After upgrading to AlmaLinux 10, OpenSSL connections fail

I upgraded to AlmaLinux 10 and now OpenSSL connections fail; before the upgrade everything worked normally.

openssl s_client -connect 10.100.190.57:443

Connecting to 10.100.190.57
CONNECTED(00000003)
C0E236DE6A7F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:909:SSL alert number 40

no peer certificate available

No client certificate CA names sent

Negotiated TLS1.3 group:

SSL handshake has read 7 bytes and written 286 bytes

Verification: OK

New, (NONE), Cipher is (NONE)

This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

[root@zabbix-server conf.d]#

How can this be fixed? Does anyone know? Thanks, thank you.

Hello.

What kind of server is behind 10.100.190.57:443? Apache? Nginx?

Based on the logs, it appears the TLS negotiation is failing, and the server seems to only accept older TLS versions or cipher suites.

If you could share the TLS settings on the server side, within what you know, it would help narrow down the cause a bit more.

Thank you.


10.100.190.57 is a storage server.

I have now deployed a Zabbix monitoring server on AlmaLinux 10 to monitor this HP storage server.

Before this I was using AlmaLinux 9 and it worked fine. After I upgraded to AlmaLinux 10, the HP storage server's TLS version is too old; it does not support the newer TLS protocol on AlmaLinux 10. So I don't know what I should change on this AlmaLinux 10 Zabbix monitoring server so that it can support the older TLS protocol on the HP storage server.

I cannot change the TLS version of the HP storage server at 10.100.190.57.

Thank you for your answer, thanks.

Hello,

On AlmaLinux 10 (RHEL compatible), you can try relaxing the system-wide crypto policy so that older TLS/ciphers are allowed:

sudo update-crypto-policies --set LEGACY
sudo reboot

This may allow Zabbix/OpenSSL to connect to the HP storage again, since it only supports old TLS.
Please note that LEGACY weakens security for the whole system, so it’s safer to use this only on a dedicated monitoring node.

Thanks


I tested the HP server at 10.100.190.57 from another AlmaLinux 9 machine and got the result below.

[root@librenms ~]# openssl s_client -connect 10.100.190.57:443

Connecting to 10.100.190.57
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57
verify return:1

Certificate chain

0 s:C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57
i:C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Feb 18 14:18:55 2023 GMT; NotAfter: Feb 15 14:18:55 2033 GMT

Server certificate

subject=C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57
issuer=C=US, ST=CO, O=HP, OU=MSA-Storage, CN=10.100.190.57

No client certificate CA names sent

SSL handshake has read 1118 bytes and written 627 bytes

Verification error: self-signed certificate

New, TLSv1.2, Cipher is AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: A2590E1D949B84CC5BD7C17D7E26BE9D1313D42BE4FD758AC6FCC85E544D3472
Session-ID-ctx:
Master-Key: F9AAF851CE3806174EC0215859028869402766980E6171DE423DBDD1AA1979AF1FEBDD8340A8C1400B7721DECF0E1C72
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1763427574
Timeout   : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no

HTTP/1.1 200 OK
Content-Type: text/html; charset="utf-8"
Content-Length: 166
X-Frame-Options: SAMEORIGIN

1153 Internal Server Error

Internal Server Error

40C7D3FE617F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:696:
[root@librenms ~]#

thank you

On AlmaLinux 10, could you try forcing TLS 1.2 like this:

openssl s_client -connect 10.100.190.57:443 -tls1_2

and share the output? It will help us see if the problem is related to TLS 1.3 or the crypto policy on AlmaLinux 10.

I tried it, but the problem still exists.

[root@zabbix-server ~]# openssl s_client -connect 10.100.190.57:443 -tls1_2

Connecting to 10.100.190.57
CONNECTED(00000003)
C0A230E64A7F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:909:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 172 bytes

Verification: OK

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1763429507
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

[root@zabbix-server ~]#

thank you.

Hi,

If the same OpenSSL s_client works on AlmaLinux 9 but fails on AlmaLinux 10, it may be due to the stricter system-wide crypto policy in AlmaLinux 10.

You can test this by temporarily allowing legacy ciphers:

sudo update-crypto-policies --set LEGACY
sudo reboot

I cannot test this environment myself, so please try this at your own risk.

Thanks.
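As an added example (not code from any poster in this thread), the script below automates the per-suite checks suggested earlier: each attempt forces TLS 1.2 and one cipher suite, and the s_client output is classified the same way the transcripts above are read, so you can see which suites the HP appliance still accepts before deciding how far to relax the policy. The host:port argument, the suite list and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): probe which TLS 1.2 cipher suites
# the appliance at a given host:port still accepts from this AlmaLinux 10 host,
# so a narrow policy change can be chosen instead of LEGACY for the whole system.
# Assumes OpenSSL 3.x s_client output in the format shown in the thread; results
# reflect the local crypto policy as well as the server (a suite the local
# policy forbids also shows up as a failure).

# Classify one s_client transcript passed as a string:
#   "HANDSHAKE_FAILURE"  the alert 40 seen in the thread (no common suite)
#   "OK <cipher>"        a session was negotiated with that suite
#   "UNKNOWN"            anything else (timeout, refused connection, ...)
classify_sclient() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'SSL alert number 40'; then
        echo "HANDSHAKE_FAILURE"
        return 0
    fi
    cipher=$(printf '%s\n' "$out" \
        | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "UNKNOWN" ;;
        *)           echo "OK $cipher" ;;
    esac
}

# Run one handshake attempt against host:port, forcing TLS 1.2 and one suite.
probe_one() {
    target="$1"
    suite="$2"
    out=$(openssl s_client -connect "$target" -tls1_2 -cipher "$suite" \
          </dev/null 2>&1)
    classify_sclient "$out"
}

# Try a short list of TLS 1.2 suites. The first is the RSA-key-exchange suite
# the AlmaLinux 9 client negotiated in the thread; the ECDHE suites would be
# preferable if the appliance accepts them.
probe_legacy_suites() {
    target="$1"
    for s in AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA \
             ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256; do
        printf '%-30s %s\n' "$s" "$(probe_one "$target" "$s")"
    done
}

# Usage (the address is the one from the thread):
#   probe_legacy_suites 10.100.190.57:443
```

Once the accepted suites are known, a custom subpolicy module (a file under /etc/crypto-policies/policies/modules/, applied with `update-crypto-policies --set DEFAULT:<module>`) can enable only those, which is narrower than switching the whole host to LEGACY.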