From owner-freebsd-ports@freebsd.org  Tue Apr 14 17:48:41 2020
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 62E782C5D26
 for <freebsd-ports@mailman.nyi.freebsd.org>;
 Tue, 14 Apr 2020 17:48:41 +0000 (UTC) (envelope-from peo@nethead.se)
Received: from ns1.nethead.se (ns1.nethead.se [5.150.237.139])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "ns1.nethead.se", Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 491tJS3359z4WDJ
 for <freebsd-ports@freebsd.org>; Tue, 14 Apr 2020 17:48:40 +0000 (UTC)
 (envelope-from peo@nethead.se)
X-Virus-Scanned: amavisd-new at Nethead AB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nethead.se;
 s=NETHEADSE; t=1586886512;
 bh=5++BGf1FrP6gNxHxr5ef9TZyTRPzWv+tJ5jG65FKmok=;
 h=Subject:To:References:From:Date:In-Reply-To;
 b=fe6sAyDFFgWoxp449wlFV+YAy4HFwbE/+vVkbmh2MbxclU3zY8FGUx27OgRzWwH4f
 /F33nL31mApPMPH2oj0DtY/8gT3h+Y/RBkJT4gq8sY5Xq2ksth88xMBEM+3UBnZDCU
 W3zOWLO+XjXKPIMCxeZPjE+yqcGSwDLYdC1va+rg=
Subject: Re: openssl problem after 11 -> 12
To: freebsd-ports@freebsd.org
References: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se>
 <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc>
From: Per olof Ljungmark <peo@nethead.se>
Message-ID: <1232ac82-24c4-66e7-cdf6-db72fb769ed9@nethead.se>
Date: Tue, 14 Apr 2020 19:48:30 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 491tJS3359z4WDJ
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=nethead.se header.s=NETHEADSE header.b=fe6sAyDF;
 dmarc=pass (policy=none) header.from=nethead.se;
 spf=pass (mx1.freebsd.org: domain of peo@nethead.se designates 5.150.237.139
 as permitted sender) smtp.mailfrom=peo@nethead.se
X-Spamd-Result: default: False [-5.87 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[nethead.se:s=NETHEADSE];
 FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:5.150.237.139];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[nethead.se:+];
 DMARC_POLICY_ALLOW(-0.50)[nethead.se,none];
 RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+];
 IP_SCORE(-2.87)[ip: (-9.78), ipnet: 5.150.192.0/18(-4.89), asn: 8473(0.35),
 country: SE(-0.03)]; 
 ASN(0.00)[asn:8473, ipnet:5.150.192.0/18, country:SE];
 MID_RHS_MATCH_FROM(0.00)[]
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 17:48:41 -0000

On 2020-04-14 17:08, Mathieu Arnold wrote:
> On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
>> Hello,
>>
>> After upgrading our Nagios host, I can no longer get status from our older
>> HP servers with iLO3.
>>
>> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
>> of support of older ciphers in base openssl.
>>
>> So far, I installed openssl from ports and enabled the weak ciphers,
>> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
>> perl and perl modules, curl and a few more.
>>
>> Still, I get
>>
>> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
>> *   Trying <iLO3 IP>:443...
>> * Connected to <iLO3 IP> port 443 (#0)
>> * ALPN, offering http/1.1
>> * successfully set certificate verify locations:
>> *   CAfile: /usr/local/share/certs/ca-root-nss.crt
>>    CApath: none
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS alert, handshake failure (552):
>> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
>> * Closing connection 0
>> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
>> failure
>>
>> I am at loss right now on how I could teach the FBSD-12 system to use the
>> older ciphers, it still works fine from 11.
> 
> Ok, so, let me tell you how I handled something similar a couple of
> months back with some ruby scripts that needed to talk to an old
> appliance with an old ssl but where ssl was mandatory.
> 
> I installed openssl-unsafe (which is a 1.0.2-something with everything
> enabled) and I locally rebuilt every bits that needed that old SSL.
> This included installing RVM to build a local ruby, and use that ruby to
> build the bits those scripts needed...
> 
> Now it works, and that machine has a "do not touch" sign. ^^
> 
> 

THank you for the tip, I thought openssl from ports with the weak 
ciphers enabled would be sufficient, iLO3 is not THAT ancient I thought 
but maybe it is. I'll let the portmaster run finish and if that does not 
help I will test your suggestion.

Per