
I installed Ubuntu 20 on my VPS. This is what I'm trying to do:

curl -v https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438975
root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:443...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

But when I try it like this, it kinda works:

curl -v http://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice
[1] 438977
root@vps:/var/www/html/tportal# *   Trying 195.29.166.100:80...
* TCP_NODELAY set
* Connected to imenik.tportal.hr (195.29.166.100) port 80 (#0)
> GET /show?action=pretraga HTTP/1.1
> Host: imenik.tportal.hr
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 16 Jun 2020 07:44:32 GMT
< Server: Apache/2.2.3 (CentOS)
< Location: https://imenik.tportal.hr/show?action=pretraga
< Content-Length: 336
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://imenik.tportal.hr/show?action=pretraga">here</a>.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at imenik.tportal.hr Port 80</address>
</body></html>
* Closing connection 0

I can't find a solution to this SSL problem.

Misko Mali

2 Answers


The website uses the old TLS protocol version 1.0, which has been disabled by default since Ubuntu 20.04.

To temporarily override the default for your curl command, you can create a config file somewhere (e.g. ~/.openssl_allow_tls1.0.cnf) with the following content:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

Then run your command like this:

OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'

(this will only set OPENSSL_CONF for that single command)

or

export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf
curl -v 'https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice'

(this will only set OPENSSL_CONF for the current session or script)

You could also set it globally in /etc/ssl/openssl.cnf, but it has been disabled for good reasons and I would only override that when necessary.


pLumo
  • This fixed the problem :) Thank you very much. If I want to go back to the original configuration, should I do this: export OPENSSL_CONF= /etc/ssl/openssl.cnf ? – Misko Mali Jun 16 '20 at 09:06
  • You don't need to do anything; the environment variable is only valid until you close the terminal or until the end of the script. But if you still want to change back in the current session, you can just run export OPENSSL_CONF= (set blank). Or just use the first command in my answer, setting the env var on the same line as the curl command; then it is only valid for that single command. – pLumo Jun 16 '20 at 09:12
  • Great. One last question: how do I set it globally in /etc/ssl/openssl.cnf, since I need it for a longer period of time? I did it like this: [ system_default_sect ] CipherString = DEFAULT@SECLEVEL=1 but it's not working. – Misko Mali Jun 16 '20 at 09:21
  • I would say you can just add the whole thing at the end (not tested). But can't you just run export OPENSSL_CONF=~/.openssl_allow_tls1.0.cnf whenever you need it? – pLumo Jun 16 '20 at 09:28
  • That is actually a good idea, I'll try it. Thank you very much. – Misko Mali Jun 16 '20 at 09:35

Edit the openssl.cnf file:

sudo nano /etc/ssl/openssl.cnf

Add this line at the top:

openssl_conf = openssl_init

And add these lines at the end:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

It works for me. :)

For Laravel, also run:

sudo service php7.4-fpm restart

WHY
  • This also works if you have an Apache 2.4.41 with https proxy to an old server (e.g. Apache 2.2). No changes in Apache needed after upgrade to Ubuntu 20. Just this openssl.cnf change and reboot. – Nux Nov 02 '21 at 19:46
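The two answers above describe the same override applied at two scopes: a private config file selected with OPENSSL_CONF for one command or session, or an edit to /etc/ssl/openssl.cnf that lowers the security level for every OpenSSL-linked program on the host. The script below is an added example, not code from either answer: it writes the override file with each section on its own line, checks that the SECLEVEL=1 line really landed, and runs a single command under it so the calling shell keeps the system policy. The function names, the TARGET_URL / TLS10_CONF variables and the demo block are this example's own choices; the config contents are exactly those from the answers.

```shell
# Added example (not from the original answers): keep the SECLEVEL=1 override in a
# separate file and apply it per command instead of lowering /etc/ssl/openssl.cnf
# for every program on the host. Function names, TARGET_URL and TLS10_CONF are
# this example's own assumptions; the config lines are the ones from the answers.

# write_tls10_override FILE
# Writes the override config. Each section header sits on its own line so that
# OpenSSL follows the chain openssl_conf -> openssl_init -> ssl_sect -> system_default_sect.
write_tls10_override() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# has_seclevel_override FILE
# Returns 0 when FILE contains the SECLEVEL=1 line, so a script can confirm the
# override is actually in place before blaming the remote server.
has_seclevel_override() {
    grep -q '^CipherString = DEFAULT@SECLEVEL=1$' "$1"
}

# with_legacy_tls FILE CMD [ARGS...]
# Runs CMD with OPENSSL_CONF=FILE in its environment only; the caller's shell
# keeps the default, system-wide OpenSSL policy.
with_legacy_tls() {
    conf=$1; shift
    OPENSSL_CONF="$conf" "$@"
}

# Demo: runs only when TARGET_URL is given, e.g.
#   TARGET_URL='https://imenik.tportal.hr/show?action=pretraga&type=bijeleStranice' sh tls10.sh
# The URL is quoted so the shell does not treat '&' as a background operator.
if [ -n "${TARGET_URL:-}" ]; then
    conf=${TLS10_CONF:-$HOME/.openssl_allow_tls1.0.cnf}
    write_tls10_override "$conf"
    has_seclevel_override "$conf" || { echo "override not written" >&2; exit 1; }
    with_legacy_tls "$conf" curl -sS -o /dev/null -w 'HTTP %{http_code}\n' "$TARGET_URL"
fi
```

The same wrapper can carry a diagnostic instead of curl, for instance `with_legacy_tls "$conf" openssl s_client -connect HOST:443 -tls1 -servername HOST </dev/null`, to confirm that the server really negotiates nothing newer than TLS 1.0 before the override is kept around at all; because the override is passed per command, nothing else on the host inherits the lowered security level.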