Error: write EPROTO 0006601201000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:880

Matt Caswell matt at openssl.org
Mon Feb 21 08:50:16 UTC 2022



On 18/02/2022 19:53, Brian Pilati wrote:
> I am receiving this error
> 
> Error: write EPROTO 0006601201000000:error:0A000152:SSL 
> routines:final_renegotiate:unsafe legacy renegotiation 
> disabled:ssl/statem/extensions.c:880
> 
> after upgrading to macOS Monterey v12.2.1
> 
> I am running Nodejs v16.13.2
> 
> Can someone please give me detailed instructions on how to allow unsafe 
> legacy renegotiation?


This error means that you are running as a client attempting to connect 
to a server that has not been patched against CVE-2009-3555. Connection 
attempts to servers that do not support secure renegotiation (the 
mitigation against that CVE) are now aborted by default in OpenSSL 3.0.

If the server has not been patched against a CVE issued 13 years ago 
then it is unlikely to be patched against many other CVEs and you should 
strongly question whether you really want to connect to such a server.

You can read more about this in the "SECURE RENEGOTIATION" section of 
this page:

https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html

If you *really* want to still connect to the server then you can do this 
by setting the SSL_OP_LEGACY_SERVER_CONNECT option. I am not a Nodejs 
person, so I don't know how/if this option is exposed in Nodejs.

Matt


> 
> I have attempted " process.env.NODE_OPTIONS = '--tls-min-v1.0';" in my 
> node script.
> 
> Thanks,
> Brian
> 
> ****************************
> --Brian Pilati
> http://www.linkedin.com/in/brianpilati
> 
> /The information contained in this communication is confidential. This 
> communication is intended only for the use of the addressee. If you are 
> not the intended recipient, please notify me promptly and delete the 
> message. Any distribution or copying of this message without my prior 
> consent is prohibited./


More information about the openssl-users mailing list