@olivierlambert this error line from your call shows that the updates are not fixing the issue
140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
A correct output, which you can reproduce with any openssl version 1.1.1 or higher, looks like this:
openssl s_client -connect ssl-tools.net:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = ssl-tools.net
verify return:1
---
Certificate chain
0 s:CN = ssl-tools.net
i:C = US, O = Let's Encrypt, CN = E6
1 s:C = US, O = Let's Encrypt, CN = E6
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = ssl-tools.net
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2371 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: BC6467F92591807810680DA798C335BDE23409C87BB0A5BC3F2A07F8AD2557B8
Session-ID-ctx:
Resumption PSK: 285BC2D246C8D2026C71B0ADBAC8F93AC7287A44580AECE5B06881AAC701C037
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
Start Time: 1730967208
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
I guess that the error has to do with TLS 1.3 (https://wiki.openssl.org/index.php/TLS1.3): support was introduced in openssl 1.1.1, and servers which don't allow a downgrade to TLS 1.2 / 1.1 will simply fail in openssl 1.0.2 with the above error line.
As per TLS 1.3: The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration. That looks like the root problem: if servers enforce this, then openssl 1.0.2 will fail to establish a connection at all.
The next option would be to manually build openssl 1.1.1 in XCP 8.2.1 itself. @olivierlambert, could you please test if these steps will work and not break an existing XCP installation?
# Uninstall - this may uninstall xcp-ng-deps as well, don't know if this has breaking impact to XCP
yum remove openssl
# Install required packages
yum install -y make gcc perl-core pcre-devel wget zlib-devel
# Download the OpenSSL 1.1.1 source code
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
# Uncompress the source file
tar -xzvf openssl-1.1.1k.tar.gz
# Change to the OpenSSL directory
cd openssl-1.1.1k
# Configure the package for compilation (binary to /usr/bin, static libs to /usr/lib, config to /etc/ssl)
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
# Compile package
make
# Test compiled package (run before installing)
make test
# Install compiled package
make install
# Create the environment variable file with the library path
# (these paths match a default /usr/local prefix build; with the --prefix=/usr no-shared build above nothing is placed there, so the export is harmless but unused)
cat > /etc/profile.d/openssl.sh <<'EOF'
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
EOF
# Load the environment variable
source /etc/profile.d/openssl.sh
# Verify the OpenSSL version
openssl version
These two blogs show how to build openssl 1.1.1 on CentOS 7 manually; I haven't tried them yet in an existing XCP installation:
Blog 1: https://gist.github.com/Bill-tran/5e2ab062a9028bf693c934146249e68c
Blog 2: https://computingforgeeks.com/how-to-install-openssl-1-1-on-centos-rhel-7/?utm_content=cmp-true
Hope it will work
Best regards
User
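The error line and the s_client output quoted in the post can be checked mechanically. The following is an added example, not code from the post or from XCP-ng: a small Python parser for OpenSSL's error-string format and the s_client summary lines, with the sample strings constructed from the output above. The error-code decoding assumes the 1.0.x/1.1.x packing (library, function and reason fields) and the SSL library's convention of storing a received TLS alert as reason 1000 + alert number.

```python
import re

# OpenSSL error-string format (1.0.x / 1.1.x):
#   <thread id>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
                    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

# Constructed samples: the failing line quoted in the post, and a trimmed
# excerpt of the good openssl 1.1.1 s_client output shown above.
BAD_OUTPUT = ("140304244799376:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:"
              "tlsv1 alert internal error:s23_clnt.c:769:\n")
GOOD_OUTPUT = ("CONNECTED(00000003)\n---\nNew, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256\n"
               "Server public key is 256 bit\nVerify return code: 0 (ok)\n---\n")

def parse_openssl_error(line):
    """Split one OpenSSL error line into its fields; None if it is not one."""
    m = ERR_RE.match(line.strip())
    return m.groupdict() if m else None

def decode_error_code(code_hex):
    """Unpack the packed code: lib<<24 | func<<12 | reason; SSL-library reasons
    1000..1255 carry the TLS alert description the peer sent (+1000)."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - 1000 if lib == 0x14 and 1000 <= reason < 1256 else None
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}

def parse_s_client(output):
    """Pull negotiated protocol, cipher and verify code out of s_client output."""
    info = {"protocol": None, "cipher": None, "verify_code": None}
    for line in output.splitlines():
        m = re.match(r"New, (\S+), Cipher is (\S+)", line.strip())
        if m:
            info["protocol"], info["cipher"] = m.group(1), m.group(2)
        m = re.match(r"Verify return code: (\d+)", line.strip())
        if m and info["verify_code"] is None:
            info["verify_code"] = int(m.group(1))
    return info

def diagnose(output):
    """'ok', 'verify-failed', 'legacy-client-alert' or 'unknown'."""
    for line in output.splitlines():
        err = parse_openssl_error(line)
        # s23_*.c is the pre-1.1.0 client state machine (openssl 1.0.x) and the server answered with an alert
        if err and err["file"].startswith("s23_") \
                and decode_error_code(err["code"])["alert"] is not None:
            return "legacy-client-alert"
    info = parse_s_client(output)
    return "unknown" if info["protocol"] is None else ("ok" if info["verify_code"] == 0 else "verify-failed")
```

For the post's error line, decode_error_code("14077438") yields library 20 (SSL), function 119 and reason 1080, i.e. TLS alert 80 (internal_error) received by the 1.0.x client before any ServerHello.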