Github messages for voidlinux
* [ISSUE] Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 18:29 UTC
  To: ml

New issue by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793

Description:
### Is this a new report?

Yes

### System Info

Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF

### Package(s) Affected

curl-8.7.1_1,gnutls-3.8.5_1, libcurl-8.7.1_1

### Does a report exist for this bug with the project's home (upstream) and/or another distro?

_No response_

### Expected behaviour

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: successful receiving of data

### Actual behaviour

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`

### Steps to reproduce

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`

* Re: Can't connect to tls v1.0 server after update
From: iFoundSilentHouse @ 2024-04-10 18:50 UTC
  To: ml

New comment by iFoundSilentHouse on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048224023

Comment:
Doesn't work for me either. Openssl update didn't help

* Re: [ISSUE] [CLOSED] Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 19:04 UTC
  To: ml

Closed issue by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793

Description:
### Is this a new report?

Yes

### System Info

Void 6.6.25_1 x86_64 GenuineIntel uptodate rFF

### Package(s) Affected

curl-8.7.1_1,gnutls-3.8.5_1, libcurl-8.7.1_1

### Does a report exist for this bug with the project's home (upstream) and/or another distro?

_No response_

### Expected behaviour

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: successful receiving of data

### Actual behaviour

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`

### Steps to reproduce

`curl -v https://${someTLSv10server}`, where ${someTLSv10server} is the domain of a server that supports only TLS v1.0
output: `...OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol`

* Re: Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 19:04 UTC
  To: ml

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048251084

Comment:
This is an upstream feature since OpenSSL 3 as these are insecure.  You can apply the workaround at https://github.com/openssl/openssl/discussions/22752#discussioncomment-7617584 if you really have to.

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 21:26 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048462018

Comment:
@leahneukirchen openconnect uses gnutls. How to setup tls v1.0 with it?

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 21:29 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048462018

Comment:
@leahneukirchen openconnect uses gnutls. How to setup tls v1.0 with it? (All worked before this update: curl-8.7.1_1,gnutls-3.8.5_1, libcurl-8.7.1_1)

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 21:29 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048462018

Comment:
@leahneukirchen openconnect uses gnutls. How to setup tls v1.0 with it? (All worked without any manipulations before this update: curl-8.7.1_1,gnutls-3.8.5_1, libcurl-8.7.1_1)

* Re: Can't connect to tls v1.0 server after update
From: leahneukirchen @ 2024-04-10 21:40 UTC
  To: ml

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048483266

Comment:
GnuTLS 3.8.5 does TLS 1.0 by default, your problem is somewhere else.

* Re: Can't connect to tls v1.0 server after update
From: classabbyamp @ 2024-04-10 21:49 UTC
  To: ml

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048493423

Comment:
the error message states the error comes from openssl, not sure where gnutls fits in this picture... 

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 22:49 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048559708

Comment:
@classabbyamp Ok, the original issue was with the `NetworkManager-openconnect` plugin. I couldn't connect to the VPN server after the update I mentioned. Then I tried curl. Now curl is working with the workaround pointed out by @leahneukirchen. But `NetworkManager-openconnect` is still not working. Here is its log:
```
POST https://xxx
Attempting to connect to server xxx.xx.xx.xx:443
Connected to xxx.xx.xx.xx:443
SSL negotiation with xxx
SSL connection failure: The encryption algorithm is not supported.
Failed to open HTTPS connection to xxx
```

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-10 22:56 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048559708

Comment:
@classabbyamp Ok, the original issue was with the `NetworkManager-openconnect` plugin. I couldn't connect to the VPN server after the update I mentioned. Then I tried curl. Now curl is working with the workaround pointed out by @leahneukirchen. But `NetworkManager-openconnect` doesn't work. Here is its log:
```
POST https://xxx
Attempting to connect to server xxx.xx.xx.xx:443
Connected to xxx.xx.xx.xx:443
SSL negotiation with xxx
SSL connection failure: The encryption algorithm is not supported.
Failed to open HTTPS connection to xxx
```

* Re: Can't connect to tls v1.0 server after update
From: classabbyamp @ 2024-04-11 0:09 UTC
  To: ml

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048628282

Comment:
then why did the issue not talk about this in the first place?!

anyway, gnutls supports TLSv1, your issue is not TLSv1:

```
gnutls-cli -p 1010 tls-v1-0.badssl.com
|<1>| There was a non-CA certificate in the trusted list: CN=localhost.
Processed 171 CA certificate(s).
Resolving 'tls-v1-0.badssl.com:1010'...
Connecting to '104.154.89.105:1010'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.badssl.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x038d399dce3f272a52aa08671d7603ff3741, RSA key 2048 bits, signed using RSA-SHA256, activated `2024-02-21 20:27:20 UTC', expires `2024-05-21 20:27:19 UTC', pin-sha256="JKXtzx/YH0ugREvDDr7Mc1XHuoXKiunCsuUxI6gR2H8="
	Public Key ID:
		sha1:f18ff011801230f13168e060ed2231106ad03bab
		sha256:24a5edcf1fd81f4ba0444bc30ebecc7355c7ba85ca8ae9c2b2e53123a811d87f
	Public Key PIN:
		pin-sha256:JKXtzx/YH0ugREvDDr7Mc1XHuoXKiunCsuUxI6gR2H8=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Status: The certificate is trusted. 
- Description: (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-256-CBC)-(SHA1)
- Session ID: F8:B4:2F:A2:84:D8:A7:CD:57:11:41:12:DB:67:A3:E0:6B:51:D6:F6:95:82:83:F2:00:2F:BB:AB:37:B6:7B:9F
- Options: safe renegotiation,
- Handshake was completed
```

you should probably contact your VPN admin and ask them to update their TLS configuration too

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-11 5:23 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048947232

Comment:
@classabbyamp 
>then why did the issue not talk about this in the first place?!

My fault. I thought mentioning would be enough. Anyway thank you for your involvement.

>Anyway, gnutls supports TLSv1, your issue is not TLSv1:

Admins say they didn't change anything. Windows Cisco AnyConnect works without an issue. NetworkManager-openconnect had been working too before the update.

And the last try:). The result of `gnutls-cli  xxx`:
```
Resolving 'xxx:443'...
Connecting to 'xxx.xx.xx.xx:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.xxx', issuer `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', serial 0x6ae640253db2cdb9a97bf8a0, RSA key 2048 bits, signed using RSA-SHA256, activated `2024-01-23 13:51:08 UTC', expires `2025-02-23 13:51:07 UTC', pin-sha256="7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM="
        Public Key ID:
                sha1:c588dc648e300da16345c0d7de2f0fe4fcd30834
                sha256:ef0fa958fcd5bf9da3958cf32ed43290eb867a288c8da9234378fa751e565aa3
        Public Key PIN:
                pin-sha256:7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM=

- Certificate[1] info:
 - subject `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', issuer `CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE', serial 0x7d4d42a92b431d7e6453e7c19a8d5877, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-10-12 03:49:43 UTC', expires `2027-10-12 00:00:00 UTC', pin-sha256="BbrVIhEYvvBL6FiyC7nzVKLLDU3GPYdqHWAfk0ev/80="
- Status: The certificate is trusted. 
*** Fatal error: The encryption algorithm is not supported.
```

* Re: Can't connect to tls v1.0 server after update
From: djaonline @ 2024-04-11 5:23 UTC
  To: ml

New comment by djaonline on void-packages repository

https://github.com/void-linux/void-packages/issues/49793#issuecomment-2048947232

Comment:
@classabbyamp 
>then why did the issue not talk about this in the first place?!

My fault. I thought mentioning curl would be enough. Anyway thank you for your involvement.

>Anyway, gnutls supports TLSv1, your issue is not TLSv1:

Admins say they didn't change anything. Windows Cisco AnyConnect works without an issue. NetworkManager-openconnect had been working too before the update.

And the last try:). The result of `gnutls-cli  xxx`:
```
Resolving 'xxx:443'...
Connecting to 'xxx.xx.xx.xx:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.xxx', issuer `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', serial 0x6ae640253db2cdb9a97bf8a0, RSA key 2048 bits, signed using RSA-SHA256, activated `2024-01-23 13:51:08 UTC', expires `2025-02-23 13:51:07 UTC', pin-sha256="7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM="
        Public Key ID:
                sha1:c588dc648e300da16345c0d7de2f0fe4fcd30834
                sha256:ef0fa958fcd5bf9da3958cf32ed43290eb867a288c8da9234378fa751e565aa3
        Public Key PIN:
                pin-sha256:7w+pWPzVv52jlYzzLtQykOuGeiiMjakjQ3j6dR5WWqM=

- Certificate[1] info:
 - subject `CN=AlphaSSL CA - SHA256 - G4,O=GlobalSign nv-sa,C=BE', issuer `CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE', serial 0x7d4d42a92b431d7e6453e7c19a8d5877, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-10-12 03:49:43 UTC', expires `2027-10-12 00:00:00 UTC', pin-sha256="BbrVIhEYvvBL6FiyC7nzVKLLDU3GPYdqHWAfk0ev/80="
- Status: The certificate is trusted. 
*** Fatal error: The encryption algorithm is not supported.
```
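
A triage sketch for the three kinds of output quoted in this thread, added here as an example and not code from any participant or from the Void, OpenSSL or GnuTLS projects: it decodes the OpenSSL error number, parses the gnutls-cli `Description:` line, and separates a protocol-version rejection from an algorithm rejection. The function names, the class labels and the attribution of the "Fatal error" wording to GnuTLS are assumptions of this example.

```python
import re

# OpenSSL 3 packs an error code as: library number in bits 23-30, reason in bits 0-22.
ERR_LIB_SSL = 20
SSL_R_UNSUPPORTED_PROTOCOL = 258
LEGACY_PROTOCOLS = {"SSL3.0", "TLS1.0", "TLS1.1"}

OPENSSL_ERR = re.compile(r"OpenSSL/[\d.]+\w*: error:([0-9A-Fa-f]{8}):")
GNUTLS_DESC = re.compile(r"- Description: ((?:\([^)]+\)-?)+)")
# Assumption: this wording is treated as GnuTLS because gnutls-cli prints it in the thread.
GNUTLS_FATAL = re.compile(r"(?:\*\*\* Fatal error|SSL connection failure): (.+)")

# Sample inputs constructed from lines quoted in the thread.
CURL_SAMPLE = "OpenSSL/3.1.5: error:0A000102:SSL routines::unsupported protocol"
GNUTLS_OK = ("- Status: The certificate is trusted.\n"
             "- Description: (TLS1.0-X.509)-(ECDHE-SECP256R1)-(AES-256-CBC)-(SHA1)\n"
             "- Handshake was completed")
GNUTLS_FAIL = ("- Status: The certificate is trusted.\n"
               "*** Fatal error: The encryption algorithm is not supported.")


def decode_openssl_error(hex_code):
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    code = int(hex_code, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF


def legacy_parameters(parts):
    """List deprecated or legacy items among the groups of a Description line."""
    protocol = parts[0].split("-")[0]          # "TLS1.0-X.509" -> "TLS1.0"
    found = ["protocol " + protocol] if protocol in LEGACY_PROTOCOLS else []
    for part in parts[1:]:
        if "CBC" in part:
            found.append("cipher " + part)
        elif part in ("MD5", "SHA1"):
            found.append("mac " + part)
    return found


def classify(output):
    """Name the library and the failure class behind a TLS client transcript."""
    m = OPENSSL_ERR.search(output)
    if m:
        version = decode_openssl_error(m.group(1)) == (ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL)
        return {"library": "OpenSSL", "class": "protocol-version" if version else "other"}
    m = GNUTLS_DESC.search(output)
    if m:
        parts = re.findall(r"\(([^)]+)\)", m.group(1))
        return {"library": "GnuTLS", "class": "handshake-ok", "legacy": legacy_parameters(parts)}
    m = GNUTLS_FATAL.search(output)
    if m:
        algo = "algorithm" in m.group(1).lower()
        return {"library": "GnuTLS", "class": "algorithm" if algo else "other"}
    return {"library": "unknown", "class": "unknown"}


if __name__ == "__main__":
    for sample in (CURL_SAMPLE, GNUTLS_OK, GNUTLS_FAIL):
        print(classify(sample))
```

The `legacy` list is also useful on successful handshakes: it records which deprecated parameters a client still negotiates, so the exception can be tracked until the server side is updated.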
