in reply to Re: Internal SSL error after Ubuntu update
in thread Internal SSL error after Ubuntu update

Purely a guess, but in your shoes I would check which TLS versions the LDAP server supports and which versions your upgraded client permits. There could well be a mismatch there (although, in that case I would hope for a better error message than state_machine:internal error).

No ldap client installed on both machines, so I use openssl to see if I can connect:

>openssl s_client -connect ldap.company.de:389 -starttls ldap CONNECTED(00000003) 140557505041728:error:1425F102:SSL routines:ssl_choose_client_version: +unsupported protocol:../ssl/statem/statem_lib.c:1941: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 93 bytes and written 346 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- >

On the working machine:

>openssl s_client -connect ldap.company.de:389 -starttls ldap CONNECTED(00000005) depth=0 C = DE, L = City, O = company GmbH, CN = *.company.de, emailAd +dress = system@company.de verify error:num=18:self signed certificate verify return:1 depth=0 C = DE, L = City, O = company GmbH, CN = *.company.de, emailAd +dress = system@company.de verify return:1 --- Certificate chain 0 s:C = DE, L = City, O = company GmbH, CN = *.company.de, emailAddre +ss = system@company.de i:C = DE, L = City, O = company GmbH, CN = *.company.de, emailAddre +ss = system@company.de --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=C = DE, L = City, O = company GmbH, CN = *.company.de, emailAd +dress = system@company.de issuer=C = DE, L = City, O = company GmbH, CN = *.company.de, emailAdd +ress = system@company.de --- No client certificate CA names sent --- SSL handshake has read 945 bytes and written 563 bytes Verification error: self signed certificate --- New, SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 Cipher : AES256-SHA Session-ID: 3F6E48D0... Session-ID-ctx: Master-Key: 02158253D6C... PSK identity: None PSK identity hint: None SRP username: None Start Time: 1611324515 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) Extended master secret: no ---

This starts to look more and more like an SSL issue. I don't understand why s_client gets SSL routines:ssl_choose_client_version:unsupported protocol, while perl gets SSL routines:state_machine:internal error.

I've compared the output of openssl ciphers -v on both machines, it's identical:

>openssl ciphers -v TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Ma +c=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/ +POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Ma +c=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM( +256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256 +) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) +Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA2 +0/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/P +OLY1305(256) Mac=AEAD DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POL +Y1305(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM( +128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128 +) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) +Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) M +ac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac= +SHA384 DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac= +SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) M +ac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac= +SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac= +SHA256 ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=S +HA1 ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SH +A1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SH +A1 ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=S +HA1 ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SH +A1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SH +A1 RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) +Mac=AEAD DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) +Mac=AEAD RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POL +Y1305(256) Mac=AEAD DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POL +Y1305(256) Mac=AEAD ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/P +OLY1305(256) Mac=AEAD AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Ma +c=AEAD PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Ma +c=AEAD PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1 +305(256) Mac=AEAD RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) +Mac=AEAD DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) +Mac=AEAD AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Ma +c=AEAD PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Ma +c=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac= +SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac= +SHA256 ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Ma +c=SHA384 ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=S +HA1 SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SH +A1 SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SH +A1 RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac= +SHA384 DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac= +SHA384 RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SH +A1 DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SH +A1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SH +A1 PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SH +A384 PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SH +A1 ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Ma +c=SHA256 ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=S +HA1 SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SH +A1 SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SH +A1 RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac= +SHA256 DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac= +SHA256 RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SH +A1 DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SH +A1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SH +A1 PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SH +A256 PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SH +A1 >

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Replies are listed 'Best First'.
Re^3: Internal SSL error after Ubuntu update
by hippo (Chancellor) on Jan 22, 2021 at 14:26 UTC
    ssl_choose_client_version:unsupported protocol

    That does suggest to me that the newest protocol version supported by the server is older than the oldest protocol permitted by the upgraded client. Given that your working client shows a negotiated TLSv1.1 that's probably the highest/newest supported by the server.

    Update: check the MinProtocol setting in the openssl config of your upgraded machine. You may have to configure it downwards towards TLSv1.1 to permit the connection.


    🦛

      ssl_choose_client_version:unsupported protocol

      That does suggest to me that the newest protocol version supported by the server is older than the oldest protocol permitted by the upgraded client. Given that your working client shows a negotiated TLSv1.1 that's probably the highest/newest supported by the server.

      Very likely. The LDAP server is ancient, the last update must have been in 2011. Replacement is planned, but for now, we have to work with that old installation.

      check the MinProtocol setting in the openssl config of your upgraded machine. You may have to configure it downwards towards TLSv1.1 to permit the connection.

      Following https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level, I modified the openssl configuration to allow TLS v1.1. openssl sclient is now able to connect.

      Perl still gets the same old error:

      SSL connect attempt failed error:14161044:SSL routines:state_machine:internal error

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

        I think you will have to look at setting SSL_version in the IO::Socket::SSL constructor (or a higher-level module which passes it through) at that rate.


        🦛