On Tue, Apr 14, 2020 at 11:58:05AM +0200, Per olof Ljungmark wrote:
> Hello,
>
> After upgrading our Nagios host, I can no longer get status from our older
> HP servers with iLO3.
>
> Using a perl script, check_ilo2_health.pl, this stopped working due to lack
> of support of older ciphers in base openssl.
>
> So far, I installed openssl from ports and enabled the weak ciphers,
> adjusted /etc/make.conf for DEFAULT_VERSIONS+= ssl=openssl, have rebuilt
> perl and perl modules, curl and a few more.
>
> Still, I get
>
> curl -v --insecure --tlsv1.1 -v https://<iLO3 IP>
> * Trying <iLO3 IP>:443...
> * Connected to <iLO3 IP> port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /usr/local/share/certs/ca-root-nss.crt
> CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS alert, handshake failure (552):
> * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> * Closing connection 0
> curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure
>
> I am at a loss right now on how I could teach the FBSD-12 system to use the
> older ciphers, it still works fine from 11.

Ok, so, let me tell you how I handled something similar a couple of months back with some ruby scripts that needed to talk to an old appliance with an old ssl but where ssl was mandatory.

I installed openssl-unsafe (which is a 1.0.2-something with everything enabled) and I locally rebuilt every bit that needed that old SSL. This included installing RVM to build a local ruby, and use that ruby to build the bits those scripts needed...

Now it works, and that machine has a "do not touch" sign. ^^

-- 
Mathieu Arnold