
OpenSSL v1.1.1 Ubuntu 20 TLSv1 - no protocols available


In Ubuntu 20.04, through a VPN, I can no longer access a server, which uses the TLSv1 protocol.

In Ubuntu 18.04, it was working.

First I connect to the VPN via SNX and then I use a program that accesses the server.

I did some tests with openssl to highlight this problem. Is it possible to solve this? I believe that my problem may have to do with the same issue reported at https://github.com/curl/curl/issues/4097.

I think OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol has to do with my problem, but it's different because it doesn't have the problem "no protocols available".

When I test with openssl, I get the error "unsupported protocol", but when I test with openssl forcing TLSv1 I get the error "no protocols available".

Details of the tests:

Ubuntu 18.04:

Package: openssl
-> Version: 1.1.1-1ubuntu2.1~18.04.5

openssl s_client -connect host:port
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").

openssl s_client -connect host:port -tls1
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1.").

openssl s_client -connect host:port -tls1_1
-> 139786161414592:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:

openssl s_client -connect host:port -tls1_2
-> 139786161414592:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:

Ubuntu 20.04:

Package: openssl
-> Version: 1.1.1f-1ubuntu2

openssl s_client -connect host:port
-> 140253162648896:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

openssl s_client -connect host:port -tls1
-> 139722831217984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:

openssl s_client -connect host:port -tls1_1
-> 139923839911232:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:

openssl s_client -connect host:port -tls1_2
-> 139862992581952:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

Ubuntu 18.04 - Detailed successful connection:

my@machine:~$ openssl s_client -connect my.domain:9023 -tls1
CONNECTED(00000005)
depth=2 C = XX, O = XXXXXX, OU = ICP-XX, CN = AC XXXXX vX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s: C = XX, ST = XX, L = XXXXXX, O = XXXXXXXX, OU = XXXXXXXXXXX XXXXX, CN = xxx.com
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 1 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 2 s: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i: C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
---
Server certificate
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
subject=X = XX, ST = XX, L = XXXXXX, O = XXXXXXX, OU = XXXXXXXX, CN = mydomain.com

issuer=C = XX, O = XXXXXXXXXX, OU = ICP-XX, CN = AC XXXXXXXXXXXXXXXXXXXXX

---
No client certificate CA names sent
---
SSL handshake has read 4604 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol: TLSv1
    Cipher: AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1588445847
    Timeout: 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

Ubuntu 20.04 - Detailed unsuccessful connection:

my@machine:~/Documents/$ openssl s_client -connect my.domain:9023
CONNECTED(00000003)
139912319178048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 4545 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

my@machine:~/Documents/study$ openssl s_client -connect my.domain:9023 -tls1
CONNECTED(00000003)
140581447836992:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
-

Solution

  • I've just solved my problem with https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

    Just quoting this link:

    You need to add this to the beginning of your config file:

    openssl_conf = default_conf
    

    And then this to the end:

    [ default_conf ]
    
    ssl_conf = ssl_sect
    
    [ssl_sect]
    
    system_default = ssl_default_sect
    
    [ssl_default_sect]
    MinProtocol = TLSv1
    CipherString = DEFAULT:@SECLEVEL=1
    

    The comment on the above link said:

    Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:
    
    export OPENSSL_CONF=/path/to/my/openssl.cnf
    
    This way you can make changes without having to impact your entire system.
    

    I used the second choice "export OPENSSL_CONF=/path/to/my/openssl.cnf" and it worked perfectly!
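
The per-process variant described in the answer above, as an added shell example that is not part of the original post: it writes the quoted sections to a private config file and sets OPENSSL_CONF for a single command only, so the rest of the system keeps the Ubuntu 20.04 defaults. The function names `write_legacy_conf` and `with_legacy_tls` and the temp-file location are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-process OpenSSL config that re-enables TLSv1.
# Function names and the default path are assumptions, not from the post.

LEGACY_CONF="${LEGACY_CONF:-${TMPDIR:-/tmp}/openssl-legacy-tls1.cnf}"

# Write a minimal config holding only the sections quoted in the answer.
# This is enough for TLS clients; tools such as `openssl req` also need
# the sections of the full system openssl.cnf.
write_legacy_conf() {
    conf=$1
    # Subshell keeps the tighter umask from leaking into the caller.
    (
        umask 077
        cat > "$conf" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF
    )
}

# Run exactly one command with the legacy config. `env` sets OPENSSL_CONF
# for the child process only, so the calling shell and every other process
# keep the stricter distribution defaults.
with_legacy_tls() {
    [ -r "$LEGACY_CONF" ] || write_legacy_conf "$LEGACY_CONF" || return 1
    env OPENSSL_CONF="$LEGACY_CONF" "$@"
}

# Usage (host and port are placeholders):
#   with_legacy_tls openssl s_client -connect host:port -tls1
```

Because the variable is never exported in the calling shell, a later plain `openssl s_client -connect host:port` in the same terminal still fails with the original error, which confirms the relaxed settings are confined to the wrapped command.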