Thanks Matt for your reply earlier. Following your advice, I've edited the following line in my openssl.cnf file:
CipherString = DEFAULT@SECLEVEL=1
and it now works in s_client and curl:
niks@DESKTOP-O2VP5O2:/etc/ssl$ curl https://thankqcrm.accessacloud.com/<snip>/?X-apikey=<snip>
{"Status":"OK","PageIndex":1,"PageSize":15,"PageCount":1,"Columns":[{"Name":"destinationCode","DataType":"Text","MaxLength":20},{"Name":"webDescriptionOverride","DataType":"Text","MaxLength":-1}],"Rows":[{"destinationCode":"BOARDING","webDescriptionOverride":"Boarding"},{"destinationCode":"BURSARYAS","webDescriptionOverride":"Bursaries"},{"destinationCode":"GIVING DAY 2020","webDescriptionOverride":"GIVING DAY 2020"},{"destinationCode":"OTHER","webDescriptionOverride":"Other"},{"destinationCode":"PARTNER","webDescriptionOverride":"Partnerships"},{"destinationCode":"UNRESTRAS","webDescriptionOverride":"Unrestricted"}],"RecordCount":6,"RecordStartIndex":1}
{"Status":"OK","PageIndex":1,"PageSize":15,"PageCount":1,"Columns":[{"Name":"destinationCode","DataType":"Text","MaxLength":20},{"Name":"webDescriptionOverride","DataType":"Text","MaxLength":-1}],"Rows":[{"destinationCode":"BOARDING","webDescriptionOverride":"Boarding"},{"destinationCode":"BURSARYAS","webDescriptionOverride":"Bursaries"},{"destinationCode":"GIVING DAY 2020","webDescriptionOverride":"GIVING DAY 2020"},{"destinationCode":"OTHER","webDescriptionOverride":"Other"},{"destinationCode":"PARTNER","webDescriptionOverride":"Partnerships"},{"destinationCode":"UNRESTRAS","webDescriptionOverride":"Unrestricted"}],"RecordCount":6,"RecordStartIndex":1}
Thanks so much for the help resolving the issue.
As for going back to the software vendor, I absolutely want to but don't hold out too much hope they will change anything.
I'm basically going to say this:
The certificate chain contains two redundant root certificates. These should be removed, as there is no need to send root certificates, and because they are signed with SHA1, stricter servers like Debian are dropping the connection.
Does that sound about right?
As for the conversation with Viktor, it's all over my head! Can I just ignore it and get back to work? Thanks again.
Niki
On Wed, 11 Mar 2020 at 15:33, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote:
> I think the server could be OpenSSL, because why I made sure that
s/why/while/.
> self-signed CA signatures are not subjected to security levels in
> x509_vfy.c, the same exclusion does not appear to be present in:
>
> int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
> [...]
--
Viktor.
Niki Dinsey
IS Manager
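Added example, not part of the original message or of OpenSSL: one way to confine the same `DEFAULT@SECLEVEL=1` cipher string to a single client connection instead of editing the system-wide openssl.cnf, here with Python's standard `ssl` module. The allowlist, function names and the choice of Python are assumptions made for illustration; the host name is the one from the curl command above.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumption: an explicit allowlist of hosts that need the relaxed level.
LEGACY_HOSTS = {"thankqcrm.accessacloud.com"}
# Same cipher string as the openssl.cnf edit, applied per context only.
LEGACY_CIPHERS = "DEFAULT@SECLEVEL=1"


def is_legacy_host(url: str) -> bool:
    """True only for https URLs whose host exactly matches the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are allowed")
    # urlsplit lowercases the host name; exact match, no suffix matching.
    return (parts.hostname or "") in LEGACY_HOSTS


def build_context(legacy: bool) -> ssl.SSLContext:
    """Verifying client context; only the security level differs."""
    # create_default_context() keeps CERT_REQUIRED and hostname checking on.
    ctx = ssl.create_default_context()
    if legacy:
        ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def context_for(url: str) -> ssl.SSLContext:
    """Relaxed context for allowlisted hosts, library default for the rest."""
    return build_context(is_legacy_host(url))


def security_level(ctx: ssl.SSLContext):
    """OpenSSL security level of a context (None before Python 3.10)."""
    return getattr(ctx, "security_level", None)


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """GET a URL using the context chosen for its host."""
    ctx = context_for(url)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```

Every other TLS client on the machine keeps the distribution's default security level, and the exception is easy to delete once the vendor fixes the chain.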