openssl problem after 11 -> 12

Mathieu Arnold mat at freebsd.org
Tue Apr 14 15:07:32 UTC 2020


On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
> Hello,
> 
> After upgrading our Nagios host, I can no longer get status from our older
> HP servers with iLO3.
> 
> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
> of support of older ciphers in base openssl.
> 
> So far, I installed openssl from ports and enabled the weak ciphers,
> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
> perl and perl modules, curl and a few more.
> 
> Still, I get
> 
> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
> *   Trying <iLO3 IP>:443...
> * Connected to <iLO3 IP> port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /usr/local/share/certs/ca-root-nss.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, handshake failure (552):
> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure
> 
> I am at a loss right now on how I could teach the FBSD-12 system to use the
> older ciphers, it still works fine from 11.

Ok, so, let me tell you how I handled something similar a couple of
months back with some ruby scripts that needed to talk to an old
appliance with an old ssl but where ssl was mandatory.

I installed openssl-unsafe (which is a 1.0.2-something with everything
enabled) and I locally rebuilt every bit that needed that old SSL.
This included installing RVM to build a local ruby, and using that ruby to
build the bits those scripts needed...

Now it works, and that machine has a "do not touch" sign. ^^


-- 
Mathieu Arnold