6 events
when what by license comment
Nov 4, 2021 at 21:21 comment added Piotr P. Karwasz I wrongly assumed Ubuntu's and Debian's openssl packages are in sync. Whereas Debian chose to add a MinProtocol default to openssl.cnf, Ubuntu chose a more drastic solution and hardcoded a minimum version of 1.2 into security level 2.
Nov 2, 2021 at 23:13 history edited Nux CC BY-SA 4.0
notes
Nov 2, 2021 at 23:08 comment added Nux I checked and I have default settings for proxy protocol so SSLProxyProtocol all -SSLv3 so that would include TLS1.0. And still connecting to tls1 server didn't work from Ubuntu 20.
Nov 2, 2021 at 22:21 comment added Nux Well when I upgraded from Ubuntu 18 to 20 this worked out of the box. And I didn't have to change anything in my Apache conf. And also curl started to work (and before this change it reported "unsuported protocol"). So it does change supported protocol versions. But yes, you are right that the change is global.
Nov 2, 2021 at 21:21 comment added Piotr P. Karwasz There are a couple of problems with your solution: 1. you are not changing the protocol settings, but the list of ciphersuites (MinProtocol and MaxProtocol change the protocols), 2. you are changing the default configuration of all software using OpenSSL, not just the settings of the proxy connection, 3. most software (including Apache2) always override these default settings. For Apache2 see the SSLProxyProtocol directive.
Nov 2, 2021 at 20:07 history answered Nux CC BY-SA 4.0