Sunday, December 11, 2022

Re: Problems with IO::Socket::SSL since upgraded to 7.2

On 11/12/2022 07:34, Stuart Henderson wrote:
> On 2022-12-10, Alceu Rodrigues de Freitas Junior <glasswalk3r@yahoo.com.br> wrote:
>> If I read correctly, the Mikrotik is using an SSLv3 certificate, which I
>> guess shouldn't be in use anymore.
>
> There's no such thing as "an SSLv3 certificate", they are all just X.509
> certs. The sslv3 refers to the type of alert, sslv3 alerts are still
> used in TLS; SSLv3 itself hasn't been supported for years.

That's quite confusing. Since SSL v3 was deprecated, I assumed the
mentioned router was quite old and that's the reason it was failing with
newer versions of OpenBSD.

> It doesn't necessarily use a certificate anyway, it may well be using
> ADH for this. Federico, do you have a cert configured for the api-ssl
> service on the routeros device, in "/ip service print"?

And now I'm even more confused; it looks like I still can't get my head
around OpenSSL. Looking here:

https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS

The certificate may define the ciphers it accepts, but what does
"It doesn't necessarily use a certificate anyway" mean, and what is its
relation to the ADH cipher?

>> On 10/12/2022 17:01, Federico Giannici wrote:
>>> Since I upgraded from OpenBSD 7.1 to 7.2 (amd64) I'm no longer able to
>>> use IO::Socket::SSL perl library to connect to some devices (Mikrotik
>>> routers, via their API).
>>>
>>> This is the only debug info I was able to obtain:
>>>
>>> DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed
>>> error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
>>> failure
>
> Maybe try connecting with openssl s_client too? That would help show if
> it's a problem specific to IO::Socket::SSL or something more general.
>
>>> Unfortunately it seems that both perl functions
>>> Net::SSLeay::set_security_level() and
>>> Net::SSLeay::CTX_set_security_level() don't work. I get the following
>>> error. Maybe they are not implemented in our version of Net::SSLeay perl
>>> library?
>
> The security level stuff was only recently added to libressl, it is still
> hidden behind #ifndef for libressl in p5-Net-SSLeay. I think you can set
> it in the ciphers string though, if it is ADH maybe you need something like
> "ADH:ALL:@SECLEVEL=0" (though in that case you would probably be better
> advised to generate and use certificates instead).

I did some searching, and I guess this relates to
https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS.

Interesting that this can be set in IO::Socket::SSL but not (at least as
far as I could check) in Net::SSLeay, which is a dependency of the
former; that led me to understand that it works at a lower level.

Finally, wouldn't setting the security level to zero increase the
chances of having issues, since it allows poor options? I just checked
that in
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

My apologies if all this is too basic. Anyway, good references would be
appreciated.

Thanks in advance,

Alceu
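The two client configurations discussed in this thread, side by side, as an added example (not code from any of the participants): first the verified connection Stuart recommends, where the router has a certificate configured for api-ssl and the client checks it, then the anonymous-DH cipher string he mentions as a fallback. The hostname `router.example`, the port 8729 (assumed RouterOS api-ssl default) and the CA file path are assumptions; replace them with your own values.

```perl
#!/usr/bin/env perl
# Added example, not part of the mailing-list thread. Compares a verified
# TLS connection to a RouterOS api-ssl service with the anonymous-DH
# fallback suggested in the thread. Host, port and CA path are assumptions.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

my $host = 'router.example';   # assumed: address of the Mikrotik device
my $port = 8729;               # assumed: RouterOS api-ssl default port

# Attempt one TLS configuration and report what the handshake negotiated.
# Returns the connected socket, or undef after printing the SSL error text.
sub try_connect {
    my ($label, %ssl_opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost => $host,
        PeerPort => $port,
        Timeout  => 10,
        %ssl_opts,
    );
    if (!$sock) {
        # $SSL_ERROR carries the same message that appeared in the original
        # IO::Socket::SSL debug line ("sslv3 alert handshake failure").
        printf "%s: failed: %s / %s\n", $label,
            ($! || '-'), ($IO::Socket::SSL::SSL_ERROR || '-');
        return;
    }
    printf "%s: ok, %s with cipher %s\n", $label,
        $sock->get_sslversion, $sock->get_cipher;
    return $sock;
}

# Preferred: the router has a certificate configured for api-ssl
# (see "/ip service print") and the client verifies it against a CA
# file exported from the router.
my $sock = try_connect(
    'verified',
    SSL_verify_mode   => SSL_VERIFY_PEER,
    SSL_ca_file       => '/etc/ssl/mikrotik-ca.pem',  # assumed path
    SSL_verifycn_name => $host,
);

# Fallback for an api-ssl service without a certificate (anonymous DH,
# the cipher string from the thread). "@SECLEVEL=0" re-enables cipher
# suites the default security level rejects, and ADH authenticates
# nobody, so this only tells you whether the device is reachable that
# way; it is a diagnostic, not a configuration to keep in production.
$sock ||= try_connect(
    'anonymous-dh',
    SSL_cipher_list => 'ADH:ALL:@SECLEVEL=0',
    SSL_verify_mode => SSL_VERIFY_NONE,
);

exit($sock ? 0 : 1);
```

Run it once against the device; if the `verified` attempt fails but `anonymous-dh` succeeds, the api-ssl service has no certificate configured, which is the situation Stuart describes and the reason the default security level refuses the handshake. Comparing the result with an `openssl s_client` connection, as he also suggests, separates an IO::Socket::SSL-specific problem from a general TLS one.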
