Date: Tue, 14 Apr 2020 23:39:23 +0200
From: Per olof Ljungmark <peo@nethead.se>
To: freebsd-ports@freebsd.org
Subject: Re: openssl problem after 11 -> 12
Message-ID: <1e35fefe-b8a8-0dc5-5b4a-adf205ff4263@nethead.se>
In-Reply-To: <1232ac82-24c4-66e7-cdf6-db72fb769ed9@nethead.se>
References: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se> <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc> <1232ac82-24c4-66e7-cdf6-db72fb769ed9@nethead.se>
On 2020-04-14 19:48, Per olof Ljungmark wrote:
> On 2020-04-14 17:08, Mathieu Arnold wrote:
>> On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
>>> Hello,
>>>
>>> After upgrading our Nagios host, I can no longer get status from our older
>>> HP servers with iLO3.
>>>
>>> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
>>> of support of older ciphers in base openssl.
>>>
>>> So far, I installed openssl from ports and enabled the weak ciphers,
>>> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
>>> perl and perl modules, curl and a few more.
>>>
>>> Still, I get
>>>
>>> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
>>> *   Trying <iLO3 IP>:443...
>>> * Connected to <iLO3 IP> port 443 (#0)
>>> * ALPN, offering http/1.1
>>> * successfully set certificate verify locations:
>>> *   CAfile: /usr/local/share/certs/ca-root-nss.crt
>>>   CApath: none
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.3 (IN), TLS alert, handshake failure (552):
>>> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
>>> * Closing connection 0
>>> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
>>>
>>> I am at a loss right now on how I could teach the FBSD-12 system to use the
>>> older ciphers, it still works fine from 11.
>>
>> Ok, so, let me tell you how I handled something similar a couple of
>> months back with some ruby scripts that needed to talk to an old
>> appliance with an old ssl but where ssl was mandatory.
>>
>> I installed openssl-unsafe (which is a 1.0.2-something with everything
>> enabled) and I locally rebuilt every bit that needed that old SSL.
>> This included installing RVM to build a local ruby, and use that ruby to
>> build the bits those scripts needed...
>>
>> Now it works, and that machine has a "do not touch" sign.
^^
>>
>>
>
> Thank you for the tip, I thought openssl from ports with the weak
> ciphers enabled would be sufficient, iLO3 is not THAT ancient I thought
> but maybe it is. I'll let the portmaster run finish and if that does not
> help I will test your suggestion.
>

Finally managed to figure it out, you need to tell the perl script exactly
what cipher to use, so I added to 'check_ilo2_health.pl':

--sslopts 'SSL_verify_mode => SSL_VERIFY_NONE, SSL_version => "TLSv1_1", SSL_cipher_list => "EDH-RSA-DES-CBC3-SHA"'

Works with openssl from ports.
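As an added example (not from the thread and not part of check_ilo2_health.pl), here are the same options the final message passes via --sslopts, applied to a bare IO::Socket::SSL connection. Running this on its own shows whether the handshake succeeds with the pinned protocol and cipher before the Nagios plugin is touched, and reports the negotiated parameters so the result can be recorded. The host name is a placeholder to fill in; the protocol and cipher strings are the ones from the message; the probe_ilo_tls function and its option names are this example's own.

```perl
#!/usr/bin/env perl
# Added example: probe a legacy iLO3 with the exact TLS settings from the
# thread, using IO::Socket::SSL directly (the module check_ilo2_health.pl
# hands its --sslopts to). Not part of the original script.
use strict;
use warnings;
use IO::Socket::SSL;

# Placeholder: replace with the iLO3 address from your own inventory.
my $host = $ARGV[0] // 'ILO3_HOST_PLACEHOLDER';

# Returns (hashref describing the negotiated session, undef) on success, or
# (undef, error text) on failure. The error text carries OpenSSL's message,
# so a "handshake refused" result (the curl: (35) case in the thread) can be
# told apart from a plain TCP connection failure.
sub probe_ilo_tls {
    my ($peer, %opt) = @_;

    # Pin protocol and cipher for THIS socket only; every other TLS client on
    # the host keeps the default, stricter OpenSSL settings.
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $peer,
        PeerPort        => 443,
        Timeout         => 10,
        # Same effect as the curl --insecure run quoted in the thread:
        # the peer certificate is not validated.
        SSL_verify_mode => SSL_VERIFY_NONE,
        SSL_version     => $opt{version} // 'TLSv1_1',
        SSL_cipher_list => $opt{cipher}  // 'EDH-RSA-DES-CBC3-SHA',
    ) or return (undef, "connect/handshake failed: $SSL_ERROR");

    my %info = (
        version => $sock->get_sslversion,   # e.g. "TLSv1_1"
        cipher  => $sock->get_cipher,       # e.g. "EDH-RSA-DES-CBC3-SHA"
    );
    $sock->close(SSL_ctx_free => 1);
    return (\%info, undef);
}

my ($info, $err) = probe_ilo_tls($host);
if ($info) {
    printf "handshake ok: %s / %s\n", $info->{version}, $info->{cipher};
} else {
    print "$err\n";
    exit 2;
}
```

Run it as `perl probe.pl <iLO3 IP>`; the same `SSL_version`/`SSL_cipher_list` pair can then be handed to the plugin through `--sslopts` as in the message. Two points worth keeping in mind: the downgrade lives in this one socket rather than in a system-wide OpenSSL configuration, so only connections to the iLO3 accept TLS 1.1 and 3DES, and `SSL_verify_mode => SSL_VERIFY_NONE` can be replaced by pointing `SSL_ca_file` at a copy of the iLO's own certificate if you want the check to notice that certificate changing.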