Error: write EPROTO 0006601201000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:880

Matt Caswell matt at openssl.org
Tue Feb 22 10:36:44 UTC 2022


On 21/02/2022 18:24, Brian Pilati wrote:
> Thanks Matt for your response.
> 
> I do understand the issues with the connection. Unfortunately, I still 
> need to connect to the server.
> 
> Where would you set the SSL_OP_LEGACY_SERVER_CONNECT outside of nodejs? 
> Is it in a config file? Can you run something from the command-line?

You can either do this programmatically from the application using 
OpenSSL, or via the OpenSSL config file.

Programmatically you would use either the SSL_CTX_set_options() or 
SSL_set_options() functions described here:

https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html

It is also possible to do this via the OpenSSL config file. A simple 
config file that might achieve this could look something like this:


config_diagnostics = 1

openssl_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
Options = UnsafeLegacyServerConnect


You can read more about the OpenSSL config file in general and its 
format here:

https://www.openssl.org/docs/man3.0/man5/config.html

There is more information on SSL/TLS specific configuration options in 
the "SUPPORTED CONFIGURATION FILE COMMANDS" section on this page:

https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html

(Note. I just noticed an error on that last page which claims that 
SSL_OP_LEGACY_SERVER_CONNECT is set by default - this is no longer the 
case in 3.0).

Matt

> 
> Brian
> 
> Brian
> 
> 
> On Mon, Feb 21, 2022 at 1:50 AM Matt Caswell <matt at openssl.org> wrote:
> 
> 
> 
>     On 18/02/2022 19:53, Brian Pilati wrote:
>      > I am receiving this error
>      >
>      > Error: write EPROTO 0006601201000000:error:0A000152:SSL
>      > routines:final_renegotiate:unsafe legacy renegotiation
>      > disabled:ssl/statem/extensions.c:880
>      >
>      > after upgrading to macOS Monterey v12.2.1
>      >
>      > I am running Nodejs v16.13.2
>      >
>      > Can someone please give me detailed instructions on how to allow
>     unsafe
>      > legacy renegotiation?
> 
> 
>     This error means that you are running as a client attempting to connect
>     to a server that has not been patched against CVE-2009-3555. Connection
>     attempts to servers that do not support secure renegotiation (the
>     mitigation against that CVE) are now aborted by default in OpenSSL 3.0.
> 
>     If the server has not been patched against a CVE issued 13 years ago
>     then it is unlikely to be patched against many other CVEs and you
>     should
>     strongly question whether you really want to connect to such a server.
> 
>     You can read more about this in the "SECURE RENEGOTIATION" section of
>     this page:
> 
>     https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
> 
>     If you *really* want to still connect to the server then you can do
>     this
>     by setting the SSL_OP_LEGACY_SERVER_CONNECT option. I am not a Nodejs
>     person, so I don't know how/if this option is exposed in Nodejs.
> 
>     Matt
> 
> 
>      >
>      > I have attempted " process.env.NODE_OPTIONS = '--tls-min-v1.0';"
>     in my
>      > node script.
>      >
>      > Thanks,
>      > Brian
>      >
>      > ****************************
>      > --Brian Pilati
>      > http://www.linkedin.com/in/brianpilati
>      >
>      > /The information contained in this communication is confidential.
>     This
>      > communication is intended only for the use of the addressee. If
>     you are
>      > not the intended recipient, please notify me promptly and delete the
>      > message. Any distribution or copying of this message without my
>     prior
>      > consent is prohibited./
> 
> 
> 
> -- 
> 
> ****************************
> --Brian Pilati
> http://www.linkedin.com/in/brianpilati
> 
> /The information contained in this communication is confidential. This 
> communication is intended only for the use of the addressee. If you are 
> not the intended recipient, please notify me promptly and delete the 
> message. Any distribution or copying of this message without my prior 
> consent is prohibited./

