On Sat, Sep 20, 2025 at 10:16:24AM -0500, Ian Pilcher wrote:
> I am trying to set up an Apache reverse proxy that will allow me to use
> modern browsers to manage my old "smart" switches. These old switches
> only support TLS 1.0 using the DHE-RSA-AES256-SHA cipher, which uses
> SHA-1 digests. I'll ultimately need to create an Apache configuration,
> but I'm working with openssl s_client right now, because baby steps.
>
> I've noticed a behavior that I don't understand when setting the cipher
> and SECLEVEL. In short, setting
> "CipherString = DHE-RSA-AES256-SHA@SECLEVEL=0" in my configuration
> allows s_client to connect to one of the old switches, but specifying
> "-cipher DHE-RSA-AES256-SHA@SECLEVEL=0" on the command line does not
> have the same effect.

IIRC the expected syntax is to use a ":" before "@SECLEVEL", though it
does appear to be "optional".

Looks like you're using OpenSSL on a RedHat or Fedora system. This is
then subject to RedHat's "crypto policies", which by default block the
use of SHA1. On my Fedora 41 system, with my own build of OpenSSL 3.2
(crypto policies aside, mostly similar to the 3.2 shipped in Fedora) I observe:

    $ /opt/openssl/3.2/bin/openssl s_client -cipher DHE-RSA-AES256-SHA@SECLEVEL=0 -starttls smtp -tls1 -connect 127.0.0.1:25 -brief
    Connecting to 127.0.0.1
    Can't use SSL_get_servername
    depth=1 C=US, O=Let's Encrypt, CN=R12
    verify error:num=20:unable to get local issuer certificate
    CONNECTION ESTABLISHED
    Protocol version: TLSv1
    Ciphersuite: DHE-RSA-AES256-SHA
    Peer certificate: CN=[elided]
    Hash used: MD5-SHA1
    Signature type: RSA
    Verification error: unable to get local issuer certificate
    Server Temp Key: DH, 2048 bits
    250 CHUNKING

    $ /usr/bin/openssl s_client -cipher DHE-RSA-AES256-SHA@SECLEVEL=0 -starttls smtp -tls1 -connect 127.0.0.1:25 -brief
    Connecting to 127.0.0.1
    Can't use SSL_get_servername
    409754D4617F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
    409754D4617F0000:error:0A080006:SSL routines:tls_process_key_exchange:EVP lib:ssl/statem/statem_clnt.c:2521:

As you can see, Fedora's OpenSSL does not want to negotiate the MD5-SHA1 TLS 1.0 digest.

> Here is the configuration file that I've created (INSECURE.cnf):
>
> > HOME = .
> > openssl_conf = openssl_init
> > config_diagnostics = 1
> >
> > [openssl_init]
> > providers = provider_sect
> > ssl_conf = ssl_module
> >
> > [provider_sect]
> > default = default_sect
> >
> > [default_sect]
> > activate = 1
> >
> > [ssl_module]
> > system_default = crypto_policy
> >
> > [crypto_policy]
> > CipherString = DHE-RSA-AES256-SHA@SECLEVEL=0
> > Options = UnsafeLegacyServerConnect

You're also overriding the default crypto policy,

    /etc/pki/tls/openssl.cnf:
        [crypto_policy]
        .include = /etc/crypto-policies/back-ends/opensslcnf.config

    /etc/crypto-policies/back-ends/opensslcnf.config:
        CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
        Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
        TLS.MinProtocol = TLSv1.2
        TLS.MaxProtocol = TLSv1.3
        DTLS.MinProtocol = DTLSv1.2
        DTLS.MaxProtocol = DTLSv1.2
        SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
        Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

        [openssl_init]
        alg_section = evp_properties

        [evp_properties]
        rh-allow-sha1-signatures = no

> Using this file, s_client connects successfully.

As expected.

> But specifying the cipher and security level on the command line (along
> with -tls1 and -legacy_renegotiation) doesn't work.

As expected.

> Can anyone explain why these two methods of specifying the cipher are
> behaving differently? (And what would I need to put on the command line
> to allow SHA-1 digests?)

See above.

> TIA!
>
> (This is all done with OpenSSL 3.2.4 on Fedora 42.)

As deduced from the reported symptoms and settings. This reminds me to
upgrade from Fedora 41 at some point. :-)

--
Viktor. 🇺🇦 Glory to Ukraine!
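
An added illustration, not part of the original message and not OpenSSL's own parser: the Python below resolves which security level and which `rh-allow-sha1-signatures` value each of the two configuration files in this thread ends up with, showing that the cipher string and the SHA-1 signature property are separate settings. The file contents are constructed and abridged from the quoted configs, the opening lines of the system file are assumed to mirror INSECURE.cnf, and `FILES`, `load` and `effective` are hypothetical names.

```python
import re

# Constructed, abridged copies of the configs quoted above. HEAD is an
# assumption for the system file: the page shows only its [crypto_policy] part.
HEAD = """openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_module
[ssl_module]
system_default = crypto_policy
[crypto_policy]
"""
FILES = {
    "/etc/pki/tls/openssl.cnf": HEAD
        + ".include = /etc/crypto-policies/back-ends/opensslcnf.config\n",
    "/etc/crypto-policies/back-ends/opensslcnf.config": """
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:!eNULL:!aNULL:!MD5
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = no
""",
    "INSECURE.cnf": HEAD + "CipherString = DHE-RSA-AES256-SHA@SECLEVEL=0\n",
}

def load(path, conf=None, section="default"):
    """Minimal parser for the constructs used here; repeated sections merge."""
    conf = {} if conf is None else conf
    for line in FILES[path].splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            section = header.group(1)
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == ".include":
                load(value, conf, section)  # included text starts in this section
            else:
                conf.setdefault(section, {})[key] = value
    return conf

def effective(path):
    """Follow openssl_conf -> ssl_conf / alg_section as the quoted files chain them."""
    conf = load(path)
    init = conf.get(conf["default"]["openssl_conf"], {})
    policy = conf.get(conf.get(init.get("ssl_conf"), {}).get("system_default"), {})
    alg = conf.get(init.get("alg_section"), {})
    level = re.search(r"@SECLEVEL=(\d)", policy.get("CipherString", ""))
    return {"seclevel": int(level.group(1)) if level else None,
            "rh-allow-sha1-signatures": alg.get("rh-allow-sha1-signatures", "unset")}
```

With the system file the result carries both `seclevel` 2 and `rh-allow-sha1-signatures` "no"; with INSECURE.cnf the `alg_section` is never reached, so the property is reported as unset.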