Hello, I have created a new VM with Ubuntu (MATE) 22.04. Our company's certificate is installed, but nothing else. Now curl does not work.
Edited by kB:
Error message: SSL/ curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
    curl -v https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 216.58.212.176:443...
    * Connected to storage.googleapis.com (216.58.212.176) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    * CApath: /etc/ssl/certs
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [89 bytes data]
    * TLSv1.2 (OUT), TLS header, Unknown (21):
    } [5 bytes data]
    * TLSv1.2 (OUT), TLS alert, handshake failure (552):
    } [2 bytes data]
    * error:0A000152:SSL routines::unsafe legacy renegotiation disabled
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 0
    curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
    * Hostname storage.googleapis.com was found in DNS cache
    * Trying 216.58.212.176:443...
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to storage.googleapis.com (216.58.212.176) port 443 (#1)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    * CApath: /etc/ssl/certs
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLSv1.2 (IN), TLS header, Certificate Status (22):
    { [5 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [89 bytes data]
    * TLSv1.2 (OUT), TLS header, Unknown (21):
    } [5 bytes data]
    * TLSv1.2 (OUT), TLS alert, handshake failure (552):
    } [2 bytes data]
    * error:0A000152:SSL routines::unsafe legacy renegotiation disabled
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 1
    curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
On the old Ubuntu it still looked like this:
    user@vm:/etc/ssl/certs$ curl -v https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repoq
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 142.250.74.208:443...
    * TCP_NODELAY set
    * Connected to storage.googleapis.com (142.250.74.208) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [89 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [6172 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [148 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [70 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    * subject: CN=storage.googleapis.com
    * start date: Mar 20 08:29:07 2023 GMT
    * expire date: Jun 12 08:29:06 2023 GMT
    * subjectAltName: host "storage.googleapis.com" matched cert's "storage.googleapis.com"
    * issuer: xxxxxxxxxxxxxxxxxxxxxx
    * SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    } [5 bytes data]
    * Using Stream ID: 1 (easy handle 0x55649273a850)
    } [5 bytes data]
    > GET /git-repo-downloads/repo HTTP/2
    > Host: storage.googleapis.com
    > user-agent: curl/7.68.0
    > accept: */*
    >
    { [5 bytes data]
    * Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
    } [5 bytes data]
    * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
    } [5 bytes data]
    < HTTP/2 200
    < x-guploader-uploadid: ADPycdvzwUER9U_8agsIGkSiDSq9VylHzagyz17QiiEniJ1Xtvv6grhK_VZcGKDKKaUKKfZbSvP5sk1l00FimrgLrLj5lw
    < x-goog-generation: 1678460601518001
    < x-goog-metageneration: 1
    < x-goog-stored-content-encoding: identity
    < x-goog-stored-content-length: 45787
    < content-language: en
    < x-goog-hash: crc32c=wgP5CQ==
    < x-goog-hash: md5=rzP9NaqF7zyn599AM4JIBg==
    < x-goog-storage-class: STANDARD
    < accept-ranges: bytes
    < content-length: 45787
    < server: UploadServer
    < date: Tue, 11 Apr 2023 06:22:34 GMT
    < expires: Tue, 11 Apr 2023 07:22:34 GMT
    < cache-control: public, max-age=3600
    < age: 311
    < last-modified: Fri, 10 Mar 2023 15:03:21 GMT
    < etag: "af33fd35aa85ef3ca7e7df4033824806"
    < content-type: application/octet-stream
    < alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    <
    0 45787 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0{ [5 bytes data]
    100 45787 100 45787 0 0 40808 0 0:00:01 0:00:01 --:--:-- 40808
    * Connection #0 to host storage.googleapis.com left intact
Since I am on a company network, I installed the corresponding certificate; it is the same one in both VMs. With 22.04 I can now also browse the Internet in Firefox without error messages.
I'm not really good at understanding what the logs above are telling me.
My guess is that the security options were tightened in Ubuntu 22.04 and not everything works any more. Does anyone know more?
Moderated by Berlin_1946:
This topic has been moved. Please take note of the topics marked as important (“Which topics belong here and which do not?”)!
Edited by kB:
Please choose a meaningful title in future!
Moderated by kB:
Moved from the forum “Netzwerk und Internetzugang einrichten” to a more suitable forum area.
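
Added example (not part of the original post): a shell function that classifies a saved `curl -v` trace like the two above by how the TLS handshake ended. The function name `classify_trace` and the two abbreviated sample traces are constructed for illustration; the background fact is that OpenSSL 3.0 clients by default refuse a peer whose Server hello does not signal RFC 5746 secure renegotiation, which is what error 0A000152 reports.

```shell
#!/bin/sh
# Constructed samples, abbreviated from the two traces in the post.
TRACE_NEW='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled'

TRACE_OLD='* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* subject: CN=storage.googleapis.com
* issuer: xxxxxxxxxxxxxxxxxxxxxx
* SSL certificate verify ok.'

# classify_trace TRACE (hypothetical helper): print one line saying how the
# handshake in a `curl -v` trace ended.
#  - 0A000152 after a Server hello: the client itself aborted because the
#    answering endpoint did not signal RFC 5746 secure renegotiation.
#  - verified handshake: report protocol and issuer; the issuer names the CA
#    that signed the certificate the client actually received.
classify_trace() {
  printf '%s\n' "$1" | awk '
    /\(IN\), TLS handshake, Server hello/ { hello = 1 }
    /error:0A000152:/                     { reneg = 1 }
    /SSL connection using/                { proto = $5 }
    /issuer:/                             { sub(/^.*issuer: */, ""); issuer = $0 }
    /SSL certificate verify ok/           { verified = 1 }
    END {
      if (reneg && hello)
        print "legacy-renegotiation-rejected after-server-hello"
      else if (reneg)
        print "legacy-renegotiation-rejected"
      else if (verified)
        print "handshake-ok proto=" proto " issuer=" issuer
      else
        print "inconclusive"
    }'
}

classify_trace "$TRACE_NEW"
classify_trace "$TRACE_OLD"
```

A `legacy-renegotiation-rejected` result points at the endpoint that answered the Client hello, and the `issuer=` value from a client that still connects shows which CA that endpoint presents.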