Date: Tue, 14 Apr 2020 17:08:19 +0200
From: Mathieu Arnold
To: Per olof Ljungmark
Cc: ports@freebsd.org
Subject: Re: openssl problem after 11 -> 12
Message-ID: <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc>
In-Reply-To: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se>
List-Id: Porting software to FreeBSD

On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
> Hello,
> 
> After upgrading our Nagios host, I can no longer get status from our older
> HP servers with iLO3.
> 
> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
> of support of older ciphers in base openssl.
> 
> So far, I installed openssl from ports and enabled the weak ciphers,
> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
> perl and perl modules, curl and a few more.
> 
> Still, I get
> 
> curl -v --insecure --tlsv1.1 -v https://
> * Trying :443...
> * Connected to port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /usr/local/share/certs/ca-root-nss.crt
>   CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, handshake failure (552):
> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure
> 
> I am at a loss right now on how I could teach the FBSD-12 system to use the
> older ciphers, it still works fine from 11.

Ok, so, let me tell you how I handled something similar a couple of months
back with some ruby scripts that needed to talk to an old appliance with an
old ssl but where ssl was mandatory.

I installed openssl-unsafe (which is a 1.0.2-something with everything
enabled) and I locally rebuilt every bit that needed that old SSL. This
included installing RVM to build a local ruby, and using that ruby to build
the bits those scripts needed...

Now it works, and that machine has a "do not touch" sign.
^^

-- 
Mathieu Arnold
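A diagnostic that fits the curl failure quoted above, added here as an example and not code from either message in the thread. A handshake_failure alert from the server normally means it found no protocol version or cipher suite it could use in the ClientHello, and curl's --tlsv1.1 only raises the minimum version (the quoted trace still shows a TLSv1.3 ClientHello), so it does not tell you which single version the iLO would accept. The script below uses openssl s_client to pin one protocol version per attempt, offers the widest cipher list the local OpenSSL build has, and reports what each attempt negotiated. HOST and PORT are assumed arguments, since the iLO address in the thread is elided; parse_handshake, probe and list_ciphers are names chosen for this example. '@SECLEVEL=0' is OpenSSL 1.1.0+ cipher-string syntax; a 1.0.2-based binary such as openssl-unsafe does not understand it, so set CIPHERS=ALL when probing with that build.

```shell
#!/bin/sh
# Added example, not code from the thread: probe an old TLS endpoint one
# protocol version at a time with openssl s_client and report what, if
# anything, each attempt negotiated.  HOST/PORT are assumed arguments; the
# iLO address in the thread is not given, so nothing is hard-coded here.

# Cipher list offered to the server.  '@SECLEVEL=0' (OpenSSL 1.1.0+) lifts
# the default security level so the library offers every cipher it was
# built with.  A 1.0.2-based openssl (e.g. openssl-unsafe) rejects that
# syntax, so run with CIPHERS=ALL against such a binary.
CIPHERS=${CIPHERS:-ALL:@SECLEVEL=0}

# parse_handshake: read s_client output on stdin and print one line:
# "ok <protocol> <cipher>" when a session was negotiated, otherwise
# "fail <reason>" derived from the alert or option error s_client printed.
parse_handshake() {
    awk '
        /^ *Protocol *:/                { proto  = $3 }
        /^ *Cipher *:/                  { cipher = $3 }
        /alert handshake failure/       { reason = "handshake_failure" }
        /alert protocol version/        { reason = "protocol_version" }
        /unsupported protocol/          { reason = "unsupported_protocol" }
        /unknown option|Unknown option/ { reason = "unknown_option" }
        /Connection refused/            { reason = "connection_refused" }
        END {
            # s_client prints "Cipher : 0000" when no session was established
            if (cipher != "" && cipher != "0000")
                print "ok", proto, cipher
            else
                print "fail", (reason == "" ? "no_session" : reason)
        }'
}

# probe HOST [PORT]: one s_client run per protocol version.  -tls1, -tls1_1,
# ... pin that exact version, unlike curl --tlsv1.1 which only sets a floor.
probe() {
    host=$1
    port=${2:-443}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:$port" -"$ver" \
                     -cipher "$CIPHERS" </dev/null 2>&1 | parse_handshake)
        printf '%-7s %s\n' "$ver" "$result"
    done
}

# list_ciphers: every cipher the local OpenSSL build can offer at all.  If
# the appliance's cipher is not in this list, no cipher string will help;
# only a differently built OpenSSL (the thread's openssl-unsafe) would.
list_ciphers() {
    openssl ciphers -v "$CIPHERS"
}

# Usage: sh probe_tls.sh HOST [PORT]
if [ -n "${1:-}" ]; then
    probe "$1" "${2:-443}"
fi
```

Reading the output: a line such as "tls1    ok TLSv1 DES-CBC3-SHA" next to "tls1_2  fail handshake_failure" tells you the appliance speaks TLS 1.0 only and which cipher it wants, which is then the version and cipher the rebuilt perl/curl stack has to be able to offer.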