I am unable to connect with Mystic and SBBS binkps nodes. I see a couple errors like this..
verify error:num=66:EE certificate key too weak
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Is there a way I can lower the requirements of the certificate key or?
Not sure this is the best place to discuss BINKD SSL tunneling,
but the issue is likely that it requires a 2048 or higher bit key
instead of 1024.
Try adding -cipher "ADH:@SECLEVEL=1" or -cipher "ADH:@SECLEVEL=0"
onto your openssl command.
It might be -cipher "ALL:@SECLEVEL=0" or maybe 1. Basically you need
to step down the security level setting to 1 I think because it now defaults to 2 which is a higher key bit.
I don't really know how the command line openssl stuff works
On Mon, 2 Mar 2020 02:09:11 +0700
"g00r00 -> Al" <0@108.1.21> wrote:
I am unable to connect with Mystic and SBBS binkps nodes. I see
a couple errors like this..
verify error:num=66:EE certificate key too weak
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Is there a way I can lower the requirements of the certificate
key or?
Not sure this is the best place to discuss BINKD SSL tunneling,
but the issue is likely that it requires a 2048 or higher bit
key instead of 1024.
Try adding -cipher "ADH:@SECLEVEL=1" or -cipher
"ADH:@SECLEVEL=0" onto your openssl command.
This has nothing to do with binkd ssl "tunneling". Is Mystic (and
binkit) using a weak certificate by default? Nobody uses 1024 bit
keys anymore.
Gee, I instantly knew the issue, explained it to Al and gave him a
command line to get it working. It's almost like I'm not wrong and I understand what is going on.
Any ideas what options I need to pass openssl s_client to get it to connect?
openssl s_client -connect bbs.castlerockbbs.com:24553
...deon
Now that I'm running Mystic A46, I'm trying to get a tunneled binkps session between my pi and mystic. I keep running into problems when using the following:
"openssl s_client -quiet -cipher ALL:@SECLEVEL=1 -alpn binkp -connect"
After the -connect *H:*I might solve the problem. Here is the node line
I was using to poll hub 4.
node 21:4/100@fsxnet -pipe "openssl s_client -quiet -alpn binkp -cipher ALL@SECLEVEL=1 -connect *H:*I" bbs.castlerockbbs.com:24553 XXXXXXXX c
This didn't seem to make a difference when I reenabled the security settings in my /etc/ssl/openssl.cnf.
After poking around, even doing this test gives me the same result:
openssl s_client -connect bbs.eggy.cc:24553
CONNECTED(00000003)
3069566992:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:
Then I tried on my Linux desktop and my desktop is able to connect.
After some further research, I looked into /etc/ssl/openssl.cnf on my
pi, it has this at the bottom:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
If I comment this out, it works.
I would think using -cipher ALL:@SECLEVEL=1 would override this, but I guess it's not working.
Looks to be a security setting in ssl on my raspberry pi.
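
The two settings in that [system_default_sect] block act independently, which is why -cipher alone did not help. The Python model below is an added example, not code from the thread or from OpenSSL: it reads the section and reports which setting refuses a given peer. The names parse_system_default, seclevel, diagnose and PI_CONF, the build_level default and the peer values used with it are assumptions made for illustration; only the key-size and MinProtocol checks are modelled.

```python
import re

# Minimum RSA key bits per OpenSSL security level (SSL_CTX_set_security_level).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_system_default(conf_text):
    """Return the key/value pairs of [system_default_sect], comments stripped."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section == "system_default_sect":
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def seclevel(cipher_string):
    """Extract N from an '@SECLEVEL=N' element, or None when it is absent."""
    m = re.search(r"@SECLEVEL=(\d)", cipher_string or "")
    return int(m.group(1)) if m else None

def diagnose(conf_text, cli_cipher, peer_rsa_bits, peer_max_tls, build_level=1):
    """List the settings that refuse the peer.

    cli_cipher models s_client's -cipher: it replaces the cipher string and
    its SECLEVEL, but MinProtocol from the config file stays in force.
    """
    conf = parse_system_default(conf_text)
    level = seclevel(cli_cipher)
    if level is None:
        level = seclevel(conf.get("CipherString"))
    if level is None:
        level = build_level  # assumed compiled-in default; varies by build
    problems = []
    if peer_rsa_bits < MIN_RSA_BITS[level]:
        problems.append(f"SECLEVEL={level}: EE certificate key too weak "
                        f"({peer_rsa_bits} < {MIN_RSA_BITS[level]} bits)")
    min_proto = conf.get("MinProtocol")
    if min_proto and TLS_ORDER.index(peer_max_tls) < TLS_ORDER.index(min_proto):
        problems.append(f"MinProtocol={min_proto}: unsupported protocol "
                        f"(peer offers at most {peer_max_tls})")
    return problems

# Constructed input: the section quoted in the post above.
PI_CONF = """[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""
```

Calling diagnose(PI_CONF, "ALL:@SECLEVEL=1", 1024, "TLSv1") for a constructed peer with a 1024-bit key and TLS 1.0 only returns just the MinProtocol entry, matching the "unsupported protocol" error that remained until the section was commented out.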