Subject: Configuring OpenSSL to connect to an old server
From: Anton Shepelev
Newsgroups: comp.unix.bsd.freebsd.misc
Organization: To protect and to server
Date: Thu, 26 Sep 2024 14:29 UTC
Message-ID: <vd3r49$3bfpp$1@paganini.bofh.team>

Hello, all

I am trying to connect to my work network via OpenConnect from
my FreeBSD 14.1 RELEASE. The command that used to work on another
OS:
echo XXXXXXX | \
openconnect -vvvv --authgroup REM \
--servercert pin-sha256:XXXXXXXXXXXXXXX= \
-u anton --passwd-on-stdin X.X.X.X

now fails with:

00202139C9090000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:/usr/src/crypto/openssl/ssl/statem/extensions.c:894:

I found suggestions on StackOverflow to specify one of the
following lines in the config file:

Options = UnsafeLegacyRenegotiation
Options = UnsafeLegacyServerConnect

Neither helps, but both change the error to:

0020E1F579080000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:

Also in connection with this problem, the option
SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
since OpenSSL 3.0, and I have 3.0.13 . But how can I set these
OpenSSL options? There is a C API for it, ssl_set_options(3), but
I cannot find information on setting them in the configuration file
or the environment. Can you help?

In fact, I couldn't find either of the options mentioned on SO:

>man -wK UnsafeLegacy

yields nothing. Furthermore, the `openssl' man page references
config(5), but on this FreeBSD it is not about OpenSSL, but about
the Kernel configuration file format. Is it an error in the doc.
distribution, or am I using `man' wrong?

Subject: Re: Configuring OpenSSL to connect to an old server
From: Anton Shepelev
Newsgroups: comp.unix.bsd.freebsd.misc
Organization: To protect and to server
Date: Thu, 26 Sep 2024 15:02 UTC
References: 1
Message-ID: <vd3t1a$3bjhk$1@paganini.bofh.team>
References: <vd3r49$3bfpp$1@paganini.bofh.team>

Anton Shepelev <anton.txt@gmail.moc> wrote:

> Options = UnsafeLegacyRenegotiation
> Options = UnsafeLegacyServerConnect
>
> Neither helps, but both change the error to:
>
> 0020E1F579080000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:
>
> Also in connection with this problem, the option
> SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
> since OpenSSL 3.0, and I have 3.0.13 . But how can I set these
> OpenSSL options?

According to the SSL_CONF_cmd man page (unavailable on my system,
although OpenSSL is installed), the configuration-file option
UnsafeLegacyServerConnect is equivalent to
SSL_OP_LEGACY_SERVER_CONNECT:

<https://docs.openssl.org/master/man3/SSL_CONF_cmd/#supported-configuration-file-commands>

So I /did/ follow the proposed solution, after all. That said, how
can I determine what legacy algorithm is required, whether it is
disallowed (and therefore can be enabled) or unsupported (and a
different version of OpenSSL is required)?

There is also a solved OpenVPN issue for this error:

<https://github.com/OpenVPN/openvpn/issues/348#issuecomment-1568546165>

The solution consists in specifying the following OpenVPN options:

tls-cert-profile insecure
providers legacy default
compat-mode 2.3.0

But I fail to see how these options may be translated to OpenSSL
configuration...
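An added example, not from either post, of where the SSL_CONF commands discussed in this thread go in an OpenSSL 3 configuration file, together with the closest OpenSSL-config counterparts of the three OpenVPN options quoted above. The file name is an assumption, and the SECLEVEL line rests on the assumption that the server speaks TLS 1.0/1.1 (whose SHA1/MD5-signed key exchange is what the "legacy sigalg disallowed or unsupported" error refers to at the OpenSSL 3.0 default security level 1).

```ini
# openssl-legacy.cnf  (constructed example; the file name is an assumption)
openssl_conf = openssl_init

[openssl_init]
ssl_conf  = ssl_sect
providers = provider_sect

# --- SSL_CONF_cmd(3) commands applied to every SSL_CTX the program creates --
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Same effect as SSL_OP_LEGACY_SERVER_CONNECT: allow the initial handshake
# with a server that does not send the renegotiation_info extension.
Options = UnsafeLegacyServerConnect
# Assumption: the server negotiates TLS 1.0/1.1, so its ServerKeyExchange is
# signed with SHA1 or MD5-SHA1, which OpenSSL 3.0 rejects at security level 1.
# Level 0 re-admits it; this is the rough counterpart of OpenVPN's
# "tls-cert-profile insecure" and "compat-mode 2.3.0".
CipherString = DEFAULT:@SECLEVEL=0

# --- Counterpart of OpenVPN's "providers legacy default" --------------------
# Only needed if the handshake also uses an algorithm OpenSSL 3 moved into the
# legacy provider (e.g. RC4 or DES); listing providers explicitly means the
# default provider must now be activated by hand too.
[provider_sect]
default = default_sect
legacy  = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Point only the one client at it, e.g. `OPENSSL_CONF=/path/to/openssl-legacy.cnf openconnect ...`, rather than editing the system openssl.cnf, so the relaxed settings do not apply to every OpenSSL program on the host.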
