Subject: Re: Configuring OpenSSL to connect to an old server
From: anton.txt (at) *nospam* gmail.moc (Anton Shepelev)
Newsgroups: comp.unix.bsd.freebsd.misc
Date: 26 Sep 2024, 16:02:03
Organization: To protect and to server
Message-ID: <vd3t1a$3bjhk$1@paganini.bofh.team>
References: 1
User-Agent: tin/2.6.3-20231224 ("Banff") (FreeBSD/14.1-RELEASE (amd64))
Anton Shepelev <anton.txt@gmail.moc> wrote:
> Options = UnsafeLegacyRenegotiation
> Options = UnsafeLegacyServerConnect
Neither helps, but both change the error to:
0020E1F579080000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:2255:
Also in connection with this problem, the option
SSL_OP_LEGACY_SERVER_CONNECT is mentioned. It is disabled by default
since OpenSSL 3.0, and I have 3.0.13. But how can I set these
OpenSSL options?
According to the SSL_CONF_cmd man page (unavailable on my system,
although OpenSSL is installed), the configuration-file option
UnsafeLegacyServerConnect is equivalent to
SSL_OP_LEGACY_SERVER_CONNECT:
<https://docs.openssl.org/master/man3/SSL_CONF_cmd/#supported-configuration-file-commands>
So I /did/ follow the proposed solution, after all. That said, how
can I determine what legacy algorithm is required, whether it is
disallowed (and therefore can be enabled) or unsupported (and a
different version of OpenSSL is required)?
There is also a solved OpenVPN issue for this error:
<https://github.com/OpenVPN/openvpn/issues/348#issuecomment-1568546165>
The solution consists in specifying the following OpenVPN options:
tls-cert-profile insecure
providers legacy default
compat-mode 2.3.0
But I fail to see how these options may be translated to OpenSSL
configuration...
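A worked translation of those three OpenVPN options into an OpenSSL 3.x configuration file, added here as an example and not part of Anton's post; the file name legacy-client.cnf, the section names and the SECLEVEL mapping are my assumptions, and loading the file through OPENSSL_CONF keeps the weakening scoped to one client process instead of the system-wide openssl.cnf:

```ini
# legacy-client.cnf (added example, file name assumed): per-process OpenSSL 3.x
# settings that mirror the OpenVPN options quoted above. Load it only for the
# one client that needs it, e.g. OPENSSL_CONF=./legacy-client.cnf <command>.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf  = ssl_sect

# "providers legacy default": activate the legacy provider beside the default
# one so old primitives (RC4, DES, ...) can still be instantiated.
[provider_sect]
default = default_sect
legacy  = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Config-file form of SSL_OP_LEGACY_SERVER_CONNECT / SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
# (the SSL_CONF_cmd page documents both as a comma-separated Options list).
Options = UnsafeLegacyServerConnect,UnsafeLegacyRenegotiation
# Closest analogue to "tls-cert-profile insecure": security level 0 stops
# SHA-1/MD5 signatures from being rejected outright. Assumption: that is the
# check behind "legacy sigalg disallowed"; try without this line first.
CipherString = DEFAULT:@SECLEVEL=0
# Only needed if the server speaks nothing newer than TLS 1.0/1.1.
MinProtocol = TLSv1
```

Run `OPENSSL_CONF=./legacy-client.cnf openssl s_client -connect host:port` to see whether the handshake now completes, and remove the SECLEVEL line first to learn whether the providers and Options alone clear the sigalg error.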