OpenSSL v1.1.1 Ubuntu 20 TLSv1 - no protocols available
Server supports TLSv1 and not TLSv1.1 and above
Ubuntu 20.x openssl version does not support TLSv1 and below.
It could be that the openssl.cnf file has been updated to add more secure connection defaults. It depends on the OS and the flavor.
Determine the location of the configuration file (for openssl, for your flavor of Linux) and figure out if there are any restrictions on lowering the TLS versions, or what it is set up to by default.
Try the following to see if the server supports TLSv1.1 and above:
nmap --script ssl-enum-ciphers -p 443 your_host_name
Check the output to see the ciphers and the corresponding versions.
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
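The answer above leaves reading the nmap output to the eye. As an added example (not part of nmap, nor of any answer in this thread), the script below parses ssl-enum-ciphers output and reports which offered versions are deprecated and whether the server offers anything a TLSv1.2-only client could use; the two scan samples are constructed in the shape of the output shown above.

```python
"""Flag deprecated TLS versions in nmap ssl-enum-ciphers output.

Added example for this thread; it is not part of nmap or of any answer
above. The scan samples are constructed to mirror the answer's format.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of the answer's output (only legacy versions).
LEGACY_ONLY_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
"""

# Constructed sample of a server that additionally offers TLSv1.2.
MIXED_SCAN = LEGACY_ONLY_SCAN + """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors:
|       NULL
"""

# Versions deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

_PREFIX_RE = re.compile(r"^\|_?\s*")            # nmap's "| " / "|_ " script-output prefix
_PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
_CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Map each protocol version the scan lists to the cipher suites under it."""
    protocols: Dict[str, List[str]] = {}
    current = None
    in_ciphers = False
    for raw in text.splitlines():
        line = _PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        m = _PROTO_RE.match(line)
        if m:                                   # "TLSv1.0:" opens a new version block
            current = m.group(1)
            protocols.setdefault(current, [])
            in_ciphers = False
            continue
        if line == "ciphers:":
            in_ciphers = True
            continue
        if line.endswith(":"):                  # compressors:, cipher preference:, warnings: ...
            in_ciphers = False
            continue
        if current is not None and in_ciphers:
            cm = _CIPHER_RE.match(line)
            if cm:
                protocols[current].append(cm.group(1))
    return protocols


def assess(protocols: Dict[str, List[str]]) -> dict:
    """Summarise which offered versions are deprecated and whether any modern one exists."""
    offered = sorted(protocols)
    deprecated = [p for p in offered if p in DEPRECATED]
    modern = [p for p in offered if p not in DEPRECATED]
    return {
        "offered": offered,
        "deprecated": deprecated,
        "modern": modern,
        # True: a client whose MinProtocol is TLSv1.2 (the default the question hits)
        # cannot connect at all, which is the situation the answers below work around.
        "legacy_only": bool(deprecated) and not modern,
    }


if __name__ == "__main__":
    for name, scan in (("legacy-only", LEGACY_ONLY_SCAN), ("mixed", MIXED_SCAN)):
        print(name, assess(parse_ssl_enum_ciphers(scan)))
```

Pipe real output in place of the samples (`nmap --script ssl-enum-ciphers -p 443 host | python3 script.py` with a small `sys.stdin.read()` at the bottom) to get the same summary for a live scan; a `legacy_only` result means the fix belongs on the server, and any client-side downgrade should be scoped to that one connection.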
I've just solved my problem with - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
Just quoting this link:
You need to add this to the beginning of your config file:
openssl_conf = default_conf
And then this to the end:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
The comment on the above link said:
Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:
export OPENSSL_CONF=/path/to/my/openssl.cnf
This way you can make changes without having to impact your entire system.
I used the second choice "export OPENSSL_CONF=/path/to/my/openssl.cnf" and it worked perfectly!
If you get error 14187180 like I did after trying the above answer https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level (or otherwise), you might like to try the --dtls-ciphers=LEGACY option with openconnect. I needed to both downgrade to TLSv1.1 as above (MinProtocol = TLSv1.1) and add this to connect to a customer's Cisco AnyConnect VPN.
echo password | OPENSSL_CONF=/etc/ssl/openssl_tls_1_0.cnf openconnect -v -g VPNGROUP -u username --dtls-ciphers=LEGACY --passwd-on-stdin vpn.domain
The solution that worked for me was to create an openssl_tls1.cnf containing:
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
Then setting OPENSSL_CONF=/path/to/openssl_tls1.cnf allows connecting with the lower protocol, as in
OPENSSL_CONF=openssl_tls1.cnf wget https://foo.bar
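Both config-file answers above rely on the same indirection chain: the top-level `openssl_conf` names a section, whose `ssl_conf` names a section, whose `system_default` names the section that finally holds MinProtocol and CipherString. As an added example (not part of OpenSSL or of any answer here), the script below follows that chain in an openssl.cnf and reports a MinProtocol or @SECLEVEL below a chosen floor, so you can check which file `OPENSSL_CONF` points at before a lowered copy quietly becomes a process's default. The two sample configs are constructed; the lowered one copies the answers' snippet.

```python
"""Audit an OpenSSL 1.1.1 config for a lowered MinProtocol / @SECLEVEL.

Added example for this thread; it is not part of OpenSSL or of any answer
above. It follows the openssl_conf -> ssl_conf -> system_default chain the
answers' snippets set up, so it finds the effective section whatever the
section names are. Both sample configs are constructed.
"""
import re
from typing import Dict, Optional

# Constructed copy of the lowered config the answers describe.
LOWERED_CNF = """\
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

# Constructed config with the stricter TLSv1.2 / SECLEVEL=2 defaults.
HARDENED_CNF = """\
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2
"""

# Protocol names as OpenSSL spells them for MinProtocol, oldest first.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

_SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")   # "[ name ]" or "[name]"
_SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d)")

Section = Dict[str, str]


def parse_openssl_cnf(text: str) -> Dict[str, Section]:
    """Split an openssl.cnf into {section: {key: value}}; '' is the unnamed top section.

    Sufficient for the key = value lines used here; it does not expand $var
    references and treats '#' anywhere on a line as starting a comment.
    """
    sections: Dict[str, Section] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_system_default(sections: Dict[str, Section]) -> Optional[Section]:
    """Follow openssl_conf -> ssl_conf -> system_default to the MinProtocol/CipherString section."""
    top = sections[""].get("openssl_conf")
    ssl_sect = sections.get(top, {}).get("ssl_conf") if top else None
    sysdef = sections.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    return sections.get(sysdef) if sysdef else None


def audit(text: str, floor_protocol: str = "TLSv1.2", floor_seclevel: int = 2) -> dict:
    """Report the effective MinProtocol and @SECLEVEL plus any setting below the floors."""
    sysdef = resolve_system_default(parse_openssl_cnf(text))
    if sysdef is None:
        return {"min_protocol": None, "seclevel": None,
                "findings": ["no system_default section reachable from openssl_conf"]}
    min_protocol = sysdef.get("MinProtocol")
    match = _SECLEVEL_RE.search(sysdef.get("CipherString", ""))
    seclevel = int(match.group(1)) if match else None
    findings = []
    if min_protocol is None:
        findings.append("MinProtocol not set (library default applies)")
    elif min_protocol not in PROTOCOL_RANK:
        findings.append(f"unrecognised MinProtocol value {min_protocol!r}")
    elif PROTOCOL_RANK[min_protocol] < PROTOCOL_RANK[floor_protocol]:
        findings.append(f"MinProtocol={min_protocol} is below {floor_protocol}")
    if seclevel is not None and seclevel < floor_seclevel:
        findings.append(f"@SECLEVEL={seclevel} is below {floor_seclevel}")
    return {"min_protocol": min_protocol, "seclevel": seclevel, "findings": findings}


if __name__ == "__main__":
    import sys
    # With a path argument, audit that file (e.g. the one $OPENSSL_CONF points at).
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit(fh.read()))
    else:
        print("lowered: ", audit(LOWERED_CNF))
        print("hardened:", audit(HARDENED_CNF))
```

Running it against the per-process file from the answers reports both `MinProtocol=TLSv1 is below TLSv1.2` and `@SECLEVEL=1 is below 2`; that is the expected state for a file you only ever reference through `OPENSSL_CONF=... wget ...` or `openconnect`, and a finding when it turns up at /etc/ssl/openssl.cnf.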