
I'm trying to build OpenCog from here and when I issue this command

octool -rdcpav -l default

It builds everything but it then gets to the step of installing Link-Grammar and this happens

[octool] Installing Link-Grammar....
--2020-06-13 10:09:36--  http://www.abisource.com/downloads/link-grammar/current/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.abisource.com/downloads/link-grammar/current/ [following]
--2020-06-13 10:09:37--  https://www.abisource.com/downloads/link-grammar/current/
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.

I'm on ubuntu 20.04 LTS

Omar Khalid

1 Answer


www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!

This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted answer there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!

UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).

However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:

  • somewhere in the default section, i.e. before the first line beginning with [, add a line

    openssl_conf = openssl_configuration
    

    I like putting it at the very top, but that's just me.

  • technically at any section boundary, but much-easiest at the end, add three new sections:

    [openssl_configuration]
    ssl_conf = ssl_configuration
    [ssl_configuration]
    system_default = tls_system_default
    [tls_system_default]
    CipherString = DEFAULT:@SECLEVEL=1
    

Note that since MinProtocol wasn't already there you don't need to add it (the code default is okay) but you can if you want.

Now it works:

$ wget https://www.abisource.com/
--2020-06-20 05:11:11--  https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’

index.html          100%[===================>]   7.51K  --.-KB/s    in 0.002s

2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]

This is, as you commented, a global change. You can change it for this specific operation by editing your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:

$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21--  https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’

index.html.1        100%[===================>]   7.51K  --.-KB/s    in 0s

2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]
dave_thompson_085
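The answer offers two scopes for the weakened policy: the whole box (edit /etc/ssl/openssl.cnf) or one wget invocation (--ciphers). A third scope, one process, works for any OpenSSL-linked tool, because libssl 1.1.1 reads the file named by the OPENSSL_CONF environment variable at initialisation. The POSIX shell helper below is an added example, not code from the answer, from octool or from OpenSSL: it writes the answer's three sections to a private file, runs a single command under it, and leaves the global file untouched. The function names, the temp-file handling and the cnf_seclevel audit helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the answer or from octool): scope SECLEVEL=1 to one
# process via OPENSSL_CONF instead of editing /etc/ssl/openssl.cnf.
# libssl 1.1.1 reads the file named by OPENSSL_CONF when it initialises, so
# wget, curl, openssl(1) and most other OpenSSL-linked tools honour it with
# no extra flags. Function and file names below are this example's own choices.

# Write a minimal openssl.cnf to "$1" carrying the three sections from the
# answer. An optional "$2" (e.g. TLSv1) adds a MinProtocol line as well.
write_weak_openssl_cnf() {
    out="$1"
    minproto="${2:-}"
    cat > "$out" <<'EOF'
# Private OpenSSL config. Only processes started with OPENSSL_CONF pointing
# here see it; the global /etc/ssl/openssl.cnf keeps its default policy.
openssl_conf = openssl_configuration

[openssl_configuration]
ssl_conf = ssl_configuration

[ssl_configuration]
system_default = tls_system_default

[tls_system_default]
# SECLEVEL=1 (80-bit) accepts 1024-bit DHE/RSA again and, on Ubuntu 20.04,
# lifts the compiled-in TLS 1.2 floor that SECLEVEL=2 imposes there.
CipherString = DEFAULT:@SECLEVEL=1
EOF
    if [ -n "$minproto" ]; then
        printf 'MinProtocol = %s\n' "$minproto" >> "$out"
    fi
}

# Print the SECLEVEL requested by the last CipherString line in an openssl.cnf,
# or "unset" when the file requests none. Handy for checking whether someone
# has already weakened the global file: a stock Ubuntu 20.04 file prints unset,
# because its level-2 default is compiled in rather than written to the file.
cnf_seclevel() {
    lvl="$(sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-9]\).*/\1/p' "$1" | tail -n 1)"
    printf '%s\n' "${lvl:-unset}"
}

# Run "$@" with the weakened policy applied to that one process only, and
# return its exit status. The temporary config is removed afterwards.
# Example: with_weak_tls wget https://www.abisource.com/downloads/link-grammar/current/
with_weak_tls() {
    cfg="$(mktemp)" || return 1
    write_weak_openssl_cnf "$cfg" TLSv1
    OPENSSL_CONF="$cfg" "$@" && rc=0 || rc=$?
    rm -f "$cfg"
    return "$rc"
}
```

Source the file, then either run `with_weak_tls wget <url>` by hand or patch octool's wget line to go through it; `with_weak_tls openssl s_client -connect www.abisource.com:443 -tls1 </dev/null` shows what the server actually negotiates. Afterwards `cnf_seclevel /etc/ssl/openssl.cnf` should still print `unset`, which is the check that the weakening did not leak into the global policy. The same mechanism covers the two-client case raised in the comments: keep the default for the client that needs level 2 and launch only the legacy client with OPENSSL_CONF set.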
  • yes I found that answer, but I didn't find the section [system_default_sect] in `/etc/ssl/openssl.cnf`. Could I just write it and write the MinProtocol and CipherString things? – Omar Khalid Jun 13 '20 at 13:42
  • Based on https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 I assume SECLEVEL=2 prohibits 1024-bit DHE keys. Also change of global configuration file unfortunately lowers the security of the whole box, just for one connection. This should really be last resort. – Patrick Mevzek Jun 13 '20 at 22:09
  • 1
    If the section isn't already there it shouldn't be causing/affecting this issue and so shouldn't need to change. You could strace wget (by itself) to confirm what config it's using. I'll try to set up a new VM and check if I have time in the next few days. – dave_thompson_085 Jun 17 '20 at 06:03
  • 2
    @PatrickMevzek: see edit (if you weren't automatically notified). Cheer. – dave_thompson_085 Jun 20 '20 at 05:20
  • so, we have one connection to SQL database and another to an api. with the default `DEFAULT:@SECLEVEL=2` the api works but the DB fails. if I switch to `DEFAULT:@SECLEVEL=1` the DB works and API fails. how to get both working? – TecHunter Nov 30 '20 at 18:23
  • 1
    @TecHunter: if at least one allows you to configure the cipherstring, use that; IME SQL drivers usually don't, but sw that connects to some kind of API varies enormously. Otherwise if both use the standard config logic, make two config files and use envvar OPENSSL_CONF to point to at least the nonstandard one. If that doesn't work you're probably out of luck unless you can patch at least one of your things, or move at least one to another system (maybe a virtual one). – dave_thompson_085 Dec 02 '20 at 16:24
  • @dave_thompson_085 thanks, in fact we can't figure out why we connect through openssl to SQL Server since we told it `encrypt false`. upgrading the server seems like the fastest way – TecHunter Dec 03 '20 at 08:36