HTTPS: unsupported protocol [OpenSSL::SSL::SSLError]
Hello, I have an old device which uses HTTPS. With Firefox, I'm able to re-enable deprecated TLS to gain access to it. But with Oxidized, how do I do this? The device redirects HTTP to HTTPS.
2024-04-26 14:25:46 UTC
SSL_connect returned=1 errno=0 peeraddr=10.1.11.54:443 state=error: unsupported protocol [OpenSSL::SSL::SSLError]
--------------------------------------------------
/usr/lib/ruby/3.0.0/net/protocol.rb:46:in `connect_nonblock'
/usr/lib/ruby/3.0.0/net/protocol.rb:46:in `ssl_socket_connect'
/usr/lib/ruby/3.0.0/net/http.rb:1038:in `connect'
/usr/lib/ruby/3.0.0/net/http.rb:970:in `do_start'
/usr/lib/ruby/3.0.0/net/http.rb:959:in `start'
/usr/lib/ruby/3.0.0/net/http.rb:621:in `start'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/input/http.rb:76:in `make_request'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/input/http.rb:57:in `get_http'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/input/http.rb:44:in `cmd_str'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/input/http.rb:35:in `cmd'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/model/model.rb:122:in `cmd'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/model/model.rb:172:in `block in get'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/model/model.rb:171:in `each'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/model/model.rb:171:in `get'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/input/cli.rb:14:in `get'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/node.rb:70:in `run_input'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/node.rb:47:in `block in run'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/node.rb:41:in `each'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/node.rb:41:in `run'
/var/lib/gems/3.0.0/gems/oxidized-0.30.1/lib/oxidized/job.rb:10:in `block in initialize'
I've made some tests.
My device seems to use:
- OpenSSL 0.9.8
- Protocol: TLSv1
- Cipher: DHE-RSA-AES256-SHA
Firefox indicates protocol TLSv1 & cipher TLS_RSA_WITH_AES_128_CBC_SHA
When I run "openssl s_client -connect 10.1.11.54:443 -cipher DHE-RSA-AES256-SHA" from:
- CentOS 5 - OpenSSL 0.9.8: it works
- Mac OS X 10.13 - LibreSSL 2.2.7: it works
- Ubuntu 22 - OpenSSL 3.0.2: it fails (my Oxidized server)
So it's not an Oxidized problem, it's an OpenSSL problem.
I found a possible solution here: https://github.com/eclipse/mosquitto/issues/2779 I tested values 1 and 0, and it works. So the problem is that my device uses a 1024-bit key... (value 2 needs a 2048-bit key)
Do you think it's possible to change the OpenSSL configuration only for Oxidized?
I upgraded to the latest version of the Oxidized Docker image: it does not work anymore.
The old Docker image (latest version installed in May or June) uses Debian Bookworm with OpenSSL 3.0.2 15 Mar 2022.
The new Docker image (installed this week) uses Debian Trixie with OpenSSL 3.0.13 30 Jan 2024.
I found a solution here.
In /etc/ssl/openssl.cnf, I replaced:
[openssl_init]
providers = provider_sect
with:
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = ALL@SECLEVEL=0
"ALL@SECLEVEL=0" or "DEFAULT@SECLEVEL=0" works. You must restart the Docker image afterwards.
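
Added example, not part of the original thread and not Oxidized's own code: the openssl.cnf edit above lowers the TLS floor for every OpenSSL client in the container, whereas the same two settings can be applied per connection in Ruby so that only the legacy device is affected. The helper names and the allowlist are hypothetical, and the sketch assumes the calling code builds its own `Net::HTTP` object.

```ruby
require 'net/http'
require 'openssl'

# Constructed sample allowlist: only these devices get the weakened settings.
LEGACY_TLS_HOSTS = ['10.1.11.54'].freeze

# Hypothetical helper (not an Oxidized API): build an HTTPS client whose
# protocol floor and security level are lowered only for allowlisted hosts.
def https_client_for(host, port = 443, legacy_hosts: LEGACY_TLS_HOSTS)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  if legacy_hosts.include?(host)
    # Per-connection equivalent of MinProtocol / CipherString in openssl.cnf.
    http.min_version = :TLS1
    http.ciphers = 'DEFAULT@SECLEVEL=0'
  end
  http
end

# Summarise the policy a client will connect with, e.g. for an audit log.
def tls_policy(http)
  { host: http.address,
    min_version: http.min_version || :openssl_default,
    ciphers: http.ciphers || :openssl_default }
end

if __FILE__ == $PROGRAM_NAME
  ['10.1.11.54', '192.0.2.10'].each { |h| p tls_policy(https_client_for(h)) }
end
```

Hosts outside the allowlist keep whatever the system-wide OpenSSL configuration enforces, so the 1024-bit key and TLSv1 exception stays confined to the one device that needs it.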