OpenSSL v1.1.1 Ubuntu 20 TLSv1 - no protocols available

Server supports TLSv1 and not TLSv1.1 and above

Ubuntu 20.x openssl version does not support TLSv1 and below.

It could be that the openssl.cnf file has been updated to add more secure connection defaults. It depends on the OS and the flavor.

Determine the location of the configuration file (for openssl on your flavor of Linux) and figure out if there are any restrictions on lowering the TLS versions or what it is set up to by default.

Try the following to see if the server supports TLSv1.1 and above:

 nmap --script ssl-enum-ciphers -p 443 your_host_name

Check the output to see the ciphers and the corresponding versions.

| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
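To act on that nmap output without reading it by eye, here is an added Python example (not part of the answer above, and not an nmap component) that parses an ssl-enum-ciphers report, lists the protocol versions the server offers, flags the ones deprecated by RFC 8996, flags obviously legacy cipher suites by name, and tells you whether a client that insists on TLS 1.2 (the Ubuntu 20.04 openssl.cnf default) would fail against that server. Both report texts are constructed samples that mirror the shape of the excerpt above; the function names are my own.

```python
import re
from typing import Dict, List

# Protocol labels as nmap prints them, lowest to highest.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# SSLv2/SSLv3 were retired long ago; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Name fragments that mark a suite as legacy or broken regardless of nmap's grade.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_3DES_", "_DES_", "_MD5", "_anon_")

_PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?):$")
_CIPHER_RE = re.compile(r"^((?:TLS|SSL)_[A-Z0-9_]+)")

# Constructed sample 1: same shape as the excerpt above, a server that offers
# only TLS 1.0 and 1.1 (older nmap wording, "- strong").
LEGACY_ONLY_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|_    compressors:
|       NULL
"""

# Constructed sample 2: a server that also offers TLS 1.2 (newer nmap wording,
# with letter grades and key-exchange details).
MIXED_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {protocol: [cipher suite, ...]} from nmap ssl-enum-ciphers output."""
    result: Dict[str, List[str]] = {}
    current = None
    in_ciphers = False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's "| " / "|_ " tree prefix
        m = _PROTO_RE.match(line)
        if m:
            current = "TLSv1.0" if m.group(1) == "TLSv1" else m.group(1)
            result[current] = []
            in_ciphers = False
            continue
        if line == "ciphers:":
            in_ciphers = True
            continue
        if line.endswith(":"):  # compressors:, warnings:, ... end the cipher list
            in_ciphers = False
            continue
        m = _CIPHER_RE.match(line)
        if current and in_ciphers and m:
            result[current].append(m.group(1))
    return result


def highest_protocol(report: Dict[str, List[str]]) -> str:
    return max(report, key=PROTOCOL_ORDER.index) if report else "none"


def deprecated_protocols(report: Dict[str, List[str]]) -> List[str]:
    return sorted((p for p in report if p in DEPRECATED), key=PROTOCOL_ORDER.index)


def weak_ciphers(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for proto, suites in report.items():
        bad = [s for s in suites if any(mk in s for mk in WEAK_MARKERS)]
        if bad:
            out[proto] = bad
    return out


def needs_legacy_client(report: Dict[str, List[str]]) -> bool:
    """True when the server offers nothing at or above TLS 1.2, so a client with
    MinProtocol = TLSv1.2 (Ubuntu 20.04's default) reports 'no protocols available'."""
    best = highest_protocol(report)
    return best == "none" or PROTOCOL_ORDER.index(best) < PROTOCOL_ORDER.index("TLSv1.2")


if __name__ == "__main__":
    for name, text in (("legacy-only", LEGACY_ONLY_OUTPUT), ("mixed", MIXED_OUTPUT)):
        r = parse_ssl_enum_ciphers(text)
        print(name, highest_protocol(r), deprecated_protocols(r), weak_ciphers(r),
              "legacy client needed:", needs_legacy_client(r))
```

If `needs_legacy_client` comes back true, the fix on the client side is the scoped override described in the later answers; the durable fix is on the server, which should offer TLS 1.2 or 1.3.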

I've just solved my problem with - https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

Just quoting this link:

You need to add this to the beginning of your config file:

openssl_conf = default_conf

And then this to the end:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

The comment on the above link said:

Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF defined to point at the location of your config file:

export OPENSSL_CONF=/path/to/my/openssl.cnf

This way you can make changes without having to impact your entire system.

I used the second choice "export OPENSSL_CONF=/path/to/my/openssl.cnf" and it worked perfectly!


If you get error 14187180 like I did after trying the above answer https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level (or otherwise) you might like to try the --dtls-ciphers=LEGACY with openconnect. I needed to both downgrade to TLSv1.1 as above (MinProtocol = TLSv1.1) and add this to connect to a customer's Cisco Anyconnect VPN.

echo password | OPENSSL_CONF=/etc/ssl/openssl_tls_1_0.cnf openconnect -v -g VPNGROUP -u username --dtls-ciphers=LEGACY --passwd-on-stdin vpn.domain

The solution that worked for me was to create an openssl_tls1.cnf containing:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

Then setting OPENSSL_CONF=/path/to/openssl_tls1.cnf allows connecting with the lower protocol, as in

OPENSSL_CONF=openssl_tls1.cnf wget https://foo.bar
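The override file in this answer, in the one quoted from askubuntu, and in the openconnect answer (with MinProtocol = TLSv1.1) all rely on a four-link chain of section references: the top-level openssl_conf key names a section, that section's ssl_conf names another, whose system_default names the section holding MinProtocol and CipherString. The two answers spell the last section differently (ssl_default_sect versus system_default_sect), which is fine as long as each file is consistent with itself; a mismatch is the usual reason the override seems to do nothing. As an added Python example (mine, not from any answer here), the script below renders that file, parses it back with a minimal cnf reader, walks the chain and fails loudly on a dangling reference, and builds a per-process environment with OPENSSL_CONF set so the system-wide /etc/ssl/openssl.cnf is left untouched. The function names (build_override_config, parse_cnf, resolve_system_default, write_override, scoped_env) are my own.

```python
import os
import tempfile
from typing import Dict

# Protocol names MinProtocol accepts in OpenSSL 1.1.1's ssl_conf module.
PROTOCOL_NAMES = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def build_override_config(min_protocol: str = "TLSv1", seclevel: int = 1) -> str:
    """Render the override file from the answers above, with its four-link chain:
    openssl_conf -> default_conf -> ssl_sect -> system_default_sect."""
    if min_protocol not in PROTOCOL_NAMES:
        raise ValueError(f"unknown MinProtocol {min_protocol!r}")
    if not 0 <= seclevel <= 5:
        raise ValueError("SECLEVEL must be between 0 and 5")
    return (
        "openssl_conf = default_conf\n"
        "\n"
        "[ default_conf ]\n"
        "ssl_conf = ssl_sect\n"
        "\n"
        "[ssl_sect]\n"
        "system_default = system_default_sect\n"
        "\n"
        "[system_default_sect]\n"
        f"MinProtocol = {min_protocol}\n"
        f"CipherString = DEFAULT:@SECLEVEL={seclevel}\n"
    )


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for OpenSSL's cnf syntax, enough for override files:
    '[ name ]' headers, 'key = value' lines and '#' comments. Keys that appear
    before any header belong to the unnamed default section ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # "[ default_conf ]" -> "default_conf"
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def resolve_system_default(sections: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Follow the reference chain and return the effective system_default settings.
    Raises on a missing link: a typo in any section name means the lowered
    MinProtocol never reaches libssl."""
    def follow(section: str, key: str) -> str:
        where = f"section [{section}]" if section else "the top of the file"
        if section not in sections:
            raise ValueError(f"{where} is referenced but not defined")
        if key not in sections[section]:
            raise ValueError(f"{where} has no '{key}' entry")
        return sections[section][key]

    app = follow("", "openssl_conf")        # openssl_conf = default_conf
    ssl = follow(app, "ssl_conf")           # ssl_conf = ssl_sect
    sysdef = follow(ssl, "system_default")  # system_default = system_default_sect
    if sysdef not in sections:
        raise ValueError(f"section [{sysdef}] is referenced but not defined")
    return dict(sections[sysdef])


def write_override(min_protocol: str = "TLSv1", seclevel: int = 1,
                   directory: str = None) -> str:
    """Write the override to its own file (a fresh temp dir by default) and
    return the path, validating the chain before handing it to a process."""
    cfg = build_override_config(min_protocol, seclevel)
    resolve_system_default(parse_cnf(cfg))
    directory = directory or tempfile.mkdtemp(prefix="openssl-override-")
    path = os.path.join(directory, "openssl_tls1.cnf")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(cfg)
    return path


def scoped_env(config_path: str) -> Dict[str, str]:
    """Environment for a single child process, e.g.
    subprocess.run(["wget", url], env=scoped_env(path)). Only that process
    sees the relaxed settings; the caller's environment is not modified."""
    env = dict(os.environ)
    env["OPENSSL_CONF"] = config_path
    return env
```

Passing the result of `scoped_env` to one `subprocess.run` call is the programmatic form of the `OPENSSL_CONF=openssl_tls1.cnf wget ...` one-liner above: the relaxed MinProtocol and SECLEVEL apply to that one client process and nothing else on the host.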

Tags: Ubuntu, Openssl