I'm trying to build OpenCog from here and when I issue this command
octool -rdcpav -l default
It builds everything but it then gets to the step of installing Link-Grammar and this happens
[octool] Installing Link-Grammar....
--2020-06-13 10:09:36-- http://www.abisource.com/downloads/link-grammar/current/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.abisource.com/downloads/link-grammar/current/ [following]
--2020-06-13 10:09:37-- https://www.abisource.com/downloads/link-grammar/current/
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.
I'm on ubuntu 20.04 LTS
www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!
This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted anser there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!
UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).
However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:
somewhere in the default section, i.e. before the first line beginning with [, add a line
openssl_conf = openssl_configuration
I like putting it at the very top, but that's just me.
technically at any section boundary, but much-easiest at the end, add three new sections:
[openssl_configuration]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
CipherString = DEFAULT:@SECLEVEL=1
Note that since MinProtocol wasn't already there you don't need to add it (the code default is okay) but you can if you want.
Now it works:
$ wget https://www.abisource.com/
--2020-06-20 05:11:11-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 7.51K --.-KB/s in 0.002s
2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]
This is, as you commented, a global change. You can change it for this specific operation by editting your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:
$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 7.51K --.-KB/s in 0s
2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]