[TLS] SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED

Issue

I want to start a diagnostic session over TLS, but the following SSL error is logged:

ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1006)

What can I do?

Solution

The ECU's TLS stack does not implement the secure renegotiation extension (RFC 5746), which means it is still affected by CVE-2009-3555, the flaw in which a peer does not properly associate renegotiation handshakes with an existing connection. The published CVE description reads:

The TLS protocol and the SSL protocol 3.0 and possibly earlier, as used in

  • Microsoft Internet Information Services (IIS) 7.0

  • mod_ssl in the Apache HTTP Server 2.2.14 and earlier

  • OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier

  • Mozilla Network Security Services (NSS) 3.12.4 and earlier

  • multiple Cisco products and other products

does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Since OpenSSL 3.0, a client refuses by default to complete a handshake with a server that does not announce secure renegotiation. Therefore the OpenSSL library underneath ecu.test (Python's ssl module) aborts the TLS handshake with the error shown above.


If ecu.test has to talk to this ECU anyway, you can force OpenSSL to accept the insecure legacy renegotiation with the following workaround. Be aware that this re-enables exactly the behaviour CVE-2009-3555 exploits, for every TLS connection the process makes, so restrict it to isolated test setups and remove it once the ECU firmware supports RFC 5746.

Note: This is taken directly from Stack Overflow: SSL error unsafe legacy renegotiation disabled

Create a custom openssl.cnf file in any directory with the following content:

    openssl_conf = openssl_init

    [openssl_init]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    Options = UnsafeLegacyRenegotiation

Before starting ecu.test, make sure the OPENSSL_CONF environment variable is set to the full path of your custom openssl.cnf, as in the screenshot below from the original page:

[Screenshot grafik-20250317-083813.png: the OPENSSL_CONF environment variable set to the full path of the custom openssl.cnf]
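As an added example (not ecu.test code and not from the Stack Overflow answer), the following Python script brings the pieces of this page together: recognising the error in a caught exception, probing the ECU to confirm that the missing RFC 5746 extension really is the cause, writing the custom openssl.cnf, and building the environment with OPENSSL_CONF for the ecu.test process. It also shows the per-context equivalent (SSL_OP_LEGACY_SERVER_CONNECT) for your own Python diagnostic scripts, which avoids relaxing OpenSSL for the whole process. The ECU address in the usage comment, the temporary directory and all function names are assumptions.

```python
"""Diagnose and work around UNSAFE_LEGACY_RENEGOTIATION_DISABLED.

Added example; this is not ecu.test code. Standard library only.
Hostnames, ports, paths and function names are illustrative.
"""
import os
import socket
import ssl
import tempfile
from pathlib import Path

# The custom openssl.cnf from the workaround above; OpenSSL applies it to
# every context in the process when OPENSSL_CONF points at this file.
OPENSSL_CNF_WORKAROUND = """\
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
"""

# SSL_OP_LEGACY_SERVER_CONNECT (0x4): lets a client talk to a server that
# does not send the RFC 5746 extension. ssl.OP_LEGACY_SERVER_CONNECT exists
# only from Python 3.12 on, so fall back to the raw OpenSSL value.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# The message from the ecu.test log, without the "ssl.SSLError: " prefix.
SAMPLE_MESSAGE = ("[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] "
                  "unsafe legacy renegotiation disabled (_ssl.c:1006)")


def is_legacy_renegotiation_error(exc: BaseException) -> bool:
    """True if exc is OpenSSL refusing a peer without secure renegotiation."""
    if not isinstance(exc, ssl.SSLError):
        return False
    # .reason is filled in by the C layer on real errors; fall back to the
    # text so that errors reconstructed from log output are recognised too.
    return (getattr(exc, "reason", None) == "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"
            or "UNSAFE_LEGACY_RENEGOTIATION_DISABLED" in str(exc))


def make_sample_error() -> ssl.SSLError:
    """Constructed copy of the logged error, for offline testing."""
    return ssl.SSLError(1, SAMPLE_MESSAGE)


def peer_lacks_secure_renegotiation(host: str, port: int, timeout: float = 5.0) -> bool:
    """Probe a TLS server with the strict OpenSSL 3 client behaviour.

    True  -> handshake refused with UNSAFE_LEGACY_RENEGOTIATION_DISABLED,
             i.e. the peer does not support RFC 5746; the workaround applies.
    False -> the strict handshake succeeded; look for another cause.
    Other failures (host unreachable, TLS version mismatch, ...) propagate.
    Certificate checks are off because the probe is only about renegotiation,
    not about the ECU's (often self-signed) certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Clear the legacy bit explicitly: OpenSSL 1.1.1 still sets it by default.
    ctx.options = int(ctx.options) & ~int(OP_LEGACY_SERVER_CONNECT)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False
    except ssl.SSLError as exc:
        if is_legacy_renegotiation_error(exc):
            return True
        raise


def write_workaround_config(directory=None) -> str:
    """Write the custom openssl.cnf and return its absolute path."""
    if directory is None:  # assumption: a fresh temp dir is acceptable
        directory = tempfile.mkdtemp(prefix="ecu-test-tls-")
    path = Path(directory) / "openssl.cnf"
    path.write_text(OPENSSL_CNF_WORKAROUND, encoding="ascii")
    return str(path.resolve())


def env_with_workaround(config_path: str, base_env=None) -> dict:
    """Environment for launching ecu.test with OPENSSL_CONF set.

    Pass the result as env= to subprocess.Popen; scoping the variable to the
    child process keeps other OpenSSL-based tools on the machine strict.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["OPENSSL_CONF"] = config_path
    return env


def legacy_tolerant_context(cafile=None) -> ssl.SSLContext:
    """Per-context alternative for your own diagnostic scripts.

    Sets only SSL_OP_LEGACY_SERVER_CONNECT on this one context instead of
    changing OpenSSL's process-wide defaults; certificate verification stays on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def context_allows_legacy_server(ctx: ssl.SSLContext) -> bool:
    """True if ctx will complete a handshake with a non-RFC 5746 server."""
    return bool(int(ctx.options) & int(OP_LEGACY_SERVER_CONNECT))


if __name__ == "__main__":
    print("recognised:", is_legacy_renegotiation_error(make_sample_error()))
    cnf = write_workaround_config()
    print("OPENSSL_CONF =", env_with_workaround(cnf)["OPENSSL_CONF"])
    # Live probe against an ECU (hypothetical address); uncomment to use:
    # print(peer_lacks_secure_renegotiation("192.0.2.10", 443))
```

An independent check of the same condition is `openssl s_client -connect <ecu-host>:<port>`, which prints "Secure Renegotiation IS NOT supported" for an affected peer. Keep in mind that OPENSSL_CONF replaces the default OpenSSL configuration for every program started with that variable, so set it for the ecu.test process only, and drop it again once the ECU firmware sends the renegotiation_info extension.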

