Ddclient for macOS TLS 1.2 error

#1

Hi,

I have been trying to use ddclient on my Mac Mini to auto-update my DNS settings, however I am having some issues with TLS support, whenever I try to force an update with debug mode on, I get the following error:

RECEIVE:  {"success":false,"errors":[{"yourTlsVersion":"TLSv1", "message":"Cloudflare does not support deprecated TLS versions for security reasons. Please upgrade your client to TLS 1.2 or greater. See https://blog.cloudflare.com/deprecating-old-tls-versions-on-cloudflare-dashboard-and-api/ for more details."}]}

I have been running ddclient on another Mac with no issues, so the code should not need updating, the only difference I can see is that one Mac is running Sierra and the other Mojave, unfortunately I am unable to update the Mac Mini beyond Sierra, however I cannot see this being a problem.

Does anyone else have experience with this issue who would be able to help me out here?

Thanks.

0 Likes

#2

I’m no perl expert, but it looks like it simply creates an SSL (TLS) connection, and doesn’t specify which version to use. I’m guessing it uses whatever Perl was built with.

Can you try running with --verbose, and getting the output of perl -V?

0 Likes

#3

I had actually dug into the code a little myself and found the same thing, I have no experience with perl myself, that’s why I opted to ask here and see if anyone had already attempted to fix it.

perl -V gives this:

Summary of my perl5 (revision 5 version 18 subversion 2) configuration:
   
  Platform:
    osname=darwin, osvers=16.0, archname=darwin-thread-multi-2level
    uname='darwin osx232.apple.com 16.0 darwin kernel version 15.0.0: wed jun 22 17:57:08 pdt 2016; root:xnu-3247.1.106.2.9~1development_x86_64 x86_64 '
    config_args='-ds -e -Dprefix=/usr -Dccflags=-g  -pipe  -Dldflags= -Dman3ext=3pm -Duseithreads -Duseshrplib -Dinc_version_list=none -Dcc=cc'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-arch x86_64 -arch i386 -g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector',
    optimize='-Os',
    cppflags='-g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing -fstack-protector'
    ccversion='', gccversion='4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc -mmacosx-version-min=10.12.6', ldflags ='-arch x86_64 -arch i386 -fstack-protector'
    libpth=/usr/lib /usr/local/lib
    libs= 
    perllibs=
    libc=, so=dylib, useshrplib=true, libperl=libperl.dylib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-arch x86_64 -arch i386 -bundle -undefined dynamic_lookup -fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV PERL_SAWAMPERSAND USE_64_BIT_ALL
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API
  Locally applied patches:
	/Library/Perl/Updates/<version> comes before system perl directories
	installprivlib and installarchlib points to the Updates directory
  Built under darwin
  Compiled at Oct 11 2017 18:31:40
  @INC:
    /Library/Perl/5.18/darwin-thread-multi-2level
    /Library/Perl/5.18
    /Network/Library/Perl/5.18/darwin-thread-multi-2level
    /Network/Library/Perl/5.18
    /Library/Perl/Updates/5.18.2
    /System/Library/Perl/5.18/darwin-thread-multi-2level
    /System/Library/Perl/5.18
    /System/Library/Perl/Extras/5.18/darwin-thread-multi-2level
    /System/Library/Perl/Extras/5.18
    .

And looking at the ddclient launch script this is what it calls this:

#!/bin/bash
PERL5LIB="/usr/local/Cellar/ddclient/3.9.0/libexec/lib/perl5" exec "/usr/local/Cellar/ddclient/3.9.0/libexec/sbin/ddclient" "[email protected]"

Which I guess is adding a few more libraries.

As for the verbose output:

INFO:     setting IP address to 1.2.3.4 for yy.xx.com
UPDATE:   updating yy.xx.com
CONNECT:  api.cloudflare.com
CONNECTED:  using SSL
SENDING:  GET /client/v4/zones?name=xx.com HTTP/1.0
SENDING:   Host: api.cloudflare.com
SENDING:   User-Agent: ddclient/3.9.0
SENDING:   Connection: close
SENDING:   X-Auth-Email: xx
SENDING:   X-Auth-Key: xx
SENDING:   Content-Type: application/json
SENDING:   
RECEIVE:  HTTP/1.1 426 Upgrade Required
RECEIVE:  Date: Sat, 27 Oct 2018 17:24:28 GMT
RECEIVE:  Content-Type: application/json
RECEIVE:  Content-Length: 304
RECEIVE:  Connection: close
RECEIVE:  Set-Cookie: __cfduid=notsureifthiswassensitivedata; expires=Sun, 27-Oct-19 17:24:28 GMT; path=/; domain=.cloudflare.com; HttpOnly
RECEIVE:  X-Upgrade: TLS/1.2
RECEIVE:  Strict-Transport-Security: max-age=15780000; includeSubDomains
RECEIVE:  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
RECEIVE:  Server: cloudflare
RECEIVE:  CF-RAY: aabbccdd
RECEIVE:  
RECEIVE:  {"success":false,"errors":[{"yourTlsVersion":"TLSv1", "message":"Cloudflare does not support deprecated TLS versions for security reasons. Please upgrade your client to TLS 1.2 or greater. See https://blog.cloudflare.com/deprecating-old-tls-versions-on-cloudflare-dashboard-and-api/ for more details."}]}

I did look into forcing the Perl IO::Socket::SSL to run in TLS 1.2 mode but was a little confused, the info is here under, SSL_version:

https://metacpan.org/pod/IO::Socket::SSL

1 Like

#4

So for a quick update:

I tried to force TSL 1.2 but it threw an error, it looks like openssl on Sierra doesn’t support TLS 1.2 which is why ddclient wasn’t using it by default

It looks like will need to try make some upgrades to openssl on the Mac Mini and see where I end up

0 Likes

#5

On El Capitan, I managed to make it work after installing/upgrading a couple of perl modules:
sudo cpan install Net::SSLeay
sudo cpan install IO::Socket::SSL

0 Likes