theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0
489 stars, 54 forks

SSL routines:ssl_choose_client_version:unsupported protocol #114

Closed MiltonLai closed 4 years ago

MiltonLai commented 4 years ago

I installed the dev version (openfortigui_99.9.1057-1_amd64_focal.deb) in a newly installed Ubuntu 20.04 and got the following errors when trying to connect to the server:

DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
ERROR:  SSL_connect: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
You might want to try --insecure-ssl or specify a different --cipher-list

If I check the "Insecure SSL" option, then the error becomes

DEBUG:  Setting min proto version to: 0x301
ERROR:  SSL_connect: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
You might want to try --insecure-ssl or specify a different --cipher-list

I googled and found this may be related to the OpenSSL version (link), but I didn't find where to set the MinProtocol option.

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

The VPN server is maintained by another company, so a server upgrade is not an option. Is there any way to make openfortigui work with the old SSL version?

Thanks!

MiltonLai commented 4 years ago

I have solved this problem according to this post: https://blog.surgut.co.uk/2019/08/how-to-disable-tls-10-and-tls-11-on.html

The change is (for Ubuntu 20.04 only, I didn't test it in other distributions): edit /etc/ssl/openssl.cnf and find this line:

oid_section             = new_oids

Add the following lines right below the above line

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1

This won't make any change to the output of openssl version -a, but the error error:1425F102:SSL no longer shows. In my case I also need to uncheck the "Insecure SSL" option.
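Added example, not part of the original thread or of openfortigui: a small audit that resolves the `openssl_conf` -> `ssl_conf` -> `system_default` chain from the fragment above and reports when the system-wide floor has been lowered below TLSv1.2 or SECLEVEL 2, since this setting applies to every OpenSSL client on the host and not only the VPN. The function names and the sample text are constructed for illustration; the chain only resolves when `openssl_conf` sits in the unnamed top section, which is why the comment places it right below `oid_section`.

```python
import re

# Constructed sample: the fragment from the comment above, in the position it describes.
SAMPLE_CNF = """\
oid_section             = new_oids
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1
"""
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

def parse_sections(text):
    """Split openssl.cnf text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default; {} if the chain is broken."""
    s = parse_sections(text)
    name = s[""].get("openssl_conf")  # only honoured in the top section
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key)
    return s.get(name, {})

def audit(text):
    """Return findings when the system default drops below TLSv1.2 or SECLEVEL 2."""
    cfg, findings = system_default(text), []
    proto = cfg.get("MinProtocol")
    if proto in PROTO_RANK and PROTO_RANK[proto] < PROTO_RANK["TLSv1.2"]:
        findings.append(f"MinProtocol={proto} allows handshakes below TLSv1.2")
    level = re.search(r"@SECLEVEL=(\d)", cfg.get("CipherString", ""))
    if level and int(level.group(1)) < 2:
        findings.append(f"CipherString sets SECLEVEL={level.group(1)} (below 2)")
    return findings
```

To check a real host, pass the contents of /etc/ssl/openssl.cnf to `audit()`; an empty list means either no lowered floor or a chain that does not resolve.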

theinvisible commented 4 years ago

Thanks, will close this issue now.

MiltonLai commented 4 years ago

This solution doesn't work on 0.9.0-3_amd64_focal.

I installed 0.9.0-3 today in a newly installed Ubuntu 20.04 and got the same protocol issue, but this time I tried all methods with no luck. The connections always failed with "1425F102:SSL routines:ssl_choose_client_version:unsupported protocol".

Finally I had to install 99.9.1057-1 instead.

nataliapc commented 3 years ago

It doesn't work either with Linux Mint 20.1 and openfortigui 0.9.4-1_amd64_focal. Same error.