Sunday, December 11, 2022

Re: Problems with IO::Socket::SSL since upgraded to 7.2

On 2022-12-11, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> On 2022-12-10, Alceu Rodrigues de Freitas Junior <glasswalk3r@yahoo.com.br> wrote:
>> If I read correctly, the Mikrotik is using an SSLv3 certificate, which I
>> guess shouldn't be in use anymore.
>
> There's no such thing as "an SSLv3 certificate", they are all just X.509
> certs. The sslv3 refers to the type of alert, sslv3 alerts are still
> used in TLS; SSLv3 itself hasn't been supported for years.
>
> It doesn't necessarily use a certificate anyway, it may well be using
> ADH for this. Federico, do you have a cert configured for the api-ssl
> service on the routeros device, in "/ip service print"?
>
>> On 10/12/2022 17:01, Federico Giannici wrote:
>>> Since I upgraded from OpenBSD 7.1 to 7.2 (amd64) I'm no longer able to
>>> use IO::Socket::SSL perl library to connect to some devices (Mikrotik
>>> routers, via their API).
>>>
>>> This is the only debug info I was able to obtain:
>>>
>>> DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed
>>> error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
>>> failure
>
> Maybe try connecting with openssl s_client too? That would help show if
> it's a problem specific to IO::Socket::SSL or something more general.
>
>>> Unfortunately it seems that both perl functions
>>> Net::SSLeay::set_security_level() and
>>> Net::SSLeay::CTX_set_security_level() don't work. I get the following
>>> error. Maybe they are not implemented in our version of Net::SSLeay perl
>>> library?
>
> The security level stuff was only recently added to libressl, it is still
> hidden behind #ifndef for libressl in p5-Net-SSLeay. I think you can set
> it in the ciphers string though, if it is ADH maybe you need something like
> "ADH:ALL:@SECLEVEL=0" (though in that case you would probably be better
> advised to generate and use certificates instead).
>

Also maybe if you show the code you're running it might be easier to
make suggestions.

--
Please keep replies on the mailing list.
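The two checks suggested in this thread, a plain connect and a retry with the ADH cipher string, written out as an added example; this script is not from the original posts or from the IO::Socket::SSL or RouterOS projects. The host address and the api-ssl port 8729 are assumptions, as is the use of `Net::SSLeay->can` to detect whether the security-level wrappers were compiled in. Note that ADH authenticates nobody: the retry has to disable certificate verification, so a connection that only works this way is open to man-in-the-middle attacks, which is why the reply above recommends configuring a certificate on the device instead.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: probe a RouterOS api-ssl endpoint
# with IO::Socket::SSL, first with default verification, then with the
# "ADH:ALL:@SECLEVEL=0" cipher string. Host and port below are assumptions.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
use Net::SSLeay;

my $host = shift // '192.0.2.1';   # assumed router address (TEST-NET-1)
my $port = shift // 8729;          # assumed api-ssl port

# Setting DEBUG=3 reproduces the "DEBUG: .../IO/Socket/SSL.pm:..." lines
# quoted in the original report.
$IO::Socket::SSL::DEBUG = $ENV{SSL_DEBUG} ? 3 : 0;

# Net::SSLeay only compiles the security-level wrappers when the linked
# TLS library exposes them; here we just report whether they exist.
for my $fn (qw(set_security_level CTX_set_security_level)) {
    printf "Net::SSLeay::%s is %s\n", $fn,
        Net::SSLeay->can($fn) ? 'available' : 'not compiled in';
}

# Attempt a TLS connection with the given extra options and report what
# was negotiated, or the library error string on failure.
sub try_connect {
    my (%opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost => $host,
        PeerPort => $port,
        Timeout  => 5,
        %opts,
    );
    if ($sock) {
        printf "connected: %s %s\n", $sock->get_sslversion, $sock->get_cipher;
        # With an anonymous cipher the server sends no certificate at all.
        print $sock->peer_certificate
            ? "server presented a certificate\n"
            : "server presented NO certificate (anonymous cipher)\n";
        return $sock;
    }
    printf "failed: %s\n", $IO::Socket::SSL::SSL_ERROR // $!;
    return;
}

# 1. Default behaviour: verify the server certificate against the CA store.
my $sock = try_connect(SSL_verify_mode => SSL_VERIFY_PEER);

# 2. On a handshake failure, retry allowing anonymous DH with the security
#    level lowered in the cipher string. ADH gives no server authentication,
#    so verification must be off and the link is exposed to MITM.
if (!$sock && ($IO::Socket::SSL::SSL_ERROR // '') =~ /handshake failure/) {
    print 'retrying with ADH:ALL:@SECLEVEL=0 (no server authentication!)', "\n";
    $sock = try_connect(
        SSL_cipher_list => 'ADH:ALL:@SECLEVEL=0',
        SSL_verify_mode => SSL_VERIFY_NONE,
    );
}

$sock->close if $sock;
```

If the second attempt succeeds where the first fails, and the output reports no certificate, the device is relying on anonymous DH and the fix belongs on the router (configure a certificate for the api-ssl service) rather than in the perl code. The same pair of attempts can be made outside perl with `openssl s_client -connect host:port`, with and without `-cipher 'ADH:ALL:@SECLEVEL=0'`, which separates an IO::Socket::SSL problem from a general TLS one.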
