openssl problem after 11 -> 12
Per olof Ljungmark
peo at nethead.se
Tue Apr 14 21:39:35 UTC 2020
On 2020-04-14 19:48, Per olof Ljungmark wrote:
> On 2020-04-14 17:08, Mathieu Arnold wrote:
>> On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
>>> Hello,
>>>
>>> After upgrading our Nagios host, I can no longer get status from our
>>> older
>>> HP servers with iLO3.
>>>
>>> Using a perl script, check_ilo2_health.pl, this stopped working due
>>> to lack
>>> of support of older ciphers in base openssl.
>>>
>>> So far, I installed openssl from ports and enabled the weak ciphers,
>>> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
>>> perl and perl modules, curl and a few more.
>>>
>>> Still, I get
>>>
>>> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
>>> * Trying <iLO3 IP>:443...
>>> * Connected to <iLO3 IP> port 443 (#0)
>>> * ALPN, offering http/1.1
>>> * successfully set certificate verify locations:
>>> * CAfile: /usr/local/share/certs/ca-root-nss.crt
>>> CApath: none
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.3 (IN), TLS alert, handshake failure (552):
>>> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
>>> failure
>>> * Closing connection 0
>>> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
>>> handshake
>>> failure
>>>
>>> I am at loss right now on how I could teach the FBSD-12 system to use
>>> the
>>> older ciphers, it still works fine from 11.
>>
>> Ok, so, let me tell you how I handled something similar a couple of
>> months back with some ruby scripts that needed to talk to an old
>> appliance with an old ssl but where ssl was mandatory.
>>
>> I installed openssl-unsafe (which is a 1.0.2-something with everything
>> enabled) and I locally rebuilt every bits that needed that old SSL.
>> This included installing RVM to build a local ruby, and use that ruby to
>> build the bits those scripts needed...
>>
>> Now it works, and that machine has a "do not touch" sign. ^^
>>
>>
>
> THank you for the tip, I thought openssl from ports with the weak
> ciphers enabled would be sufficient, iLO3 is not THAT ancient I thought
> but maybe it is. I'll let the portmaster run finish and if that does not
> help I will test your suggestion.
>
Finally managed to figure it out, you need to tell the perl script
exactly what cipher to use, so I added to 'check_ilo2_health.pl':
--sslopts 'SSL_verify_mode => SSL_VERIFY_NONE, SSL_version => "TLSv1_1",
SSL_cipher_list => "EDH-RSA-DES-CBC3-SHA"'
Works with openssl from ports.
More information about the freebsd-ports
mailing list