On 2022-12-10, Alceu Rodrigues de Freitas Junior <glasswal...@yahoo.com.br> wrote:
> If I read correctly, the Mikrotik is using an SSLv3 certificate, which I
> guess shouldn't be in use anymore.

There's no such thing as "an SSLv3 certificate", they are all just X.509
certs. The sslv3 refers to the type of alert, sslv3 alerts are still used
in TLS; SSLv3 itself hasn't been supported for years.

It doesn't necessarily use a certificate anyway, it may well be using ADH
for this. Federico, do you have a cert configured for the api-ssl service
on the routeros device, in "/ip service print"?

> On 10/12/2022 17:01, Federico Giannici wrote:
>> Since I upgraded from OpenBSD 7.1 to 7.2 (amd64) I'm no longer able to
>> use IO::Socket::SSL perl library to connect to some devices (Mikrotik
>> routers, via their API).
>>
>> This is the only debug info I was able to obtain:
>>
>> DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed
>> error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
>> failure

Maybe try connecting with openssl s_client too? That would help show if
it's a problem specific to IO::Socket::SSL or something more general.

>> Unfortunately it seems that both perl functions
>> Net::SSLeay::set_security_level() and
>> Net::SSLeay::CTX_set_security_level() don't work. I get the following
>> error. Maybe they are not implemented in our version of Net::SSLeay perl
>> library?

The security level stuff was only recently added to libressl, it is still
hidden behind #ifndef for libressl in p5-Net-SSLeay. I think you can set
it in the ciphers string though, if it is ADH maybe you need something
like "ADH:ALL:@SECLEVEL=0" (though in that case you would probably be
better advised to generate and use certificates instead).

-- 
Please keep replies on the mailing list.