TLS1 error

FreeBSD 14.2

Well I took the plunge and upgraded from FreeBSD 13.4 to 14.2 and now regret it. For some reason I'm getting this error ...

Code:
ssl23_get_server_hello:tlsv1 alert protocol version

and I can't for the life of me see why it's not working.

To confirm, my website is working but I have a Steam game that accesses a folder on my server which can no longer connect and throws the above error.

Any help with this most appreciated.
 
Yes I know. However the Steam game needs TLSv1 and it was working fine until the FreeBSD upgrade.
 
I'm wondering what kind of game needs to access a website? And it's probably your webserver that blocks the TLSv1 connection, lowest it probably does is TLSv1.2.

Is the game java based perhaps? Because I had to seriously cripple the default Java security settings to be able to access IPMI on a couple of old machines (notably had to reenable TLSv1).
 
It's a golf game that sends API data to my site but has to use TLSv1.0. It won't send the data with anything else, hence the need to allow it. Something has changed since the upgrade to 14.2 and must be related to OpenSSL by the sound of it. I checked make config and TLS1 is enabled.

The httpd-ssl.conf file contains ...

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3

This is an oversight on my part.
 
So how do I configure the OpenSSL in the base OS to allow TLSv1.0?
That's a good question, according to OpenSSL itself it's still there, just not enabled. OpenSSL doesn't have some 'system' configuration file, it's the 'consumers' of OpenSSL that decide what to use.

security/openssl is installed so should I remove it?
You can remove it, there's probably nothing using it, so it's just sitting there doing nothing but take up space.
 
Yes they are on the same machine and adding +TLSv1 didn't work. I made sure to restart Apache after.
 
Code:
SSLCipherSuite ALL:@SECLEVEL=1


openssl ciphers -v -s -tls1


It's better to upgrade the server to TLS1.2 and above
 
Code:
SSLCipherSuite ALL:@SECLEVEL=1

Apache won't even start with that addition and there is nothing I can do regarding the Steam game. It is an abandoned game by the developers which was created back in 2014.
 
Yes, if I read that error message correctly it's the client (the game) being denied trying to set up a TLSv1 connection to the (web)server. It's the webserver that's denying it. On the server side I mostly deal with turning old and outdated encryption/ciphers off, not turning them back on. Anyway, besides turning TLSv1 back on, I suspect you probably also need to enable some dodgy old ciphers too. Just not sure which ones specifically.

Oh, super "quick" fix maybe, run the webserver in a 13.4-RELEASE jail. It worked on 13.4 right?
 
It's now working. In the end VladiBG pointed me in the right direction. However I had to make a slight change ...

Code:
SSLCipherSuite ALL:@SECLEVEL=0
SSLProxyCipherSuite ALL:@SECLEVEL=0

but it did the trick.
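
Added example, not code from any poster in this thread: a small Python audit of the directives quoted above, showing why `SSLProtocol all` on its own no longer offers TLSv1 and why only `@SECLEVEL=0` restored it, and flagging that setting as a server-wide weakening. It assumes mod_ssl is linked against OpenSSL 3.x, where TLS 1.0/1.1 negotiate only at security level 0; the function names and the `BEFORE`/`AFTER` samples are constructed for illustration.

```python
import re

# What mod_ssl's "all" keyword expands to on a current build (simplified).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# OpenSSL 3.x negotiates these only at security level 0 (SHA-1/MD5 signatures).
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_SECLEVEL = 1  # assumption: level 1 or higher unless the cipher string lowers it
# Matches server-side directives only; comments and SSLProxy* lines do not match.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+)$", re.M | re.I)


def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: + adds, - removes, bare replaces."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        names = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def audit(conf_text):
    """Return configured vs. negotiable protocols for one Apache TLS config."""
    protocols, seclevel = ALL - {"SSLv3"}, DEFAULT_SECLEVEL  # mod_ssl default
    for directive, value in DIRECTIVE.findall(conf_text):
        if directive.lower() == "sslprotocol":
            protocols = enabled_protocols(value)
        else:
            m = re.search(r"@SECLEVEL=(\d)", value)
            seclevel = int(m.group(1)) if m else DEFAULT_SECLEVEL
    negotiable = protocols - LEGACY if seclevel > 0 else set(protocols)
    return {"configured": protocols, "seclevel": seclevel,
            "negotiable": negotiable,
            "weakened": seclevel == 0 and bool(protocols & LEGACY)}


# Constructed inputs built from the directives quoted in the thread.
BEFORE = "SSLProtocol all -SSLv2 -SSLv3\n"
AFTER = BEFORE + "SSLCipherSuite ALL:@SECLEVEL=0\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```

A `weakened` result means every client of that server block can be negotiated down to the legacy protocols, so the setting is best confined to the one endpoint the old client uses.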
 