Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 06:06:44PM +, Matt Caswell wrote: > > if (!ssl_security_cert_sig(s, ctx, x, SSL_SECOP_CA_MD | vfy)) > > return SSL_R_CA_MD_TOO_WEAK; > > return 1; > > } > > The exclusion comes in ssl_security_cert_sig - so I think OpenSSL > behaves corr

Re: Question about handshake error

2020-03-11 Thread Matt Caswell
On 11/03/2020 15:31, Viktor Dukhovni wrote: > On Wed, Mar 11, 2020 at 03:12:26PM +, Matt Caswell wrote: > >>> The signature algorithm security level is not expected to be enforced >>> on self-signed certificates (root CAs). How is it happening here? >> >> It isn't. In this case the client

Re: Question about handshake error

2020-03-11 Thread Matt Caswell
On 11/03/2020 17:08, Niki Dinsey wrote: > As for going back to the software vendor, I absolutely want to but don't > hold out too much hope they will change anything.  > I'm basically going to say this: > > The certificate chain contains two redundant root certificates, these > should be remove

Re: Question about handshake error

2020-03-11 Thread Niki Dinsey
Thanks Matt for your reply earlier, following your advice I've edited the following line in my openssl.cnf file: CipherString = DEFAULT@SECLEVEL=1 and it now works in s_client and curl: niks@DESKTOP-O2VP5O2:/etc/ssl$ curl https://thankqcrm.accessacloud.com/ /?X-apikey= {"Status":"OK","PageIndex"

Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 04:57:42PM +, Matt Caswell wrote: > > Matt are you able to confirm whether the below is correct? Perhaps > > I should file a PR to address this if it is... > > I will run some tests to confirm or deny what you think might be > happening. Probably it will be tomorrow b

Re: Question about handshake error

2020-03-11 Thread Matt Caswell
On 11/03/2020 16:56, Viktor Dukhovni wrote: > On Wed, Mar 11, 2020 at 03:12:26PM +, Matt Caswell wrote: > >>> The signature algorithm security level is not expected to be enforced >>> on self-signed certificates (root CAs). How is it happening here? >> >> It isn't. In this case the client

Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 03:12:26PM +, Matt Caswell wrote: > > The signature algorithm security level is not expected to be enforced > > on self-signed certificates (root CAs). How is it happening here? > > It isn't. In this case the client is openssl but the server is unknown. > The problem

Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote: > I think the server could be OpenSSL, because why I made sure that s/why/while/. > self-signed CA signatures are not subjected to security levels in > x509_vfy.c, the same exclusion does not appear to be present in: > > int s

Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 03:12:26PM +, Matt Caswell wrote: > > The signature algorithm security level is not expected to be enforced > > on self-signed certificates (root CAs). How is it happening here? > > It isn't. In this case the client is openssl but the server is unknown. > The problem

Re: Question about handshake error

2020-03-11 Thread Matt Caswell
On 11/03/2020 15:08, Viktor Dukhovni wrote: > On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > >> I would recommend that the server operator removes both copies of the >> root cert from its cert chain. Hopefully this should then mean that it >> does not see the SHA1 root and will

Re: Question about handshake error

2020-03-11 Thread Viktor Dukhovni
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > I would recommend that the server operator removes both copies of the > root cert from its cert chain. Hopefully this should then mean that it > does not see the SHA1 root and will therefore continue the handshake. If > you can't get

Re: Question about handshake error

2020-03-11 Thread Kurt Roeckx
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > > Debian 10 omits all the SHA1 entries from the above list. Note that > Debian 10 will only allow SHA1 if the security level is explicitly set > to 0 (via the -cipher "DEFAULT:@SECLEVEL=0" command line arg). Probably > because the deb

Re: Question about handshake error

2020-03-11 Thread Kurt Roeckx
On Wed, Mar 11, 2020 at 12:15:32PM +, Matt Caswell wrote: > > I *think* what is happening is the server is checking the chain it has > been configured with, spotting that it includes a SHA1 based signature > and therefore refusing to respond at all because the client has not > indicated SHA1 s

Re: Question about handshake error

2020-03-11 Thread Matt Caswell
On 11/03/2020 08:56, Niki Dinsey wrote: > openssl s_client -connect thankqcrm.accessacloud.com:443 > > > * Debian 10 + 1.1.1d - Handshake Error > * Debian 9 + 1.1.0l - Working > * Ubuntu 18.04 + 1.1.1 11 Sep 2018 - Working > * Ubuntu 19.10 + 1.1.1c 28

Re: Question about handshake error

2020-03-11 Thread Niki Dinsey
I'm lost. Again, thanks for your replies and help. Niki On Tue, 10 Mar 2020 at 18:03, Sergio NNX wrote: > It seems to work fine here! > > -- > *From:* openssl-users on behalf of > Matt Caswell >

Re: Question about handshake error

2020-03-10 Thread Sergio NNX
On 10/03/2020 17:05, Niki Dinsey wrote: > Hi there, I have an issue I can't seem to work out the answer to. > > Server: thankqcrm.accessacloud.com <http://thankqcrm.accessacloud.com> > > root@willis:~# openssl version > OpenSSL 1.1.

Re: Question about handshake error

2020-03-10 Thread Matt Caswell
On 10/03/2020 17:05, Niki Dinsey wrote: > Hi there, I have an issue I can't seem to work out the answer to. > > Server: thankqcrm.accessacloud.com > > root@willis:~# openssl version > OpenSSL 1.1.1d  10 Sep 2019 > root@willis:~# openssl s_client -connect tha

Question about handshake error

2020-03-10 Thread Niki Dinsey
Hi there, I have an issue I can't seem to work out the answer to. Server: thankqcrm.accessacloud.com root@willis:~# openssl version OpenSSL 1.1.1d 10 Sep 2019 root@willis:~# openssl s_client -connect thankqcrm.accessacloud.com:443 CONNECTED(0004) 140151269360768:error:14094410:SSL routines:s