• Re: Configuring OpenSSL to connect to an old server

    From Anton Shepelev@21:1/5 to Anton Shepelev on Thu Sep 26 15:02:03 2024
    Anton Shepelev <anton.txt@gmail.moc> wrote:

    > Options = UnsafeLegacyRenegotiation
    > Options = UnsafeLegacyServerConnect
    >
    > Neither helps, but both change it to:
    >
    > 0020E1F579080000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:
    >
    > Also in connection with this problem, the option
    > SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
    > since OpenSSL 3.0, and I have 3.0.13. But how can I set these
    > OpenSSL options?

    According to the SSL_CONF_cmd man page (unavailable on my system,
    although OpenSSL is installed), the configuration-file option
    UnsafeLegacyServerConnect is equivalent to
    SSL_OP_LEGACY_SERVER_CONNECT:

    <https://docs.openssl.org/master/man3/SSL_CONF_cmd/#supported-configuration-file-commands>

    So I /did/ follow the proposed solution, after all. That said, how
    can I determine what legacy algorithm is required, whether it is
    disallowed (and therefore can be enabled) or unsupported (and a
    different version of OpenSSL is required)?

    There is also a solved OpenVPN issue for this error:

    <https://github.com/OpenVPN/openvpn/issues/348#issuecomment-1568546165>

    The solution consists in specifying the following OpenVPN options:

    tls-cert-profile insecure
    providers legacy default
    compat-mode 2.3.0

    But I fail to see how these options may be translated to OpenSSL configuration...

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
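The configuration-file form of those options, as an added example rather than anything posted in the thread. It assumes OpenSSL 3.x reading its default openssl.cnf (or the file named by the OPENSSL_CONF environment variable), and that the "legacy sigalg disallowed" error comes from the security level rejecting a pre-TLS-1.2 handshake signature, which is the usual cause of that message in 3.0:

```ini
# Constructed openssl.cnf fragment (not from the thread). The top-level
# "openssl_conf" name is what OpenSSL looks for when it auto-loads its config.
openssl_conf = openssl_init

[openssl_init]
ssl_conf  = ssl_sect        # SSL_CONF_cmd commands, applied to every SSL_CTX
providers = provider_sect   # optional: also load the legacy provider

[provider_sect]
default = default_sect
legacy  = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1                # only needed for legacy ciphers/digests (e.g. RC4, MD4)

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Equivalent to SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
# "Options" takes a comma-separated list.
Options = UnsafeLegacyServerConnect,UnsafeLegacyRenegotiation
# A server that only speaks TLS 1.0/1.1 also needs the floor lowered and the
# security level dropped, otherwise the legacy RSA/MD5+SHA1 sigalg is rejected.
MinProtocol  = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
```

Running `OPENSSL_CONF=/path/to/this.cnf openconnect ...` confines SECLEVEL=0 and the relaxed renegotiation checks to that one invocation instead of every OpenSSL-linked program on the host.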
  • From Anton Shepelev@21:1/5 to All on Thu Sep 26 14:29:30 2024
    Hello, all

    I am trying to connect to my work network via OpenConnect from
    my FreeBSD 14.1 RELEASE. The command that used to work on another
    OS:
    echo XXXXXXX | \
    openconnect -vvvv --authgroup REM \
    --servercert pin-sha256:XXXXXXXXXXXXXXX= \
    -u anton --passwd-on-stdin X.X.X.X

    now fails with:

    00202139C9090000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:/usr/src/crypto/openssl/ssl/statem/extensions.c:894:

    I found suggestions on StackOverflow to specify one of the
    following lines in the config file:

    Options = UnsafeLegacyRenegotiation
    Options = UnsafeLegacyServerConnect

    Neither helps, but both change it to:

    0020E1F579080000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:

    Also in connection with this problem, the option
    SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
    since OpenSSL 3.0, and I have 3.0.13. But how can I set these
    OpenSSL options? There is a C API for it, ssl_set_options(3), but
    I cannot find information on setting them in the configuration file
    or the environment. Can you help?

    In fact, I couldn't find either of the options mentioned on SO:

    man -wK UnsafeLegacy

    yields nothing. Furthermore, the `openssl' man page references
    config(5), but on this FreeBSD it is not about OpenSSL, but about
    the Kernel configuration file format. Is it an error in the doc.
    distribution, or am I using `man' wrong?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)