From: Per olof Ljungmark
To: ports@freebsd.org
Subject: openssl problem after 11 -> 12
Date: Tue, 14 Apr 2020 11:58:05 +0200
Message-ID: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se>

Hello,

After upgrading our Nagios host, I can no longer get status from our older HP servers with iLO3. Using a perl script, check_ilo2_health.pl, this stopped working due to lack of support of older ciphers in base openssl.

So far, I installed openssl from ports and enabled the weak ciphers, adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt perl and perl modules, curl and a few more.

Still, I get

    curl -v --insecure --tlsv1.1 -v https://
    * Trying :443...
    * Connected to port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /usr/local/share/certs/ca-root-nss.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
    * Closing connection 0
    curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I am at a loss right now on how I could teach the FBSD-12 system to use the older ciphers, it still works fine from 11.

Thanks for hints.

Per
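
Added example, not part of the original message and not code from curl or OpenSSL: a Python sketch that decodes the two numbers in the transcript above, curl's alert code 552 and OpenSSL error 14094410, and checks that they agree. It assumes the OpenSSL 1.0/1.1 error-code layout; the function names are hypothetical.

```python
import re

# Constructed sample: the two diagnostic lines copied from the transcript above.
TRANSCRIPT = """\
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
"""

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions a server typically sends when it rejects a ClientHello.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security"}
ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = offset + alert number for received alerts


def decode_curl_alert(code):
    """curl's OpenSSL trace prints an alert record as (level << 8) | description."""
    level, desc = code >> 8, code & 0xFF
    return ALERT_LEVELS.get(level, "unknown"), desc, ALERT_NAMES.get(desc, "unknown")


def decode_openssl_error(hex_code):
    """Unpack an error code, assuming the OpenSSL 1.0/1.1 layout:
    8-bit library, 12-bit function, 12-bit reason."""
    value = int(hex_code, 16)
    lib, func, reason = (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF
    is_alert = lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET
    return lib, func, reason, (reason - SSL_AD_REASON_OFFSET if is_alert else None)


def diagnose(transcript):
    """Cross-check the alert line against the error line of a curl -v transcript."""
    alert = re.search(r"\((IN|OUT)\), TLS alert, .*\((\d+)\):", transcript)
    error = re.search(r"error:([0-9A-Fa-f]{8}):", transcript)
    if not alert or not error:
        return None  # no TLS alert recorded; the failure lies elsewhere
    level, desc, name = decode_curl_alert(int(alert.group(2)))
    _, _, _, from_error = decode_openssl_error(error.group(1))
    return {"sent_by": "peer" if alert.group(1) == "IN" else "client",
            "level": level, "alert": desc, "name": name,
            "consistent": from_error == desc}


if __name__ == "__main__":
    print(diagnose(TRANSCRIPT))
```

Both numbers decode to a fatal handshake_failure (40) alert received from the remote end, so the rejection comes from the iLO in response to what the ClientHello offered, not from a local certificate or CA-file check.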