16

In Ubuntu 20.04, through a VPN, I can no longer access a server, which uses the TLSv1 protocol.

In Ubuntu 18.04, it was working.

First I connect to the VPN via SNX and then I use a program that accesses the server.

I did some tests with openssl to highlight this problem. Is it possible to solve this? I believe that my problem may have to do with the same reported at https://github.com/curl/curl/issues/4097.

I think OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol has to do with my problem, but it's different because it doesn't have the problem "no protocols available".

When I test with openssl, I get the error "unsupported protocol", but when I test with openssl forcing TLSv1 I get the error "no protocols available".

Details of the tests:

Ubuntu 18.04:

Package: openssl
-> Version: 1.1.1-1ubuntu2.1~18.04.5

openssl s_client -connect host:port
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1").

openssl s_client -connect host:port -tls1
-> works - TLSv1 ("SSL-Session: Protocol: TLSv1").

openssl s_client -connect host:port -tls1_1
-> 139786161414592:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:

openssl s_client -connect host:port -tls1_2
-> 139786161414592:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:

Ubuntu 20.04:

Package: openssl
-> Version: 1.1.1f-1ubuntu2

openssl s_client -connect host:port
-> 140253162648896:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

openssl s_client -connect host:port -tls1
-> 139722831217984:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:

openssl s_client -connect host:port -tls1_1
-> 139923839911232:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:

openssl s_client -connect host:port -tls1_2
-> 139862992581952:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

Ubuntu 18.04 - Successful connection, detailed:

my@machine:~$ openssl s_client -connect my.domain:9023 -tls1
CONNECTED(00000005)
depth=2 C = XX, O = XXXXXX, OU = ICP-XX, CN = AC XXXXX vX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = XX, ST = XX, L = XXXXXX, O = XXXXXXXX, OU = XXXXXXXXXXX XXXXX, CN = xxx.com
   i:C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 1 s:C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i:C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
 2 s:C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
   i:C = XX, O = XXXXXXXX., OU = ICP-XX, CN = AC XXXXX vX
---
Server certificate
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
subject=C = XX, ST = XX, L = XXXXXX, O = XXXXXXX, OU = XXXXXXXX, CN = mydomain.com

issuer=C = XX, O = XXXXXXXXXX, OU = ICP-XX, CN = AC XXXXXXXXXXXXXXXXXXXXX

---
No client certificate CA names sent
---
SSL handshake has read 4604 bytes and written 449 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1588445847
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---

Ubuntu 20.04 - Unsuccessful connection, detailed:

my@machine:~/Documents/$ openssl s_client -connect my.domain:9023
CONNECTED(00000003)
139912319178048:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 4545 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

my@machine:~/Documents/study$ openssl s_client -connect my.domain:9023 -tls1
CONNECTED(00000003)
140581447836992:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:

Felipe Windmoller

5 Answers

41

I've just solved my problem with - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

Just quoting this link:

You need to add this to the beginning of your config file:

openssl_conf = default_conf

And then this to the end:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

The comment on the above link said:

Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:

export OPENSSL_CONF=/path/to/my/openssl.cnf

This way you can make changes without having to impact your entire system.

I used the second choice, "export OPENSSL_CONF=/path/to/my/openssl.cnf", and it worked perfectly!

Felipe Windmoller
  • 2
    I hope that none of these servers and clients are visible to the internet. Lowering the TLS version is not recommended. – Khanna111 May 03 '20 at 03:05
  • 2
    Thanks, I was struggling with this issue for about 10 hours. After typing a very detailed question, Stack Overflow showed me yours. – Bruno Lamps Jun 03 '20 at 21:54
  • 1
    @felipewind you should mark your own answer as an accepted one to show others that your problem has been solved. Thank you for this post and solution! – Aleksei Chernenkov Aug 27 '20 at 10:08
  • How to force reload of that conf'?? – Rafael Jan 29 '21 at 15:36
  • 1
    On Ubuntu 20.04, for some reason I needed to do this _and_ update `openssl`. I followed these instructions: https://fedingo.com/how-to-install-openssl-in-ubuntu/ but replaced `1.1.1c` with (the current latest version) `1.1.1m`. – dmn Feb 01 '22 at 16:35
8

The solution that worked for me was to create an openssl_tls1.cnf containing:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

Then setting OPENSSL_CONF=/path/to/openssl_tls1.cnf allows connecting with the lower protocol, as in

OPENSSL_CONF=openssl_tls1.cnf wget https://foo.bar
  • 2
    I was having trouble figuring out what to put where to use Felipe's answer. I couldn't edit or comment on his answer so I'm adding my own to hopefully help someone else. – Michael Lohrer Apr 27 '21 at 14:07
  • Thanks, your explanation will help indeed. – Felipe Windmoller Apr 28 '21 at 15:31
    That was it! In my case, the error started occurring when specifying a JupyterHub Docker image beyond 1.1.1 (which still uses the older openssl 1.1.1, which doesn't need this) and the cause turns out to be the same. Thanks for putting an end to hours of debugging. – reinierpost May 30 '21 at 13:19
7

Server supports TLSv1 and not TLSv1.1 and above

Ubuntu 20.x openssl version does not support TLSv1 and below.

It could be that the openssl.cnf file has been updated to add more secure connection defaults. It depends on the OS and the flavor.

Determine the location of the configuration file (for openssl on your flavor of Linux) and figure out if there are any restrictions on lowering the TLS versions or what it is set up to by default.

Try the following to see if the server supports TLSv1.1 and above:

nmap --script ssl-enum-ciphers -p 443 your_host_name

Check the output to see the ciphers and the corresponding versions.

| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
Khanna111
  • 1
    I did the test, it seems it's only TLSv1. Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 22:07 -03 Nmap scan report for my.domain (999.999.999.999) Host is up (0.019s latency). PORT STATE SERVICE 9023/tcp open swa-1 | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | warnings: | Forward Secrecy not supported by any cipher |_ least strength: A – Felipe Windmoller May 03 '20 at 01:28
  • 1
    Makes sense. And it seems that the openssl.cnf update did the trick. – Khanna111 May 03 '20 at 03:04
  • 1
    They are not just defaults - I've found no way to override them on the command line. `openssl s_client -tls1` doesn't complain but silently refuses to actually use TLS 1.0. At least, I didn't gather that it does from the messages it returns. – reinierpost May 30 '21 at 16:43
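An added example, not part of this answer or the thread: a small parser for the `ssl-enum-ciphers` output above that lists the protocol versions and cipher suites the server offers and compares them with the client's `MinProtocol`, so the mismatch the comments describe (server stuck at TLSv1.0, Ubuntu 20.04 client floor of TLSv1.2) can be spotted from an inventory scan rather than by trial and error. The sample scan is constructed from the output pasted in Felipe's comment; `parse_ssl_enum_ciphers`, `highest_version` and `client_can_connect` are this example's own names.

```python
"""Parse nmap ssl-enum-ciphers output and check it against a client's MinProtocol.

Added example; not from the answer or from nmap itself. Works offline on pasted
scan text; no network access is needed.
"""
import re

# Version ladder shared by nmap's names and the openssl.cnf MinProtocol values.
_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_VERSION_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
_CIPHER_RE = re.compile(r"^(TLS_\S+|SSL_\S+)")


def parse_ssl_enum_ciphers(text):
    """Return {version: {"ciphers": [...], "warnings": [...]}} from the script output."""
    result = {}
    version = None
    section = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's "| " and "|_" prefixes
        m = _VERSION_RE.match(line)
        if m:
            version = m.group(1)
            result[version] = {"ciphers": [], "warnings": []}
            section = None
            continue
        if version is None:
            continue  # port table and other lines before the first version block
        if line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]
            continue
        if line.startswith("cipher preference") or line.startswith("least strength"):
            section = None
            continue
        if section == "ciphers":
            cm = _CIPHER_RE.match(line)
            if cm:
                result[version]["ciphers"].append(cm.group(1))
        elif section == "warnings" and line:
            result[version]["warnings"].append(line)
    return result


def highest_version(parsed):
    """Highest protocol version the server offered, or None if nothing was parsed."""
    offered = [v for v in _ORDER if v in parsed]
    return offered[-1] if offered else None


def _normalize(name):
    # openssl.cnf spells TLS 1.0 as "TLSv1"; nmap spells it "TLSv1.0".
    return "TLSv1.0" if name == "TLSv1" else name


def client_can_connect(parsed, client_min_protocol):
    """True if the server offers any version at or above the client's MinProtocol."""
    floor = _ORDER.index(_normalize(client_min_protocol))
    return any(_ORDER.index(v) >= floor for v in parsed)


# Constructed sample, reproducing the scan pasted in Felipe's comment (indentation restored).
SAMPLE_SCAN = """\
PORT     STATE SERVICE
9023/tcp open  swa-1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: A
"""


def report(text, client_min_protocol="TLSv1.2"):
    """Summarise a scan against a client floor; returns (highest, compatible, warnings)."""
    parsed = parse_ssl_enum_ciphers(text)
    warnings = [w for v in parsed.values() for w in v["warnings"]]
    return highest_version(parsed), client_can_connect(parsed, client_min_protocol), warnings


if __name__ == "__main__":
    top, ok, warns = report(SAMPLE_SCAN)
    print(f"server max: {top}; reachable with MinProtocol=TLSv1.2: {ok}")
    for w in warns:
        print("warning:", w)
```

Run against the scan in the comment, the report shows the server tops out at TLSv1.0 and is unreachable with the Ubuntu 20.04 default floor, while `client_can_connect(parsed, "TLSv1")` confirms the per-process `MinProtocol = TLSv1` config is the minimum change that restores the connection. The captured warning (no forward secrecy) is the kind of finding worth tracking until the server side is upgraded.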
1

If you get error 14187180 like I did after trying the above answer https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level (or otherwise), you might like to try the --dtls-ciphers=LEGACY option with openconnect. I needed to both downgrade to TLSv1.1 as above (MinProtocol = TLSv1.1) and add this to connect to a customer's Cisco AnyConnect VPN.

echo password | OPENSSL_CONF=/etc/ssl/openssl_tls_1_0.cnf openconnect -v -g VPNGROUP -u username --dtls-ciphers=LEGACY --passwd-on-stdin vpn.domain
Woody
0

For bare openssl, it might be simpler to use the cipher string directly instead of setting OPENSSL_CONF:

openssl s_client -cipher DEFAULT@SECLEVEL=1 -tls1 -connect $host:$port
P. B.