* [ISSUE] Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 18:29 UTC
To: ml
New issue by djaonline on void-packages repository
https://github.com/void-linux/void-packages/issues/49793
Description:
### Is this a new report?
Yes
### System Info
Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF
### Package(s) Affected
curl-8.7.1_1, gnutls-3.8.5_1, libcurl-8.7.1_1
### Does a report exist for this bug with the project's home (upstream) and/or another distro?
_No response_
### Expected behaviour
`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: successful receiving of data
### Actual behaviour
`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`
### Steps to reproduce
`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`
* Re: Can't connect to tls v1.0 server after update
From: iFoundSilentHouse @ 2024-04-10 18:50 UTC
To: ml
New comment by iFoundSilentHouse on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048224023
Comment:
Doesn't work for me either. OpenSSL update didn't help.
* Re: [ISSUE] [CLOSED] Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 19:04 UTC
To: ml
Closed issue by djaonline on void-packages repository
https://github.com/void-linux/void-packages/issues/49793
* Re: Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 19:04 UTC
To: ml
New comment by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048251084
Comment:
This is an upstream feature since OpenSSL 3 as these are insecure. You can apply the workaround at https://github.com/openssl/openssl/discussions/22752#discussioncomment-7617584 if you really have to.
* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 21:29 UTC
To: ml
New comment by djaonline on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048462018
Comment:
@leahneukirchen openconnect uses gnutls. How to set up TLS v1.0 with it? (All worked without any manipulations before this update: curl-8.7.1_1, gnutls-3.8.5_1, libcurl-8.7.1_1)
* Re: Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 21:40 UTC
To: ml
New comment by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048483266
Comment:
GnuTLS 3.8.5 does TLS 1.0 by default, your problem is somewhere else.
* Re: Can't connect to tls v1.0 server after update
From: classabbyamp @ 2024-04-10 21:49 UTC
To: ml
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048493423
Comment:
the error message states the error comes from openssl, not sure where gnutls fits in this picture...
* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 22:56 UTC
To: ml
New comment by djaonline on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048559708
Comment:
@classabbyamp Ok, the original issue was with the `NetworkManager-openconnect` plugin. I couldn't connect to the VPN server after the update I mentioned. Then I tried curl. Now curl is working with the workaround pointed out by @leahneukirchen. But `NetworkManager-openconnect` doesn't work. Here is its log:
```
POST https://xxx
Attempting to connect to server xxx.xx.xx.xx:443
Connected to xxx.xx.xx.xx:443
SSL negotiation with xxx
SSL connection failure: The encryption algorithm is not supported.
Failed to open HTTPS connection to xxx
```
* Re: Can't connect to tls v1.0 server after update
From: classabbyamp @ 2024-04-11 0:09 UTC
To: ml
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048628282
Comment:
then why did the issue not talk about this in the first place?!
anyway, gnutls supports TLSv1, your issue is not TLSv1:
```
gnutls-cli -p 1010 tls-v1-0.badssl.com
|<1>| There was a non-CA certificate in the trusted list: CN=localhost.
Processed 171 CA certificate(s).
Resolving 'tls-v1-0.badssl.com:1010'...
Connecting to '104.154.89.105:1010'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=*.badssl.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x038d399dce3f272a52aa08671d7603ff3741, RSA key 2048 bits, signed using RSA-SHA256, activated `2024-02-21 20:27:20 UTC', expires `2024-05-21 20:27:19 UTC', pin-sha256="JKXtzx/YH0ugREvDDr7Mc1XHuoXKiunCsuUxI6gR2H8="
Public Key ID:
sha1:f18ff011801230f13168e060ed2231106ad03bab
sha256:24a5edcf1fd81f4ba0444bc30ebecc7355c7ba85ca8ae9c2b2e53123a811d87f
Public Key PIN:
pin-sha256:JKXtzx/YH0ugREvDDr7Mc1XHuoXKiunCsuUxI6gR2H8=
- Certificate[1] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Status: The certificate is trusted.
- Description: (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-256-CBC)-(SHA1)
- Session ID: F8:B4:2F:A2:84:D8:A7:CD:57:11:41:12:DB:67:A3:E0:6B:51:D6:F6:95:82:83:F2:00:2F:BB:AB:37:B6:7B:9F
- Options: safe renegotiation,
- Handshake was completed
```
you should probably contact your VPN admin and ask them to update their TLS configuration too
* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-11 5:23 UTC
To: ml
New comment by djaonline on void-packages repository
https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048947232
Comment:
@classabbyamp
> then why did the issue not talk about this in the first place?!
My fault. I thought mentioning curl would be enough. Anyway, thank you for your involvement.
> Anyway, gnutls supports TLSv1, your issue is not TLSv1:
Admins say they didn't change anything. Windows Cisco AnyConnect works without an issue. NetworkManager-openconnect had been working too before the update.
And the last try :). The result of `gnutls-cli xxx`:
```
Resolving 'xxx:443'...
Connecting to 'xxx.xx.xx.xx:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=*.xxx', issuer `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', serial 0x6ae640253db2cdb9a97bf8a0, RSA key 2048 bits, signed using RSA-SHA256, activated `2024-01-23 13:51:08 UTC', expires `2025-02-23 13:51:07 UTC', pin-sha256="7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM="
Public Key ID:
sha1:c588dc648e300da16345c0d7de2f0fe4fcd30834
sha256:ef0fa958fcd5bf9da3958cf32ed43290eb867a288c8da9234378fa751e565aa3
Public Key PIN:
pin-sha256:7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM=
- Certificate[1] info:
- subject `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', issuer `CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE', serial 0x7d4d42a92b431d7e6453e7c19a8d5877, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-10-12 03:49:43 UTC', expires `2027-10-12 00:00:00 UTC', pin-sha256="BbrVIhEYvvBL6FiyC7nzVKLLDU3GPYdqHWAfk0ev/80="
- Status: The certificate is trusted.
*** Fatal error: The encryption algorithm is not supported.
```
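The two `gnutls-cli` transcripts in this thread, reduced to a one-line verdict each (negotiated protocol version on success, last step reached and GnuTLS error text on failure). This is an added example, not part of the original thread: the sample transcripts are constructed (abridged from the outputs above, with a documentation IP address), and `gnutls_summary`, `sample_ok` and `sample_fail` are hypothetical names.

```sh
#!/bin/sh
# Added example: summarise a gnutls-cli transcript read on stdin as one line.
# gnutls_summary, sample_ok and sample_fail are hypothetical names.
gnutls_summary() {
    awk '
        BEGIN { stage = "none" }
        # Remember the last handshake step the transcript reached.
        /^Connecting to /       { stage = "tcp-connect" }
        /^- Certificate type:/  { stage = "server-certificate" }
        /^- Status: /           { stage = "certificate-verified" }
        # Negotiated parameters, e.g. (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-256-CBC)-(SHA1)
        /^- Description: \(/ {
            d = $0
            sub(/^- Description: \(/, "", d)
            proto = d
            sub(/-.*/, "", proto)              # protocol version is the text before the first "-"
            suite = substr(d, index(d, ")-(") + 3)
            gsub(/\)-\(/, "/", suite)          # remaining groups, joined with "/"
            sub(/\)$/, "", suite)
        }
        /^- Handshake was completed/ { done = 1 }
        /^\*\*\* Fatal error: / {
            reason = $0
            sub(/^\*\*\* Fatal error: /, "", reason)
        }
        END {
            if (done && proto != "") print "ok proto=" proto " suite=" suite
            else if (reason != "")   print "fail stage=" stage " reason=" reason
            else                     print "unknown"
        }
    '
}

# Constructed sample transcripts, abridged from the two outputs in the thread.
sample_ok() { cat <<'EOF'
Connecting to '192.0.2.10:1010'...
- Certificate type: X.509
- Status: The certificate is trusted.
- Description: (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-256-CBC)-(SHA1)
- Handshake was completed
EOF
}
sample_fail() { cat <<'EOF'
Connecting to '192.0.2.10:443'...
- Certificate type: X.509
- Status: The certificate is trusted.
*** Fatal error: The encryption algorithm is not supported.
EOF
}

sample_ok | gnutls_summary
sample_fail | gnutls_summary
```

Against a live host the same function can read `gnutls-cli -p 443 HOST </dev/null 2>&1`, where HOST is a placeholder and `2>&1` keeps any error text in the piped stream.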