
Help with "tlsv1 alert insufficient security"

Help with "tlsv1 alert insufficient security"

Joseph Southwell
We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when we try connecting to a server that previously worked. What does it mean and how can I figure out how to work around it? I can’t get the server to change anything and I need to be able to continue connecting to it. 

openssl s_client -connect xxxxxxx.com:#### -starttls ftp

CONNECTED(00000170)
4960:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert insufficient security:.\ssl\s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 88 bytes and written 317 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1487578706
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Help with "tlsv1 alert insufficient security"

Salz, Rich
Later versions ratcheted up the security.  Try -ciphers DEFAULT@SECLEVEL=0


Re: Help with "tlsv1 alert insufficient security"

Matt Caswell-2
In reply to this post by Joseph Southwell


On 24/02/17 16:15, Joseph Southwell wrote:

> We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when
> we try connecting to a server that previously worked. What does it mean
> and how can I figure out how to work around it? I can’t get the server
> to change anything and I need to be able to continue connecting to it.
>
> openssl s_client -connect xxxxxxx.com:#### -starttls ftp
>
> CONNECTED(00000170)
> 4960:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> insufficient security:.\ssl\s23_clnt.c:770:



That is actually quite strange. This is the server sending the OpenSSL
client an alert to say that you have insufficient security in your
ClientHello. Without access to the server it is quite difficult to tell
why. What is strange is the default security has been increased
significantly between 0.9.8 and 1.0.2. Possibly some ciphers/parameters
that were previously offered are no longer offered by default in 1.0.2 -
and therefore the server can't find one it likes.

Rich's suggestion is a good one, but unfortunately only applies to
version 1.1.0 - it won't work in 1.0.2. You might want to try compiling
with the "enable-weak-ssl-ciphers" config option to see if that makes a
difference.

Alternatively, try and find out what connection params are used when
connecting from 0.9.8. That might give you a clue as to what settings
are acceptable to the server.

Matt
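
An added example, not part of the thread and not OpenSSL's own code: it decodes the packed error code in the s_client line quoted above to show that the failure is an alert received from the server rather than a check that failed locally. It assumes the OpenSSL 1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the names `decode`, `Decoded` and `SAMPLE` are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Error-queue line layout printed by OpenSSL 1.0.x tools (assumed here):
#   pid:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>.*):(?P<line>\d+):(?P<data>.*)$"
)

ERR_LIB_SSL = 20             # library number of libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reason = 1000 + alert number for a received alert

# A few TLS alert descriptions (RFC 5246, RFC 7507), not the full registry.
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error",
          86: "inappropriate_fallback"}

# The error line from the original post, copied verbatim.
SAMPLE = (r"4960:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:"
          r"tlsv1 alert insufficient security:.\ssl\s23_clnt.c:770:")


class Decoded(NamedTuple):
    lib: int
    func: int
    reason: int
    peer_alert: Optional[int]   # alert number sent by the peer, or None
    alert_name: Optional[str]


def decode(line: str) -> Decoded:
    """Split the packed code and report whether it records a peer alert."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL 1.0.x error-queue line")
    code = int(m["code"], 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET   # the peer rejected our hello
    return Decoded(lib, func, reason, alert, ALERTS.get(alert))


if __name__ == "__main__":
    print(decode(SAMPLE))
```

A reason below 1000 means the local library raised the error itself, in which case changing what the client offers in its ClientHello is unlikely to be the fix.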