500 CURL ERROR(35) SSL connect error when mirroring SUSE SMT server

  • 7025075
  • 12-Apr-2021
  • 13-Apr-2021

Environment

SUSE SMT server on SLES 11 SP3

Situation

When trying to mirror repositories on a SUSE SLES 11 SP3 or SP4 server, an error is displayed:
500 CURL ERROR(35) SSL connect error

Resolution

There are two options:

1. Upgrade SUSE SLES to version 12

2. Deploy the MFSMT (Micro Focus SMT) server that runs in OES2018 SP2. This is the recommended solution from Micro Focus.

Cause

Micro Focus certificates have been renewed and security has been tightened. Micro Focus servers now allow only connections using TLSv1.2 and above.

SMT 11 is based on SLES 11 SP3 or SP4, which uses openssl 0.9.8. That version doesn't support TLS 1.1 correctly, hence the error.
MF-SMT is based on SLES 12, which uses openssl 1.0.0 and hence has support for TLS 1.2 and newer.

Additional Information

The smt-mirror log shows:
2021-04-09 10:48:55 SMT::Mirror::Job - [error]  E 'https://nu.novell.com/repo/$RCE/Filr-4-Updates/sle-12-x86_64/repodata/repomd.xml': 500 CURL ERROR(35) SSL connect error
curl -v --trace - 'https://nu.novell.com/repo/$RCE/Filr-4-Updates/sle-12-x86_64/repodata/repomd.xml' shows:
== Info: successfully set certificate verify locations:
== Info:   CAfile: none
CApath: /etc/ssl/certs/
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 135 bytes (0x87)
0000: 01 00 00 83 03 01 60 70 1f 5d d6 f9 ce 04 e3 c4 ......`p.]......
0010: ea 49 76 27 b1 36 09 40 bb 07 f0 ff 08 30 ac 8f .Iv'.6.@.....0..
0020: f6 36 b7 d1 1c 03 00 00 44 c0 14 c0 13 c0 12 c0 .6......D.......
0030: 11 c0 0f c0 0e c0 0d c0 0c c0 0a c0 09 c0 08 c0 ................
0040: 07 c0 05 c0 04 c0 03 c0 02 00 88 00 87 00 84 00 ................
0050: 45 00 44 00 41 00 39 00 38 00 35 00 33 00 32 00 E.D.A.9.8.5.3.2.
0060: 2f 00 16 00 13 00 0a 00 05 00 04 00 ff 01 00 00 /...............
0070: 16 00 00 00 12 00 10 00 00 0d 6e 75 2e 6e 6f 76 ..........nu.nov
0080: 65 6c 6c 2e 63 6f 6d                            ell.com
== Info: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
== Info: Closing connection #0
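
The Client hello bytes in the trace above can be decoded to see which protocol version the SLES 11 client offers and why the server answers with a protocol version alert. This is an added example, not part of the original article; the function names are made up for illustration, and the TLSv1.2 threshold is taken from the Cause section.

```python
# Handshake bytes copied from the "Send SSL data, 135 bytes" dump in the trace above.
CLIENT_HELLO = bytes.fromhex("".join("""
01 00 00 83 03 01 60 70 1f 5d d6 f9 ce 04 e3 c4
ea 49 76 27 b1 36 09 40 bb 07 f0 ff 08 30 ac 8f
f6 36 b7 d1 1c 03 00 00 44 c0 14 c0 13 c0 12 c0
11 c0 0f c0 0e c0 0d c0 0c c0 0a c0 09 c0 08 c0
07 c0 05 c0 04 c0 03 c0 02 00 88 00 87 00 84 00
45 00 44 00 41 00 39 00 38 00 35 00 33 00 32 00
2f 00 16 00 13 00 0a 00 05 00 04 00 ff 01 00 00
16 00 00 00 12 00 10 00 00 0d 6e 75 2e 6e 6f 76
65 6c 6c 2e 63 6f 6d
""".split()))

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def u16(data, pos):
    return int.from_bytes(data[pos:pos + 2], "big")

def parse_client_hello(data):
    """Decode a TLS ClientHello handshake message (no record header)."""
    if len(data) < 4 or data[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    if int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("length field does not match message size")
    version = u16(data, 4)                # highest version the client offers
    pos = 4 + 2 + 32                      # past header, version, 32-byte random
    pos += 1 + data[pos]                  # skip session_id
    cs_len = u16(data, pos)
    suites = [u16(data, i) for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + data[pos]                  # skip compression methods
    sni = None
    end = pos + 2 + u16(data, pos) if pos < len(data) else pos
    pos += 2
    while pos + 4 <= end:                 # walk the extensions
        ext_type, ext_len = u16(data, pos), u16(data, pos + 2)
        if ext_type == 0:                 # server_name: list_len(2) type(1) len(2) name
            name_len = u16(data, pos + 7)
            sni = data[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return {"offered": VERSIONS.get(version, hex(version)), "suites": suites,
            "sni": sni, "meets_tls12_minimum": version >= 0x0303}

if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))
```

The decoded hello offers TLSv1.0 as its highest version for nu.novell.com, which is below the TLSv1.2 minimum and matches the "tlsv1 alert protocol version" line in the trace.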