in reply to Re^3: Internal SSL error after Ubuntu update
in thread Internal SSL error after Ubuntu update

ssl_choose_client_version:unsupported protocol

That does suggest to me that the newest protocol version supported by the server is older than the oldest protocol permitted by the upgraded client. Given that your working client shows a negotiated TLSv1.1 that's probably the highest/newest supported by the server.

Very likely. The LDAP server is ancient, the last update must have been in 2011. Replacement is planned, but for now, we have to work with that old installation.

check the MinProtocol setting in the openssl config of your upgraded machine. You may have to configure it downwards towards TLSv1.1 to permit the connection.

Following https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level, I modified the openssl configuration to allow TLS v1.1. openssl sclient is now able to connect.

Perl still gets the same old error:

SSL connect attempt failed error:14161044:SSL routines:state_machine:internal error

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Replies are listed 'Best First'.
Re^5: Internal SSL error after Ubuntu update
by hippo (Archbishop) on Jan 22, 2021 at 15:11 UTC

    I think you will have to look at setting SSL_version in the IO::Socket::SSL constructor (or a higher-level module which passes it through) at that rate.

    🦛

[reply]
      I think you will have to look at setting SSL_version in the IO::Socket::SSL constructor (or a higher-level module which passes it through) at that rate.

      SUCCESS!

      In Company::LDAP::new() (see Internal SSL error after Ubuntu update), you can find this line:

      $opts{'sslversion'}='tlsv1_1';

      [download]

      This sets the parameters for Net::LDAP->start_tls(), sslversion is passed to IO::Socket::SSL. So I've limited the SSL handshake to TLS v1.1. Commenting out that line restores the IO::Socket::SSL defaults, and those simply work. Yeah!

      I've no clue why I added that line, probably because of a long debugging session some years ago. At some point, it must have worked, and from that point on, the golden rule "never change a running system" applied.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom