Saturday, December 10, 2022

Re: Problems with IO::Socket::SSL since upgraded to 7.2

If I read correctly, the Mikrotik is using an SSLv3 certificate, which I
guess shouldn't be in use anymore.

My suggestion is to use local::lib to install older versions of
IO::Socket::SSL and all other required dependencies, but since those
will depend on older C libraries as well, you might have far
more problems downgrading everything than setting up a VM with an older
version of OpenBSD that you know is compatible.

It might be a bug as well. You might want to reach out to the module
maintainer.

On 10/12/2022 17:01, Federico Giannici wrote:
> Since I upgraded from OpenBSD 7.1 to 7.2 (amd64) I'm no longer able to
> use IO::Socket::SSL perl library to connect to some devices (Mikrotik
> routers, via their API).
>
> This is the only debug info I was able to obtain:
>
> DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed
> error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
> failure
> DEBUG: .../IO/Socket/SSL.pm:845: fatal SSL error: SSL connect attempt
> failed error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert
> handshake failure
> DEBUG: ...nbsd/IO/Socket.pm:48: ignoring less severe local error
> 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed
> error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
> failure'
>
>
> Since I cannot change the SSL protocol used by the Mikrotik devices, I
> suspect that the only solution is to set the SSL "security_level" to 0
> in my perl script.
>
> Unfortunately it seems that both perl functions
> Net::SSLeay::set_security_level() and
> Net::SSLeay::CTX_set_security_level() don't work. I get the following
> error. Maybe they are not implemented in our version of Net::SSLeay perl
> library?
>
> Can't locate auto/Net/SSLeay/set_securit.al in @INC (@INC contains:
> /usr/local/libdata/perl5/site_perl/amd64-openbsd
> /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/amd64-openbsd
> /usr/libdata/perl5) at
> /usr/local/libdata/perl5/site_perl/IO/Socket/SSL.pm line 741.
>
>
>
> So, as an extreme solution I tried to set the SECLEVEL=0 at a global
> level in the server, following the instructions I found here, but it
> didn't work either:
>
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
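
Added example, not part of the thread: a small Perl decoder for the packed error code in the debug output quoted above (`error:14004410:...`), assuming the classic OpenSSL/LibreSSL layout of 8-bit library, 12-bit function and 12-bit reason. In the SSL library a reason above 1000 is 1000 plus the number of the TLS alert the peer sent, and the "sslv3 alert ..." text is the library's fixed name for that reason code; the sub name `decode_ssl_error` and the alert table are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# TLS alert descriptions (RFC 5246 / RFC 8446), subset relevant to handshakes.
my %ALERT = (
    40 => 'handshake_failure',
    42 => 'bad_certificate',
    47 => 'illegal_parameter',
    48 => 'unknown_ca',
    70 => 'protocol_version',
    71 => 'insufficient_security',
    80 => 'internal_error',
);

# Hypothetical helper: split "error:XXXXXXXX:" into library, function, reason.
sub decode_ssl_error {
    my ($line) = @_;
    my ($hex) = $line =~ /error:([0-9A-Fa-f]{8}):/ or return;
    my $code = hex $hex;
    my %e = (
        lib    => ($code >> 24) & 0xFF,     # 20 is the SSL library
        func   => ($code >> 12) & 0xFFF,
        reason => $code & 0xFFF,
    );
    # SSL library reasons above 1000 carry the alert number sent by the peer.
    if ($e{lib} == 20 && $e{reason} > 1000) {
        $e{alert}      = $e{reason} - 1000;
        $e{alert_name} = $ALERT{ $e{alert} } // 'unknown';
        $e{origin}     = 'alert received from peer';
    }
    else {
        $e{origin} = 'local library error';
    }
    return \%e;
}

# Error string from the debug output in the thread, joined onto one line.
my $sample = 'error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:'
           . 'sslv3 alert handshake failure';

my $e = decode_ssl_error($sample) or die "no error code found\n";
printf "lib=%d func=%d reason=%d origin=%s\n", @$e{qw(lib func reason origin)};
printf "alert=%d (%s)\n", $e->{alert}, $e->{alert_name} if exists $e->{alert};
```

For the code in the thread this reports reason 1040, that is alert 40 (handshake_failure) sent by the remote device during ServerHello processing.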
