OpenSSL v1.1.1 Ubuntu 20 TLSv1 - no protocols available

野性不改 2020-12-16 06:17

In Ubuntu 20.04, through a VPN, I can no longer access a server, which uses the TLSv1 protocol.

In Ubuntu 18.04, it was working.

First I connect to the VPN v

3 answers
  • 2020-12-16 06:59

    If you get error 14187180 like I did after trying the above answer https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level (or otherwise), you might like to try --dtls-ciphers=LEGACY with openconnect. I needed to both downgrade to TLSv1.1 as above (MinProtocol = TLSv1.1) and add this to connect to a customer's Cisco AnyConnect VPN.

    echo password | OPENSSL_CONF=/etc/ssl/openssl_tls_1_0.cnf openconnect -v -g VPNGROUP -u username --dtls-ciphers=LEGACY --passwd-on-stdin vpn.domain
    
  • 2020-12-16 07:15

    I've just solved my problem with - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

    Just quoting this link:

    You need to add this to the beginning of your config file:

    openssl_conf = default_conf
    

    And then this to the end:

    [ default_conf ]
    
    ssl_conf = ssl_sect
    
    [ssl_sect]
    
    system_default = ssl_default_sect
    
    [ssl_default_sect]
    MinProtocol = TLSv1
    CipherString = DEFAULT:@SECLEVEL=1
    

    The comment on the above link said:

    Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:
    
    export OPENSSL_CONF=/path/to/my/openssl.cnf
    
    This way you can make changes without having to impact your entire system.
    

    I used the second choice, "export OPENSSL_CONF=/path/to/my/openssl.cnf", and it worked perfectly!

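An added example, not part of the answer above or of the linked Ask Ubuntu post: a small Python audit that follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain in an OpenSSL config file and reports the protocol floor and security level it sets, so you can confirm that a lowered floor lives only in a per-process copy and not in the system-wide file. The names `parse_cnf`, `tls_floor`, `is_weakened` and `SAMPLE_CNF` are hypothetical, and treating anything under security level 2 as weakened is an assumption of this example.

```python
import re

# Constructed sample: the settings quoted in the answer above, not a real system file.
SAMPLE_CNF = """\
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]*?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def tls_floor(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return (MinProtocol, SECLEVEL)."""
    s = parse_cnf(text)
    node = s[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        node = s.get(node, {}).get(key)  # a missing link leaves node as None
    defaults = s.get(node, {})
    level = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    return defaults.get("MinProtocol"), int(level.group(1)) if level else None

def is_weakened(text, legacy=("SSLv3", "TLSv1", "TLSv1.1")):
    """True if the file sets a legacy protocol floor or a security level below 2 (assumed threshold)."""
    proto, level = tls_floor(text)
    return proto in legacy or (level is not None and level < 2)
```

Run `is_weakened(open("/etc/ssl/openssl.cnf").read())` against the system-wide file and against the copy that `OPENSSL_CONF` points to; only the copy should come back `True`.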
  • 2020-12-16 07:16

    Server supports TLSv1 and not TLSv1.1 and above

    Ubuntu 20.x openssl version does not support TLSv1 and below.

    It could be that the openssl.cnf file has been updated to add more secure connection defaults. It depends on the OS and the flavor.

    Determine the location of the configuration file (for openssl for your flavor of Linux) and figure out if there are any restrictions on lowering the TLS versions or what it is set up to by default.

    Try the following to see if the server supports TLSv1.1 and above:

     nmap --script ssl-enum-ciphers -p 443 your_host_name
    

    Check the output to see the ciphers and the corresponding versions.

    | ssl-enum-ciphers:
    | TLSv1.0:
    | ciphers:
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - strong
    | compressors:
    | NULL
    | TLSv1.1:
    | ciphers:
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - strong
    