From: Anton Shepelev <anton.txt@gmail.moc>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Configuring OpenSSL to connect to an old server
Date: Thu, 26 Sep 2024 14:29:30 -0000 (UTC)
Organization: To protect and to server
Message-ID: <vd3r49$3bfpp$1@paganini.bofh.team>
User-Agent: tin/2.6.3-20231224 ("Banff") (FreeBSD/14.1-RELEASE (amd64))

Hello, all

I am trying to connect to my work network via OpenConnect
from my FreeBSD 14.1 RELEASE. The command that used to work
on another OS:

   echo XXXXXXX | \
   openconnect -vvvv --authgroup REM \
   --servercert pin-sha256:XXXXXXXXXXXXXXX= \
   -u anton --passwd-on-stdin X.X.X.X

now fails with:

   00202139C9090000: error: 0A000152: SSL routines:
   final_renegotiate: unsafe legacy renegotiation disabled:
   /usr/src/crypto/openssl/ssl/statem/extensions.c:894:

I found suggestions on StackOverflow to specify one of the
following lines in the config file:

   Options = UnsafeLegacyRenegotiation
   Options = UnsafeLegacyServerConnect

Neither helps, but both change the error to:

   0020E1F579080000: error: 0A00014D:SSL routines:
   tls_process_key_exchange: legacy sigalg disallowed or unsupported:
   /usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:

Also in connection with this problem, the option
SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by
default since OpenSSL 3.0, and I have 3.0.13. But how can I
set these OpenSSL options? There is a C API for it,
ssl_set_options(3), but I cannot find information on setting
them in the configuration file or the environment.

Can you help?

In fact, I couldn't find either of the options mentioned on SO:

   >man -wK UnsafeLegacy

yields nothing. Furthermore, the `openssl' man page
references config(5), but on this FreeBSD it is not about
OpenSSL, but about the Kernel configuration file format. Is
it an error in the doc. distribution, or am I using `man'
wrong?
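
Added example, not part of the original post: one way to set these options from a configuration file that applies to a single command through the OPENSSL_CONF environment variable, so the system-wide OpenSSL defaults stay unchanged. The function names and the temporary file are hypothetical, and CipherString = DEFAULT@SECLEVEL=0 assumes the "legacy sigalg" error comes from the default security level rejecting the old server's signature algorithm.

```shell
#!/bin/sh
# Added example: per-command OpenSSL configuration for one legacy endpoint.
# write_legacy_conf, conf_value and with_legacy_tls are hypothetical names.

# Write a minimal OpenSSL config file to the path given in $1.
write_legacy_conf() {
    cat > "$1" <<'EOF'
# Constructed config: only processes started with OPENSSL_CONF pointing
# at this file get the relaxed settings.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Sets SSL_OP_LEGACY_SERVER_CONNECT, the narrower of the two options.
Options = UnsafeLegacyServerConnect
# Assumption: security level 0 is needed for the server's legacy
# (SHA-1/MD5 based) signature in the key exchange.
CipherString = DEFAULT@SECLEVEL=0
EOF
}

# Print the value of key $2 in section $3 of config file $1,
# to confirm what a given file really sets.
conf_value() {
    awk -v key="$2" -v sect="[$3]" '
        /^\[/ { in_sect = ($0 == sect) }
        in_sect && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# Run the given command with the legacy config in its environment only,
# then remove the file and return the command's exit status.
with_legacy_tls() {
    conf=$(mktemp "${TMPDIR:-/tmp}/openssl-legacy.XXXXXX") || return 1
    write_legacy_conf "$conf"
    rc=0
    OPENSSL_CONF="$conf" "$@" || rc=$?
    rm -f "$conf"
    return "$rc"
}

# Usage, with the placeholders from the post:
#   echo XXXXXXX | with_legacy_tls openconnect -vvvv --authgroup REM \
#       --servercert pin-sha256:XXXXXXXXXXXXXXX= -u anton --passwd-on-stdin X.X.X.X
```

The Options and CipherString lines take effect only when the section chain from openssl_conf down to system_default_sect is present; on their own at the top of a file they are ignored.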