On 24/02/17 16:15, Joseph Southwell wrote: > We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when > we try connecting to a server that previously worked. What does it mean > and how can I figure out how to work around it? I can’t get the server > to change anything and I need to be able to continue connecting to it. > > openssl s_client -connect xxxxxxx.com <http://xxxxxxx.com>:#### > -starttls ftp > > CONNECTED(00000170) > 4960:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert > insufficient security:.\ssl\s23_clnt.c:770:
That is actually quite strange. This is the server sending the OpenSSL client an alert to say that you have insufficient security in your ClientHello. Without access to the server it is quite difficult to tell why. What is strange is the default security has been increased significantly between 0.9.8 and 1.0.2. Possibly some ciphers/parameters that were previously offered are no longer offered by default in 1.0.2 - and therefore the server can't find one it likes. Rich's suggestion is a good one, but unfortunately only applies to version 1.1.0 - it won't work in 1.0.2. You might want to try compiling with the "enable-weak-ssl-ciphers" config option to see if that makes a difference. Alternatively, try and find out what connection params are used when connecting from 0.9.8. That might give you a clue as to what settings are acceptable to the server. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
