Date: Tue, 14 Apr 2020 17:08:19 +0200
From: Mathieu Arnold <mat@freebsd.org>
To: Per olof Ljungmark <peo@nethead.se>
Cc: ports@freebsd.org
Subject: Re: openssl problem after 11 -> 12
Message-ID: <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc>
In-Reply-To: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se>
References: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se>
On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
> Hello,
>
> After upgrading our Nagios host, I can no longer get status from our older
> HP servers with iLO3.
>
> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
> of support of older ciphers in base openssl.
>
> So far, I installed openssl from ports and enabled the weak ciphers,
> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
> perl and perl modules, curl and a few more.
>
> Still, I get
>
> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
> * Trying <iLO3 IP>:443...
> * Connected to <iLO3 IP> port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /usr/local/share/certs/ca-root-nss.crt
> CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, handshake failure (552):
> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure
>
> I am at a loss right now on how I could teach the FBSD-12 system to use the
> older ciphers, it still works fine from 11.

Ok, so, let me tell you how I handled something similar a couple of months
back with some ruby scripts that needed to talk to an old appliance with an
old ssl but where ssl was mandatory.

I installed openssl-unsafe (which is a 1.0.2-something with everything
enabled) and I locally rebuilt every bit that needed that old SSL. This
included installing RVM to build a local ruby, and using that ruby to build
the bits those scripts needed...

Now it works, and that machine has a "do not touch" sign.
-- 
Mathieu Arnold
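The curl trace quoted in the report can be read mechanically. The following Python example is added here and is not part of the thread; it unpacks the OpenSSL 1.x error code and curl's alert number using constants from the OpenSSL headers and the TLS alert registry (RFC 5246), and shows that the iLO answered the ClientHello with a fatal handshake_failure alert, i.e. it found no protocol version or cipher suite it was willing to negotiate with the newer client.

```python
import re

# Constants from OpenSSL 1.x headers (err.h / ssl.h), not from the thread.
ERR_LIB_SSL = 20                       # 0x14, printed by OpenSSL as "SSL routines"
SSL_FUNCS = {148: "ssl3_read_bytes"}   # SSL_F_SSL3_READ_BYTES
SSL_REASONS = {1040: "sslv3 alert handshake failure"}  # SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE
# TLS alert levels and the descriptions relevant to version/cipher mismatches (RFC 5246, 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# Lines quoted from the report in the thread above.
CURL_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
"""

def decode_openssl_error(code):
    """Unpack an OpenSSL 1.x error code: 8 bits library, 12 bits function, 12 bits reason."""
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "lib": "SSL routines" if lib == ERR_LIB_SSL else "lib %d" % lib,
        "func": SSL_FUNCS.get(func, "func %d" % func),
        "reason": SSL_REASONS.get(reason, "reason %d" % reason),
    }

def decode_curl_alert(number):
    """curl prints a received TLS alert as (level << 8) | description; 552 = 2 << 8 | 40."""
    level, desc = number >> 8, number & 0xFF
    return ALERT_LEVELS.get(level, "level %d" % level), ALERT_DESCS.get(desc, "alert %d" % desc)

def explain_trace(trace):
    """Pull the alert and the OpenSSL error out of a curl -v trace and classify the failure."""
    result = {}
    m = re.search(r"TLS alert, .*?\((\d+)\):", trace)
    if m:
        result["alert"] = decode_curl_alert(int(m.group(1)))
    m = re.search(r"error:([0-9A-Fa-f]{8}):", trace)
    if m:
        result["error"] = decode_openssl_error(int(m.group(1), 16))
    # A fatal handshake_failure straight after the ClientHello means the server rejected
    # the offered versions/cipher suites; the client never got as far as a certificate.
    result["server_rejected_handshake"] = result.get("alert", ("", ""))[1] == "handshake_failure"
    return result

if __name__ == "__main__":
    print(explain_trace(CURL_TRACE))
```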