Score:0

Run nagstamon with legacy TLSv1 ubuntu 22.04 openssl3


I'm trying to connect Nagstamon 3.8 to an old Nagios 3.2.2 server.
When I try to connect I get the error

'[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:997)'

Two years ago I had the same problem, but then I found a solution: Ubuntu 20.04 - how to set lower SSL security level?

The official release notes say: "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, except when RSA key exchange without SHA1 is used"

Now editing /etc/ssl/openssl.cnf has no effect. My openssl.cnf looks like this:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = ALL:@SECLEVEL=0   

The output of openssl ciphers -s -v -tls1 looks the same on my Ubuntu 20.04 and 22.04 systems, but on 20.04 everything works fine, unlike on 22.04.

How can I enable TLSv1 support for Nagstamon or any other application on Ubuntu 22.04?

pzkpfw
Lowering the security settings on your client is never the way to go. Nagstamon connects to Nagios over HTTP, and since Nagios does not have its own webserver, most likely this means Apache or something else is serving HTTPS. You should re-configure Apache on the Nagios system to support a more secure configuration.
Score:0

Same issue here. The thing is, the TLSv1 standard for encryption was found insecure, so OpenSSL had to eliminate it from the software. I'm afraid TLSv1 is gone for good.

So after three hours of trying to reconfigure OpenSSL 3.0.2 on Ubuntu 22.04, I took a deep breath and thought "you must think outside the box", so I came up with an alternative solution.

MySoftware in TLSWhatEverVersion > HTTPSApache2Proxy > WebservicesServerInTLSv1

So the idea is to use Apache2 to translate from TLSv1 to whatever you need and backwards.

The solution is to use "Apache2" as a reverse proxy to translate from TLSv1 to whatever I ask of it through HTTPS, and it works great. It took me about 1 hour to configure "Apache2", trying different configurations and activating the different modules needed to do the task.

First you have to install "Apache2":

  • sudo apt install apache2

Second you have to test it:

  • http://<WhatEverIp> in your web browser.

Third, enable SSL module in "Apache2":

  • a2enmod ssl

Fourth, enable Proxy module on "Apache2":

  • a2enmod proxy

And at last you have to add the virtual host to your sites-enabled config file (/etc/apache2/sites-enabled/000-default.conf):

  • Add at the end of the file:

<VirtualHost *:port>
        # Forward every request to the TLSv1-only origin server
        ProxyPass / https://<TLSv1 IP of origin>:<port>/
        ProxyPassReverse / https://<TLSv1 IP of origin>:<port>/

        # Backend leg (proxy -> origin): TLS enabled, certificate checks disabled
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        # Client-facing leg: TLSv1.2 and newer only, self-signed certificate
        SSLEngine on
        SSLCipherSuite AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /etc/apache2/certs/<selfSignedCertName>.crt
        SSLCertificateKeyFile /etc/apache2/certs/<selfSignedCertName>.key
</VirtualHost>

Additional: to generate self-signed certificates:

 mkdir /etc/apache2/certs
 cd /etc/apache2/certs
 # 2048-bit RSA key (keys under 2048 bits are rejected at OpenSSL security level 2)
 openssl genrsa -out mysite.com.key 2048
 openssl req -new -key mysite.com.key -out mysite.com.csr
 openssl x509 -req -days 100000 -in mysite.com.csr -signkey mysite.com.key -out mysite.com.crt

If you have any questions, please ask them, because my distorted brain sometimes works in mysterious ways.

Kind regards from Chile.

Links for recreating the solution:
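
Added example, not part of the original answer: a small Python audit of the two TLS legs in the virtual host above. It resolves which protocols the `SSLProtocol` line leaves enabled for clients and lists the backend certificate checks that the `SSLProxy*` lines switch off. The sample port and IP address are constructed, and the expansion of `All` is a simplified assumption about mod_ssl.

```python
# Constructed sample input: the directives of the vhost above, with a made-up
# port and a documentation-range address standing in for the placeholders.
SAMPLE_VHOST = """\
<VirtualHost *:8443>
    ProxyPass / https://192.0.2.10:443/
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

# Assumption: simplified model of what mod_ssl's "All" keyword expands to.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in ALL_PROTOCOLS}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# Backend-leg checks and the value that switches each one off.
BACKEND_OFF = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
               "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def directives(conf):
    """Yield (lowercased name, args) per directive; skip tags, comments, blanks."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def enabled_protocols(tokens):
    """Resolve SSLProtocol arguments: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL_PROTOCOLS) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = (enabled - group) if sign == "-" else (enabled | group) if sign == "+" else group
    return enabled & set(ALL_PROTOCOLS)

def audit(conf):
    """Return sorted findings for the client-facing and backend-facing TLS legs."""
    findings = []
    for name, args in directives(conf):
        if name == "sslprotocol":
            findings += [f"front end accepts legacy {p}" for p in enabled_protocols(args) & LEGACY]
        elif args and BACKEND_OFF.get(name) == args[0].lower():
            findings.append(f"backend check disabled: {name} {args[0].lower()}")
    return sorted(findings)
```

Calling `audit(SAMPLE_VHOST)` reports no legacy protocol on the client-facing side and four disabled checks on the backend side, which is where the unauthenticated TLSv1 hop remains.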
