
I've successfully added a custom engine to my OpenSSL configuration like this:

openssl_conf = openssl_def   # at the beginning of the config file

[openssl_def]                # at the end
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

It seems to work but when I try

curl -v https://lk.egrz.ru

I get the following error:

*   Trying 82.202.190.159:443...
* TCP_NODELAY set
* Connected to lk.egrz.ru (82.202.190.159) port 443 (#0)
GOST engine already loaded
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

However, when I try the command above on an old Centos everything seems to work correctly:

*   Trying 82.202.190.159:443...
* TCP_NODELAY set
* Connected to lk.egrz.ru (82.202.190.159) port 443 (#0)
GOST engine already loaded
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

The difference is that I get the error only on an Ubuntu 20.04 LTS machine.

I did research and found out that TLSv1.0 is no longer supported.

As suggested in the question "When I try to CURL a website I get SSL error", the solution is to add the following to openssl.cnf:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

I've added the snippet above to the config too, alongside the custom engine declaration, but it didn't solve the problem.

Could anyone please suggest how to properly configure the openssl.cnf file in order to define both the custom engine and TLSv1.0 support? Is it possible at all?

Thanks in advance
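As an added example (editor's note, not part of the question or the answer below), here is how the two fragments from the question combine into one OpenSSL config. The key point is that `openssl_conf` is a single key in the unnamed top section, so it can only name one init section; declaring it twice (`openssl_def` and `openssl_init`) does not give you both. Put `engines` and `ssl_conf` in the same init section. On Ubuntu 20.04 the stock /etc/ssl/openssl.cnf already declares `openssl_conf = default_conf` near the top and a `[system_default_sect]` with `MinProtocol = TLSv1.2` and `CipherString = DEFAULT:@SECLEVEL=2`, which is what produces the "protocol version" alert in the trace: the server picks a protocol below the floor, and `ssl_choose_client_version` refuses it. Editing those existing sections (rather than appending a second `openssl_conf` line) is what makes the change take effect. The engine path and parameter set are the ones from the question.

```ini
# Added example: one init section that carries both the GOST engine and
# the TLS defaults. The openssl_conf key must appear before the first
# [section] header.
openssl_conf = default_conf

[default_conf]
engines  = engine_section
ssl_conf = ssl_sect

[engine_section]
gost = gost_section

[gost_section]
engine_id          = gost
dynamic_path       = /usr/lib/aarch64-linux-gnu/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS       = id-Gost28147-89-CryptoPro-A-ParamSet

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Ubuntu 20.04 ships MinProtocol = TLSv1.2 here; TLS 1.0 sits below that
# floor, hence "unsupported protocol" in the question's trace.
MinProtocol  = TLSv1.0
# SECLEVEL=2 (the Ubuntu default) rejects the legacy suites a TLS 1.0
# server offers; SECLEVEL=1 admits them.
CipherString = DEFAULT:@SECLEVEL=1
```

Two caveats for anyone applying this. First, `MinProtocol = TLSv1.0` and `SECLEVEL=1` in /etc/ssl/openssl.cnf lower the floor for every OpenSSL-linked program on the machine, not just curl; if only one client needs to talk to this server, put the same content in a separate file and point that one process at it with the `OPENSSL_CONF` environment variable. Second, the CentOS trace in the question gets past the protocol step and then fails with "unable to get local issuer certificate", so after the protocol floor is fixed you will still need the server's issuing CA in the trust store (or passed to curl with `--cacert`) before the handshake completes with verification on.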

1 Answer


If it only needs to work with curl, you can configure your own options in a file at $HOME/.curlrc:

https://everything.curl.dev/cmdline/configfile

Example:

root@xxxx:/home/xxxx# cat ~/.curlrc
# same as -k / --insecure: do not verify the server certificate
insecure
# same as --ciphers: OpenSSL cipher list with the DH suites removed
ciphers DEFAULT:!DH
# alternative: pin a single legacy suite
#ciphers AES256-SHA
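The .curlrc above works, but `insecure` turns the "unknown CA" failure from the CentOS trace into silent acceptance of any certificate, and the question's real problem (the TLS 1.0 floor) is still fixed nowhere. As an added example (editor's code, not from the answer or the question), the script below keeps the GOST engine, TLS 1.0 floor and SECLEVEL=1 out of the system-wide /etc/ssl/openssl.cnf and hands them to curl alone: libcurl's OpenSSL backend loads the default OpenSSL config at init, and OpenSSL takes that file's path from `OPENSSL_CONF` when it is set. The engine path and parameter set are the ones from the question; the output path, the `/path/to/egrz-ca.pem` CA file and the `curl_init` section name are assumptions.

```bash
#!/bin/sh
# Added example: build a per-process OpenSSL config for curl so the
# legacy TLS settings do not weaken every other OpenSSL-linked program.

# write_curl_openssl_conf OUT [ENGINE_SO]
# Writes a minimal OpenSSL config that loads the GOST engine and lowers
# the protocol floor only for the process that reads it.
write_curl_openssl_conf() {
    out=$1
    engine_so=${2:-/usr/lib/aarch64-linux-gnu/engines-1.1/gost.so}
    cat > "$out" <<EOF
openssl_conf = curl_init

[curl_init]
engines  = engine_section
ssl_conf = ssl_sect

[engine_section]
gost = gost_section

[gost_section]
engine_id          = gost
dynamic_path       = $engine_so
default_algorithms = ALL
CRYPT_PARAMS       = id-Gost28147-89-CryptoPro-A-ParamSet

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol  = TLSv1.0
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

# conf_has_key FILE KEY VALUE_REGEX
# Returns 0 if FILE contains a "KEY = VALUE" line (any spacing).
conf_has_key() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# verify_conf FILE
# Returns 0 only if every setting the handshake depends on is present:
# the init section is wired up, the engine is declared, and the floor
# and security level are both lowered.
verify_conf() {
    conf_has_key "$1" openssl_conf curl_init &&
    conf_has_key "$1" engine_id    gost &&
    conf_has_key "$1" MinProtocol  'TLSv1\.0' &&
    conf_has_key "$1" CipherString 'DEFAULT:@SECLEVEL=1'
}

main() {
    conf=${TMPDIR:-/tmp}/curl-gost-openssl.cnf
    write_curl_openssl_conf "$conf"
    verify_conf "$conf" || { echo "config incomplete: $conf" >&2; exit 1; }

    # If openssl is installed, let it parse the file and report the engine.
    # This fails harmlessly on a box where gost.so is not installed.
    if command -v openssl >/dev/null 2>&1; then
        OPENSSL_CONF=$conf openssl engine gost || true
    fi

    # Verification stays on: the issuing CA (assumed path, obtained out of
    # band) is pinned with --cacert instead of disabling checks with -k.
    echo "OPENSSL_CONF=$conf curl --cacert /path/to/egrz-ca.pem -v https://lk.egrz.ru"
}

# Run main only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Invoke it as `sh curl-gost-conf.sh run`, then run the printed curl command. Because the lowered floor lives only in the file named by `OPENSSL_CONF`, the system default of TLS 1.2 and SECLEVEL=2 stays in place for everything else, and the "unknown CA" step from the CentOS trace is handled by `--cacert` rather than by switching verification off.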