On 2024-03-04 11:16:14 [+0100], Maciej Bogucki wrote:
>   When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`

So you get no reply? That is odd. There has to be a reply. A "Connected"
line is something I would have expected. If there is nothing then I
would assume that the port is silently blocked.

…
> from latest rocky linux it is ok
> 
> [bogucki@nsd-ansible ~]$ /usr/bin/openssl  s_client -connect 192.168.92.95:636
> CONNECTED(00000003)

See, that line is missing.

…
> No client certificate CA names sent
> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
> Requested Signature Algorithms: 
> RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
> Shared Requested Signature Algorithms: 
> RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
> Peer signing digest: SHA1
> Peer signature type: RSA

The remote side looks limited. So from all the possibilities it decided
to sign with RSA+SHA1. This is something openssl in bookworm rejects if
I am not mistaken. But there has to be an error message about this.

I *think* if you lower the security level then it should work.

Out of curiosity, what is the remote side running?

Sebastian
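
A small triage helper for the two symptoms discussed in this message, the missing `CONNECTED` line and the SHA1 peer signature (added example, not part of the original e-mail; the function names, the weak-digest set and the sample captures are constructed for illustration). It goes slightly beyond the thread by also accepting mail-quoted and line-wrapped captures.

```python
import re

# Constructed inputs: lines from the Rocky Linux capture quoted above, and an
# empty capture standing in for the run that printed nothing.
WORKING_CAPTURE = """\
CONNECTED(00000003)
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Peer signing digest: SHA1
Peer signature type: RSA
"""
SILENT_CAPTURE = ""

# Digests this example treats as weak (an assumption, not taken from the thread).
WEAK_DIGESTS = {"MD5", "SHA1"}


def field(name, text):
    """Return the value after 'name:' (also when wrapped to the next line), else None."""
    m = re.search(r"^%s:\s*(\S.*)$" % re.escape(name), text, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage(output):
    """Classify an `openssl s_client` capture along the lines of the reply above."""
    text = re.sub(r"^> ?", "", output, flags=re.MULTILINE)  # accept mail-quoted text
    result = {
        "connected": bool(re.search(r"^CONNECTED\(", text, re.MULTILINE)),
        "digest": field("Peer signing digest", text),
        "sig_type": field("Peer signature type", text),
        "findings": [],
    }
    if not result["connected"]:
        # Nothing printed at all points at the network path, not at TLS policy.
        result["findings"].append("no CONNECTED line: TCP connect did not complete")
        return result
    if result["digest"] is None:
        result["findings"].append("no 'Peer signing digest' line in capture")
    elif result["digest"].upper() in WEAK_DIGESTS:
        result["findings"].append(
            "peer signed with %s+%s: weak digest, expect rejection at the "
            "client's default security level" % (result["sig_type"], result["digest"]))
    return result


if __name__ == "__main__":
    for name, capture in (("working", WORKING_CAPTURE), ("silent", SILENT_CAPTURE)):
        print(name, triage(capture))
```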
