KB Article #182365
SSL handshake fails with the error "unsafe legacy renegotiation disabled"
Problem
An SSL handshake fails with an error similar to the following:
ERROR 01/01/22, 00:00:00.000 [SSL alert write 0x228, 0x3]: handshake failure [fatal]. ERROR 01/01/22, 00:00:00.000 [SSL_connect, 0x3]: error - error. ERROR 01/01/22, 00:00:00.000 transient failure connecting to remote: SSL protocol error error:0A000152:SSL routines::unsafe legacy renegotiation disabled, source location: ssl/statem/extensions.c:880
Resolution
Starting in 7.7 May22, we moved to using OpenSSL 3. OpenSSL 3 contains a change to the default settings which requires support for secure renegotiation in a bid to improve security, as explained in the OpenSSL 3 migration guide:
- Secure renegotiation is now required by default for TLS connections Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed. Applications that require the ability to connect to legacy peers will need to explicitly set SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
This "unsafe legacy renegotiation disabled" error happens when connecting to outdated endpoints that do not support RFC 5746 secure renegotiation. Ideally, the endpoints causing these errors should be upgraded for security reasons. That said, we understand that external systems cannot always be controlled. There is a way to still connect to these insecure legacy systems, but it comes with the cost of enabling insecure legacy renegotiation for all endpoints.
If you are okay with that loss of security, you can make the following changes to /apigateway/conf/openssl.cnf to enable insecure renegotiation globally. You will have to restart the gateway after changing this file:
[openssl_init] # Comment out the following line # providers = provider_sect #add the following line ssl_conf = ssl_sect #add the following section [ssl_sect] system_default = system_default_sect #add the following section [system_default_sect] Options = UnsafeLegacyRenegotiation
Update: As of the November 2022 release a checkbox has been added to the Advanced (SSL) tab of Remote Hosts that allows you to enable legacy renegotiation more selectively. It is recommended that you use the checkbox in those releases instead of editing your config globally.