<div dir="ltr">Thanks Matt for your reply earlier, following your advice I've edited the following line in my openssl.cnf file:<div><br></div><div>CipherString = DEFAULT@SECLEVEL=1</div><div><br></div><div>and it now works in s_client and curl:</div><div><br></div><div>niks@DESKTOP-O2VP5O2:/etc/ssl$ curl <a href="https://thankqcrm.accessacloud.com/" target="_blank">https://thankqcrm.accessacloud.com/</a><snip>/?X-apikey=<snip><br>{"Status":"OK","PageIndex":1,"PageSize":15,"PageCount":1,"Columns":[{"Name":"destinationCode","DataType":"Text","MaxLength":20},{"Name":"webDescriptionOverride","DataType":"Text","MaxLength":-1}],"Rows":[{"destinationCode":"BOARDING","webDescriptionOverride":"Boarding"},{"destinationCode":"BURSARYAS","webDescriptionOverride":"Bursaries"},{"destinationCode":"GIVING DAY 2020","webDescriptionOverride":"GIVING DAY 2020"},{"destinationCode":"OTHER","webDescriptionOverride":"Other"},{"destinationCode":"PARTNER","webDescriptionOverride":"Partnerships"},{"destinationCode":"UNRESTRAS","webDescriptionOverride":"Unrestricted"}],"RecordCount":6,"RecordStartIndex":1}</div><div><br></div><div>Thanks so much for the help resolving the issue.</div><div><br></div><div>As for going back to the software vendor, I absolutely want to but don't hold out too much hope they will change anything. </div><div>I'm basically going to say this:</div><div><br></div><div>The certificate chain contains two redundant root certificates, these should be removed as there is no need to send root certificates and because they are signed with SHA1 stricter servers like Debian are dropping the connection.</div><div><br></div><div>Does that sound about right?</div><div><br></div><div>As for the conversation with Viktor, it's all over my head! Can I just ignore and get back to work? Thanks again</div><div><br></div><div>Niki </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 11 Mar 2020 at 15:33, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote:<br>
<br>
> I think the server could be OpenSSL, because why I made sure that<br>
<br>
s/why/while/.<br>
<br>
> self-signed CA signatures are not subjected to security levels in<br>
> x509_vfy.c, the same exclusion does not appear to be present in:<br>
> <br>
> int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)<br>
> [...]<br>
<br>
-- <br>
Viktor.<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:12.8px">Niki Dinsey</span><br></div><div><div>IS Manager</div><div>07974 214718</div></div><div>01235 849061 (x261)</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br>
<span style="color:rgb(34,34,34)"><font size="3">Save the date: Abingdon's first 24hr <b>Giving Day - 18 March 2020</b>.</font></span><div><font size="3"><span style="color:rgb(34,34,34)">Help support our ambition</span><span style="color:rgb(34,34,34)"> </span><span style="color:rgb(34,34,34)">to double the number of bursar</span><span style="color:rgb(34,34,34)">ie</span><span style="color:rgb(34,34,34)">s across the Foundation.</span></font><div style="font-size:1.3em;color:rgb(34,34,34)"><br></div><div style="font-size:1.3em;color:rgb(34,34,34)"><a href="http://www.150givingday.abingdon.org.uk" target="_blank"><img src="https://encrypted-tbn0.gstatic.com/images?q=tbn%3AANd9GcTakPiztMQDZGK-aGflYGt-d_XJtEHBjZKXx0sr0TBfaCVGhx8G"></a></div></div>
<br>
<div><br></div><div>Abingdon School: A company limited by guarantee Registered in England and Wales. Company No. 3625063 </div><div> </div><div>Registered Office: </div><div>Abingdon School </div><div>Park Road</div><div>Abingdon </div><div>OX14 1DE </div><div>Registered Charity No. 1071298</div><div> </div><div>All information in this message and attachments is confidential and may be legally privileged. Only intended recipients are authorised to use it. E-mail transmissions are not guaranteed to be secure or error free and the sender does not accept liability for such errors or omissions. The company will not accept any liability in respect of such communication that violates our ICT policies.</div>