From: Anton Shepelev <anton.txt@gmail.moc>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Configuring OpenSSL to connect to an old server
Date: Thu, 26 Sep 2024 15:02:03 -0000 (UTC)
Message-ID: <vd3t1a$3bjhk$1@paganini.bofh.team>
References: <vd3r49$3bfpp$1@paganini.bofh.team>
User-Agent: tin/2.6.3-20231224 ("Banff") (FreeBSD/14.1-RELEASE (amd64))

Anton Shepelev <anton.txt@gmail.moc> wrote:

>   Options = UnsafeLegacyRenegotiation
>   Options = UnsafeLegacyServerConnect
>
> Neither help, but both change changed to:
>
>   0020E1F579080000:
>   error:
>   0A00014D:SSL routines:
>   tls_process_key_exchange:
>   legacy sigalg disallowed or unsupported:
>   /usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:
>
> Also in connection with this problem, the option
> SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
> since OpenSSL 3.0, and I have 3.0.13. But how can I set these
> OpenSSL options?

According to the SSL_CONF_cmd man page (unavailable on my system,
although OpenSSL is installed), the configuration-file option
UnsafeLegacyServerConnect is equivalent to SSL_OP_LEGACY_SERVER_CONNECT:

  <https://docs.openssl.org/master/man3/SSL_CONF_cmd/#supported-configuration-file-commands>

So I /did/ follow the proposed solution, after all. That said, how can
I determine what legacy algorithm is required, whether it is disallowed
(and therefore can be enabled) or unsupported (and a different version
of OpenSSL is required)?

There is also a solved OpenVPN issue for this error:

  <https://github.com/OpenVPN/openvpn/issues/348#issuecomment-1568546165>

The solution consists in specifying the following OpenVPN options:

  tls-cert-profile insecure
  providers legacy default
  compat-mode 2.3.0

But I fail to see how these options may be translated to OpenSSL
configuration...