From owner-freebsd-ports@freebsd.org Tue Apr 14 21:39:35 2020 Return-Path: Delivered-To: freebsd-ports@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 091092CA1C3 for ; Tue, 14 Apr 2020 21:39:35 +0000 (UTC) (envelope-from peo@nethead.se) Received: from ns1.nethead.se (ns1.nethead.se [5.150.237.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "ns1.nethead.se", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 491zQt0r6cz3K2K for ; Tue, 14 Apr 2020 21:39:33 +0000 (UTC) (envelope-from peo@nethead.se) X-Virus-Scanned: amavisd-new at Nethead AB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nethead.se; s=NETHEADSE; t=1586900366; bh=VghhrnADXW0UkUYkwjS7uUGpkJ8FCXapW8k8kdarDTg=; h=Subject:To:References:From:Date:In-Reply-To; b=XzJQ5gAEBmcC/pjy7X3f5JZ+8EPOq5zvO/ayiVR8EhZX/cxmkzanBAblCjtRz7BnT 0ISg8iuuy8oph2SgVAHEWfCmrl4BbwxZOhaR51AmcKZ2qxc9a+VTK3FMQBj84HXObL jgM6d5vkSgLcXYIONhFCS+xQkbhov1ix1vmipO7I= Subject: Re: openssl problem after 11 -> 12 To: freebsd-ports@freebsd.org References: <1b820dcf-34ad-b7af-d25c-ea337f9376b2@nethead.se> <20200414150819.zpo7znhwipg65fsm@aching.in.mat.cc> <1232ac82-24c4-66e7-cdf6-db72fb769ed9@nethead.se> From: Per olof Ljungmark Message-ID: <1e35fefe-b8a8-0dc5-5b4a-adf205ff4263@nethead.se> Date: Tue, 14 Apr 2020 23:39:23 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 MIME-Version: 1.0 In-Reply-To: <1232ac82-24c4-66e7-cdf6-db72fb769ed9@nethead.se> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 491zQt0r6cz3K2K X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=nethead.se header.s=NETHEADSE header.b=XzJQ5gAE; dmarc=pass (policy=none) header.from=nethead.se; spf=pass (mx1.freebsd.org: domain of peo@nethead.se designates 5.150.237.139 as permitted sender) smtp.mailfrom=peo@nethead.se X-Spamd-Result: default: False [-5.88 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[nethead.se:s=NETHEADSE]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:5.150.237.139]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[nethead.se:+]; DMARC_POLICY_ALLOW(-0.50)[nethead.se,none]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; IP_SCORE(-2.88)[ip: (-9.79), ipnet: 5.150.192.0/18(-4.89), asn: 8473(0.31), country: SE(-0.03)]; ASN(0.00)[asn:8473, ipnet:5.150.192.0/18, country:SE]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Apr 2020 21:39:35 -0000 On 2020-04-14 19:48, Per olof Ljungmark wrote: > On 2020-04-14 17:08, Mathieu Arnold wrote: >> On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote: >>> Hello, >>> >>> After upgrading our Nagios host, I can no longer get status from our >>> older >>> HP servers with iLO3. >>> >>> Using a perl script, check_ilo2_health.pl, this stopped working due >>> to lack >>> of support of older ciphers in base openssl. >>> >>> So far, I installed openssl from ports and enabled the weak ciphers, >>> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt >>> perl and perl modules, curl and a few more. >>> >>> Still, I get >>> >>> curl -v --insecure --tlsv1.1 -v https:// >>> *   Trying :443... >>> * Connected to port 443 (#0) >>> * ALPN, offering http/1.1 >>> * successfully set certificate verify locations: >>> *   CAfile: /usr/local/share/certs/ca-root-nss.crt >>>    CApath: none >>> * TLSv1.3 (OUT), TLS handshake, Client hello (1): >>> * TLSv1.3 (IN), TLS alert, handshake failure (552): >>> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake >>> failure >>> * Closing connection 0 >>> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert >>> handshake >>> failure >>> >>> I am at loss right now on how I could teach the FBSD-12 system to use >>> the >>> older ciphers, it still works fine from 11. >> >> Ok, so, let me tell you how I handled something similar a couple of >> months back with some ruby scripts that needed to talk to an old >> appliance with an old ssl but where ssl was mandatory. >> >> I installed openssl-unsafe (which is a 1.0.2-something with everything >> enabled) and I locally rebuilt every bits that needed that old SSL. >> This included installing RVM to build a local ruby, and use that ruby to >> build the bits those scripts needed... >> >> Now it works, and that machine has a "do not touch" sign. ^^ >> >> > > THank you for the tip, I thought openssl from ports with the weak > ciphers enabled would be sufficient, iLO3 is not THAT ancient I thought > but maybe it is. I'll let the portmaster run finish and if that does not > help I will test your suggestion. > Finally managed to figure it out, you need to tell the perl script exactly what cipher to use, so I added to 'check_ilo2_health.pl': --sslopts 'SSL_verify_mode => SSL_VERIFY_NONE, SSL_version => "TLSv1_1", SSL_cipher_list => "EDH-RSA-DES-CBC3-SHA"' Works with openssl from ports.