Hello,

do you use the default provider or do you configure some other
providers such as the fips provider? Is this a regular OpenSSL build
(which particular version is used?) or is this some Linux distribution
provided build?

Regards,

Tomas Mraz, OpenSSL

On Fri, 2024-04-19 at 01:27 +0000, Yuko Doki (Fujitsu) via openssl-users wrote:
> Hello OpenSSL users' community,
> I still haven't been able to solve the problem of TLS1.0 and TLS1.1
> connection error with OpenSSL3.0.
> If anyone knows a solution, please advise.
>
> I will explain the problem again.
> ----
> I am developing an application using the OpenSSL 3.0 API library.
> When I tested the connection using TLSv1.0 and TLSv1.1, I got a
> handshake error.
> Successful with TLS1.2 and TLS1.3.
>
> I got some advice here, so I set "DEFAULT:@SECLEVEL=0" or
> "ALL:@SECLEVEL=0" to the argument string of SSL_CTX_set_cipher_list()
> and tried connecting.
> However, the following error occurred again.
>
> [client side error]
> error:0A000438:SSL routines::tlsv1 alert internal error
> (detail: ssl/statem/statem_srvr.c line 2684 - do_sigver_init())
>
> [server side error]
> error:03000098:digital envelope routines::invalid digest
> (detail: crypto/evp/m_sigver.c line 343 - tls_construct_server_key_exchange())
> error:0A0C0103:SSL routines::internal error
> (detail: ssl/record/rec_layer_s3.c line 1600 - ssl3_read_bytes())
> ----
>
> Any advice would be greatly appreciated.
>
> Kind regards,
> Yuko Doki
>
> -----Original Message-----
> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Yuko Doki (Fujitsu) via openssl-users
> Sent: Thursday, April 11, 2024 3:41 PM
> To: 'Tomas Mraz' <tomas@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
> Subject: RE: TLSv1.0 on OpenSSL 3.0-API
>
> Hello OpenSSL users' community,
> I still haven't been able to resolve the issue.
>
> After that, I tried some additional cipher strings, but I got the
> same error.
> The strings I tried this time are as follows.
> "ALL:@SECLEVEL=0"
> "ECDHE-RSA-AES256-SHA:@SECLEVEL=0"
>
> I would appreciate any further advice.
>
> Kind regards,
> Yuko Doki
>
> -----Original Message-----
> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Yuko Doki (Fujitsu) via openssl-users
> Sent: Monday, April 8, 2024 11:58 AM
> To: 'Tomas Mraz' <tomas@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
> Subject: RE: TLSv1.0 on OpenSSL 3.0-API
>
> Thank you for your advice, Tomas.
>
> I added "@SECLEVEL=0" to the cipher string and tried.
> But I got a handshake error again.
> Note: I did not try SSL_CTX_set_security_level() to avoid changing
> the application's sources.
>
> The errors are as follows.
> [client side]
> error:0A000438:SSL routines::tlsv1 alert internal error
> (detail: ssl/statem/statem_srvr.c line 2684 - do_sigver_init())
> [server side]
> error:03000098:digital envelope routines::invalid digest
> (detail: crypto/evp/m_sigver.c line 343 - tls_construct_server_key_exchange())
> error:0A0C0103:SSL routines::internal error
> (detail: ssl/record/rec_layer_s3.c line 1600 - ssl3_read_bytes())
>
> The implementation for setting protocol version and cipher is as
> follows.
> SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
> SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
> SSL_CTX_set_cipher_list(ctx, "DEFAULT:@SECLEVEL=0");
>
> Could you please tell me what the problem is and how to fix it?
>
> Kind regards,
> Yuko Doki
>
> -----Original Message-----
> From: Tomas Mraz <tomas@xxxxxxxxxxx>
> Sent: Friday, April 5, 2024 3:47 PM
> To: Doki, Yuko/道木 裕子 <doki.yuko@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
> Subject: Re: TLSv1.0 on OpenSSL 3.0-API
>
> These versions require SHA1 to operate. However, the security bits for
> this algorithm were downgraded due to the known weaknesses and
> collision attacks. For that reason you have to use @SECLEVEL=0 in the
> cipher string or call SSL_CTX_set_security_level() to make TLS-1.0
> and 1.1 work.
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html
>
> Regards,
>
> Tomas Mraz, OpenSSL
>
> On Fri, 2024-04-05 at 05:55 +0000, Yuko Doki (Fujitsu) via openssl-users wrote:
> > Hello OpenSSL users' community,
> > This is my first time posting.
> >
> > I am developing an application using the OpenSSL API library.
> > And now I'm trying to migrate from OpenSSL 1.1.1 to 3.0.
> >
> > The application supports TLS protocol versions from TLSv1.0 to 1.3,
> > but with OpenSSL 3.0, TLSv1.0 and TLSv1.1 resulted in a handshake
> > error.
> >
> > The errors are as follows.
> > [client side]
> > error:0A000438:SSL routines::tlsv1 alert internal error
> > [server side]
> > error:0A000076:SSL routines::no suitable signature algorithm
> >
> > The TLS protocol version is set using the following functions.
> > SSL_CTX_set_min_proto_version()
> > SSL_CTX_set_max_proto_version()
> > No cipher suite is set. (Automatically selected by OpenSSL.)
> >
> > This implementation worked fine with OpenSSL 1.1.1.
> > Is OpenSSL 3.0 not supporting these protocol versions?
> > I would appreciate any advice on how to use TLSv1.0 or TLSv1.1 with
> > OpenSSL 3.0.
> >
> > In addition, the operating environment is as follows.
> > OS: Red Hat Enterprise Linux release 9.3
> > OpenSSL : OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
> >
> > Kind regards,
> > Yuko Doki
> >
>
> --
> Tomáš Mráz, OpenSSL

--
Tomáš Mráz, OpenSSL
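An added diagnostic script, not part of this thread or of OpenSSL, that gathers the build and provider facts asked about above and reproduces the two prerequisites for TLS 1.0/1.1 outside the application using the openssl(1) command line: whether the loaded provider will sign over a SHA-1 digest (the step that fails in do_sigver_init in the quoted errors) and whether the cipher strings tried above parse and select suites. It assumes the openssl binary on PATH comes from the same build the application links against.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Mirrors the failing code path in the
# quoted errors: tls_construct_server_key_exchange -> do_sigver_init with SHA-1.
# Assumes openssl(1) on PATH is the build the application links against.

# Build and provider facts (the provider listing exists from OpenSSL 3.0 on).
openssl_build_info() {
    openssl version -a
    openssl list -providers 2>/dev/null || echo "(no provider listing: OpenSSL < 3.0)"
}

# 1. Can the loaded provider produce an RSA signature over a SHA-1 digest, as a
#    TLS 1.0/1.1 ServerKeyExchange needs? Returns 0 if yes, 1 if the provider or
#    a distribution policy refuses ("invalid digest"), 2 if key setup failed.
check_sha1_signing() {
    tmp=$(mktemp -d) || return 2
    # Constructed stand-in for the ServerKeyExchange bytes that get signed.
    printf 'constructed ServerKeyExchange stand-in' > "$tmp/msg"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    if openssl dgst -sha1 -sign "$tmp/key.pem" -out "$tmp/sig" "$tmp/msg" 2>"$tmp/err"; then
        echo "sha1-signing: ok"; rc=0
    else
        echo "sha1-signing: blocked ($(tr '\n' ' ' < "$tmp/err"))"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# 2. Does the cipher string parse, and how many suites does it select?
#    Parsing alone is not enough: without "@SECLEVEL=0" the SHA-1 signature that
#    TLS 1.0/1.1 require is below the strength the default level 1 demands, so
#    the handshake still fails. Returns 0 if the string selects at least one suite.
check_cipher_string() {
    spec="${1:-DEFAULT:@SECLEVEL=0}"
    n=$(openssl ciphers "$spec" 2>/dev/null | tr ':' '\n' | wc -l | tr -d ' ')
    echo "cipher-string $spec: $n suites"
    [ "$n" -gt 0 ]
}

openssl_build_info
check_sha1_signing
check_cipher_string 'DEFAULT:@SECLEVEL=0'
check_cipher_string 'ECDHE-RSA-AES256-SHA:@SECLEVEL=0'
```

A "blocked" result from check_sha1_signing with a string that still parses in check_cipher_string is the combination seen in the quoted second-round errors, and points at the provider or build rather than at the cipher string.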