OpenSSL v1.1.1 Ubuntu 20 TLSv 1-无可用协议

uujelgoq  于 2023-01-04  发布在  其他
关注(0)|答案(5)|浏览(414)

在Ubuntu 20.04中,通过VPN,我无法再访问使用TLSv 1协议的服务器。
在Ubuntu 18.04中,它可以正常工作。
首先我通过SNX连接到VPN,然后我使用一个程序访问服务器。
我用openssl做了一些测试来突出这个问题。有可能解决这个问题吗?我相信我的问题可能与https://github.com/curl/curl/issues/4097报告的相同问题有关。
我认为OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol与我的问题有关,但它是不同的,因为它没有“没有可用协议”的问题。
当我用openssl测试时,我得到错误“unsupported protocol",但是当我用openssl强制TLSv 1测试时,我得到错误“no protocols available"。
试验详情:

Ubuntu 18.04版本:

Package: openssl
-> Version: 1.1.1-1ubuntu2.1 ~ 18.04.5

openssl s_client -connect host: port
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").

openssl s_client -connect host: port -tls1
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").

openssl s_client -connect host: port -tls1_1
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:

openssl s_client -connect host: port -tls1_2
-> 139786161414592: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1907:

Ubuntu 20.04版本:

Package: openssl
-> Version: 1.1.1f-1ubuntu2

openssl s_client -connect host: port
-> 140253162648896: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:

openssl s_client -connect host: port -tls1
-> 139722831217984: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:

openssl s_client -connect host: port -tls1_1
-> 139923839911232: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:

openssl s_client -connect host: port -tls1_2
-> 139862992581952: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:

Ubuntu 18.04 -详细连接成功

my@machine: ~ $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000005)
depth = 2 C = XX, O = XXXXXX, OU = ICP-XX, CN = AC XXXXX vX
verify error: num = 19: self signed certificate in certificate chain
---
Certificate chain
 0 s: C = XX, ST = XX, L = XXXXXX, O = XXXXXXXX, OU = XXXXXXXXXXX XXXXX, CN = xxx.com
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 1 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 2 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
---
Server certificate
----- BEGIN CERTIFICATE -----
(...)
-----END CERTIFICATE-----
subject=X = XX, ST = XX, L = XXXXXX, O = XXXXXXX, OU = XXXXXXXX, CN = mydomain.com

issuer=C = XX, O = XXXXXXXXXX, OU = ICP-XX, CN = AC XXXXXXXXXXXXXXXXXXXXX

---
No client certificate CA names sent
---
SSL handshake has read 4604 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol: TLSv1
    Cipher: AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1588445847
    Timeout: 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

Ubuntu 20.04 -连接失败的详细信息:

my@machine: ~ / Documents / $ openssl s_client -connect my.domain: 9023
CONNECTED (00000003)
139912319178048: error: 1425F102: SSL routines: ssl_choose_client_version: unsupported protocol: ../ ssl / statem / statem_lib.c: 1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 4545 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

my@machine: ~ / Documents / study $ openssl s_client -connect my.domain: 9023 -tls1
CONNECTED (00000003)
140581447836992: error: 141E70BF: SSL routines: tls_construct_client_hello: no protocols available: ../ ssl / statem / statem_clnt.c: 1112:
-
vc6uscn9

vc6uscn91#

我刚刚用-https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level解决了问题
只是引用这个链接:
您需要将以下内容添加到配置文件的开头:

openssl_conf = default_conf

然后是这样的结尾:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

上述链接的评论称:

Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:

export OPENSSL_CONF=/path/to/my/openssl.cnf

This way you can make changes without having to impact your entire system.

我使用了第二个选项“导出OPENSSL_CONF=/path/to/my/openssl.cnf”,效果非常好!

yeotifhr

yeotifhr2#

对我有效的解决方案是创建一个openssl_tls1.cnf,其中包含:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

然后设置OPENSSL_CONF=/path/to/openssl_tls1.cnf允许使用较低的协议进行连接,如下所示

OPENSSL_CONF=openssl_tls1.cnf wget https://foo.bar
jqjz2hbq

jqjz2hbq3#

服务器支持TLSv1,不支持TLSv1.1及更高版本
Ubuntu 20.x openssl版本不支持TLSv1及以下版本。

可能是openssl.cnf文件已更新,添加了更安全的连接默认值。这取决于操作系统和风格。
确定配置文件的位置(对于您喜欢的linux版本的openssl),并确定是否存在降低TLS版本的限制或默认设置。

尝试以下操作以查看服务器是否支持TLSv1.1及更高版本:

nmap --script ssl-enum-ciphers -p 443 your_host_name

检查输出以查看密码和相应的版本。

| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
v1uwarro

v1uwarro4#

如果你得到错误14187180像我一样,在尝试了上面的答案https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level(或其他)后,你可能想尝试--dtls-ciphers=LEGACY与openconnect.我需要降级到TLSv1.1如上所述(MinProtocol = TLSv1.1),并添加此连接到客户的思科Anyconnect VPN.

echo password | OPENSSL_CONF=/etc/ssl/openssl_tls_1_0.cnf openconnect -v -g VPNGROUP -u username --dtls-ciphers=LEGACY --passwd-on-stdin vpn.domain
sc4hvdpw

sc4hvdpw5#

对于裸openssl,直接使用密码字符串而不是设置OPENSSL_CONF可能更简单:

openssl s_client -cipher DEFAULT@SECLEVEL=1 -tls1 -connect $host:$port

相关问题