with-ssl
make
sudo make install
Here's a PHP implementation that requires TLS 1.2 and sets the same cipher list:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.twitter.com/1.1/statuses/user_timeline.json");
// Require TLS 1.2 for the handshake.
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
// OpenSSL-format cipher names; a libcurl built against NSS expects NSS names instead.
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384');
// Return the response body from curl_exec() instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}
curl_close($ch);
If you can't modify the server configuration:
- Use a proxy server with modern TLS support
- Route requests through a middleware service
- Consider containerization (Docker) with updated libraries
When attempting to make HTTPS requests to api.twitter.com from a CentOS 6.5 server, you might encounter the SSL connect error with cURL:
[root@webscoming httpdocs]# curl -v https://api.twitter.com
About to connect() to api.twitter.com port 443 (#0)
Trying 199.16.156.199... connected
Connected to api.twitter.com (199.16.156.199) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
NSS error -5990
Closing connection #0
SSL connect error
curl: (35) SSL connect error
The error occurs because Twitter's API requires modern TLS protocols (TLS 1.2+), which may not be supported by default on older systems like CentOS 6.5. The key indicators are:
- Works with https://encrypted.google.com but fails with Twitter API
- NSS error -5990 (SSL_ERROR_NO_CYPHER_OVERLAP)
- Outdated system SSL/TLS libraries
Check your system's SSL capabilities with:
curl --tlsv1.2 -Iv https://api.twitter.com
openssl ciphers -v | grep TLSv1.2
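The following shell script is an added example, not part of the original article: it reads a curl -V line and a captured curl -v log like the ones quoted above and reports the TLS backend, the cipher-name syntax --ciphers expects, and the stage at which the request failed. The function names and the summary format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: offline triage of the two
# outputs quoted above. Function names and summary format are assumptions.

# TLS library named on the first line of `curl -V` (stdin), e.g. NSS/3.19.1.
tls_backend() (
  b=$(head -n 1 | tr ' ' '\n' | grep -E '^(NSS|OpenSSL|GnuTLS|LibreSSL)/' | head -n 1)
  echo "${b:-unknown}"
)

# Cipher-name syntax that --ciphers expects from a given backend string.
cipher_syntax() {
  case "$1" in
    NSS/*)                echo nss ;;
    OpenSSL/*|LibreSSL/*) echo openssl ;;
    GnuTLS/*)             echo gnutls ;;
    *)                    echo unknown ;;
  esac
}

# Summarise a captured `curl -v` log (stdin): exit code, NSS error, stage.
triage_log() (
  log=$(cat)
  code=$(printf '%s\n' "$log" | sed -n 's/^curl: (\([0-9][0-9]*\)).*/\1/p' | head -n 1)
  nss=$(printf '%s\n' "$log" | sed -n 's/.*NSS error \(-[0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    6)  stage=dns ;;            # could not resolve host
    7)  stage=tcp-connect ;;    # could not connect to host
    28) stage=timeout ;;        # operation timed out
    35) stage=tls-handshake ;;  # failure during the TLS handshake
    59) stage=cipher-list ;;    # --ciphers value not usable by the backend
    60) stage=cert-verify ;;    # CA trust failure, not a TLS-version issue
    *)  stage=unknown ;;
  esac
  echo "exit=${code:-none} nss_error=${nss:-none} stage=$stage"
)

# Constructed inputs: lines taken from the outputs quoted on this page.
SAMPLE_VERSION='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2'
SAMPLE_LOG='Connected to api.twitter.com (199.16.156.199) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
NSS error -5990
SSL connect error
curl: (35) SSL connect error'

backend=$(printf '%s\n' "$SAMPLE_VERSION" | tls_backend)
echo "backend=$backend ciphers=$(cipher_syntax "$backend")"
printf '%s\n' "$SAMPLE_LOG" | triage_log
```

Exit code 35 is a handshake failure, so -k/--insecure, which only turns off certificate verification, does not address it.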
Option 1: Force TLS 1.2 in cURL
curl --tlsv1.2 https://api.twitter.com
Option 2: Update NSS and cURL packages
yum update nss curl libcurl
Option 3: Recompile cURL with modern OpenSSL
wget https://curl.haxx.se/download/curl-7.68.0.tar.gz
tar -xzf curl-7.68.0.tar.gz
cd curl-7.68.0
./configure --with-ssl
make
make install
Here's a PHP example that keeps certificate verification enabled and requires TLS 1.2:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.twitter.com/1.1/statuses/user_timeline.json");
// Return the response body from curl_exec() instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Verify the certificate chain and that the certificate matches the host name.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Require TLS 1.2 for the handshake.
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch);
}
curl_close($ch);
?>
If you cannot update system packages, consider:
- Using a proxy server with modern TLS support
- Setting up a middleware service on a newer server
- Using dedicated API gateway solutions