From: Matthias Andree
Date: Wed, 15 Apr 2020 22:06:52 +0200
To: freebsd-ports@freebsd.org
Subject: Re: openssl problem after 11 -> 12

On 15.04.20 at 07:55, Per olof Ljungmark wrote:
> On 2020-04-15 00:39, Matthias Andree wrote:
>>
>>> Finally managed to figure it out, you need to tell the perl script
>>> exactly what cipher to use, so I added to 'check_ilo2_health.pl':
>>> --sslopts 'SSL_verify_mode => SSL_VERIFY_NONE, SSL_version =>
>>> "TLSv1_1", SSL_cipher_list => "EDH-RSA-DES-CBC3-SHA"'
>>>
>>> Works with openssl from ports.
>>
>> But "SSL_VERIFY_NONE" should be unrelated to the versioning/cipher
>> issues.
>> If you need SSL_VERIFY_NONE, then the certificate and/or chains and/or
>> trusts are not configured properly.
>>
>
> Yes, it is unrelated, the server certs are self-signed.

Then by all means transfer the CA's certificate safely and deploy it on
the peers' trust storage, so that you can actually verify the server
certificate. SSL_VERIFY_NONE is so... 1990s.
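
The advice in the reply above, written out with IO::Socket::SSL as an added example (not part of the original message and not code from check_ilo2_health.pl): the client keeps the protocol version and cipher quoted in the thread but verifies the server against a locally deployed certificate file. The host name and file path are hypothetical placeholders.

```perl
#!/usr/bin/env perl
# Added example: verify a device with a self-signed certificate against a
# locally deployed trust anchor instead of using SSL_VERIFY_NONE.
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Hypothetical values: the device's name as it appears in its certificate,
# and the path where the certificate, copied over a trusted channel,
# was installed on this client.
my $host    = 'ilo.example.internal';
my $ca_file = '/usr/local/etc/ssl/ilo-ca.pem';

# Fail early and clearly if the trust anchor was never deployed.
die "trust anchor $ca_file is missing or unreadable\n" unless -r $ca_file;

my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => 443,
    Timeout             => 10,
    SSL_verify_mode     => SSL_VERIFY_PEER,    # replaces SSL_VERIFY_NONE
    SSL_ca_file         => $ca_file,           # the deployed certificate
    SSL_verifycn_name   => $host,              # name must match the cert
    SSL_verifycn_scheme => 'http',
    # Version and cipher exactly as quoted in the thread; they address the
    # handshake problem and are independent of certificate verification.
    SSL_version         => 'TLSv1_1',
    SSL_cipher_list     => 'EDH-RSA-DES-CBC3-SHA',
) or die "TLS connection to $host not verified: $! / $SSL_ERROR\n";

# Reaching this point means the chain and the name both checked out.
printf "verified %s\n", $host;
printf "  subject:     %s\n", $sock->peer_certificate('subject');
printf "  issuer:      %s\n", $sock->peer_certificate('issuer');
printf "  negotiated:  %s, %s\n", $sock->get_sslversion, $sock->get_cipher;
printf "  fingerprint: %s\n", $sock->get_fingerprint('sha256');

$sock->close;
```

If the connection dies with a certificate error, the deployed file does not match what the device presents or the name in the certificate differs from `$host`; both are the misconfigurations that `SSL_VERIFY_NONE` would have hidden.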