On 11/12/2022 07:34, Stuart Henderson wrote:
On 2022-12-10, Alceu Rodrigues de Freitas Junior <glasswal...@yahoo.com.br> 
wrote:
If I read correctly, the Mikrotik is using an SSLv3 certificate, which I
guess shouldn't be in use anymore.

There's no such thing as "an SSLv3 certificate", they are all just X.509
certs. The sslv3 refers to the type of alert, sslv3 alerts are still
used in TLS; SSLv3 itself hasn't been supported for years.

That's quite confusing. Since SSLv3 was deprecated, I assumed the router mentioned was quite old and that this was the reason it was failing with newer versions of OpenBSD.

It doesn't necessarily use a certificate anyway, it may well be using
ADH for this. Federico, do you have a cert configured for the api-ssl
service on the routeros device, in "/ip service print"?

And now I'm even more confused; it looks like I still can't get my head around OpenSSL. Looking here:

https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS

The certificate may define the ciphers it accepts, but what does "It doesn't necessarily use a certificate anyway" mean, and what is its relation to the ADH cipher?

On 10/12/2022 17:01, Federico Giannici wrote:
Since I upgraded from OpenBSD 7.1 to 7.2 (amd64) I'm no longer able to
use IO::Socket::SSL perl library to connect to some devices (Mikrotik
routers, via their API).

This is the only debug info I was able to obtain:

DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed
error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
failure

Maybe try connecting with openssl s_client too? That would help show if
it's a problem specific to IO::Socket::SSL or something more general.

Unfortunately it seems that both perl functions
Net::SSLeay::set_security_level() and
Net::SSLeay::CTX_set_security_level() don't work. I get the following
error. Maybe they are not implemented in our version of Net::SSLeay perl
library?

The security level stuff was only recently added to libressl, it is still
hidden behind #ifndef for libressl in p5-Net-SSLeay. I think you can set
it in the ciphers string though, if it is ADH maybe you need something like
"ADH:ALL:@SECLEVEL=0" (though in that case you would probably be better
advised to generate and use certificates instead).

I did some search and so I guess this relates to https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-STRINGS.

Interesting that this can be set in IO::Socket::SSL but not (at least as far as I could check) in Net::SSLeay, which is a dependency of the former, which leads me to believe it works at a lower level.

Finally, wouldn't setting the security level to zero increase the chances of having issues, since it allows poor options? I just checked that in https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

My apologies if all this is too basic. Anyway good references would be appreciated.

Thanks in advance,

Alceu
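The following is an added example, not code posted in this thread: a small Perl probe built on the same IO::Socket::SSL library Federico is using. It tries the api-ssl endpoint three ways so that a trust failure, a plain handshake failure and a "works only with anonymous DH" result can be told apart, and it passes Stuart's suggested cipher string through SSL_cipher_list (which IO::Socket::SSL hands to Net::SSLeay::CTX_set_cipher_list) rather than through the unavailable set_security_level() binding. The host address is a placeholder; port 8729 is assumed to be the RouterOS api-ssl port, so confirm it against "/ip service print" on the device.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: probe a RouterOS api-ssl
# endpoint with IO::Socket::SSL in three steps that separate
# "certificate verification failed" from "the handshake itself failed"
# from "the handshake only succeeds with anonymous DH".
#
# Assumptions: the host is a placeholder; port 8729 is assumed to be
# the RouterOS api-ssl port (check "/ip service print" on the device).
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

my $host = $ARGV[0] // '192.0.2.1';   # placeholder address (TEST-NET-1)
my $port = $ARGV[1] // 8729;          # assumed api-ssl port

# Each attempt: label, cipher list (undef = library default), verify mode.
my @attempts = (
    # 1. Plain TLS with peer verification: succeeds only if the device
    #    presents a certificate we trust (a private CA would need
    #    SSL_ca_file as well).
    [ 'default ciphers, verify peer',   undef,                 SSL_VERIFY_PEER ],
    # 2. Same handshake with verification off: separates handshake
    #    failures from trust failures. A server certificate is still
    #    required for these cipher suites.
    [ 'default ciphers, no verify',     undef,                 SSL_VERIFY_NONE ],
    # 3. Anonymous DH at security level 0 (Stuart's suggestion). No
    #    certificate is involved, so the peer cannot be authenticated at
    #    all; this is a diagnostic, not a configuration to keep.
    #    IO::Socket::SSL passes the string to Net::SSLeay::CTX_set_cipher_list,
    #    which is why "@SECLEVEL=0" can take effect even where the
    #    set_security_level() binding is not compiled in.
    [ 'ADH:ALL:@SECLEVEL=0, no verify', 'ADH:ALL:@SECLEVEL=0', SSL_VERIFY_NONE ],
);

for my $attempt (@attempts) {
    my ($label, $ciphers, $verify) = @$attempt;
    my %opts = (
        PeerHost        => $host,
        PeerPort        => $port,
        Timeout         => 10,
        SSL_verify_mode => $verify,
    );
    $opts{SSL_cipher_list} = $ciphers if defined $ciphers;

    my $sock = IO::Socket::SSL->new(%opts);
    if ($sock) {
        # Report the negotiated protocol version and cipher suite.
        printf "%-34s OK   %s %s\n", $label,
            $sock->get_sslversion, $sock->get_cipher;
        $sock->close;
    } else {
        # $SSL_ERROR carries the library's own reason, e.g. the
        # "sslv3 alert handshake failure" quoted earlier in the thread.
        printf "%-34s FAIL %s\n", $label,
            $IO::Socket::SSL::SSL_ERROR || $!;
    }
}
```

The same three-way check can be done from the command line with `openssl s_client -connect 192.0.2.1:8729` and then again with `-cipher 'ADH:ALL:@SECLEVEL=0'`, as long as the installed library understands the @SECLEVEL keyword. Two caveats for reading the results: anonymous suites exist only up to TLS 1.2, so a TLS 1.3-only peer will never match the ADH string; and if only the third attempt succeeds, the connection is encrypted but unauthenticated, meaning anyone on the path can impersonate the router. That is exactly why Stuart's advice to configure a certificate for the api-ssl service is the fix to keep, with the ADH string used only to confirm the diagnosis.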