OpenSSL issue: "unsafe legacy renegotiation disabled"

Expected Behavior

Authenticate to API endpoint.

Timeline

* Preparing request to https://company-sandbox.keylightgrc.com:4443/SecurityService/Login
* Current time is 2022-03-04T04:08:35.352Z
* Using libcurl/7.73.0-DEV OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.9 WinIDN libssh2/1.9.0_DEV nghttp2/1.41.0
* Using default HTTP version
* Disable timeout
* Disable automatic URL encoding
* Disable SSL validation
* Disable cookie sending due to user setting
*   Trying 131.226.194.22:4443...
* Connected to company-sandbox.keylightgrc.com (131.226.194.22) port 4443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:\Users\userid\AppData\Local\Temp\insomnia_2021.7.2\ca-certs.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.keylightgrc.com
*  start date: May 31 13:52:12 2021 GMT
*  expire date: Jul  2 13:52:12 2022 GMT
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.

Actual Behavior

Timeline

* Preparing request to https://company-sandbox.keylightgrc.com:4443/SecurityService/Login
* Current time is 2022-03-04T04:18:18.407Z
* Using libcurl/7.79.1-DEV OpenSSL/3.0.0 zlib/1.2.11 brotli/1.0.9 WinIDN libssh2/1.9.0_DEV nghttp2/1.45.1
* Using default HTTP version
* Disable timeout
* Disable automatic URL encoding
* Disable SSL validation
* Disable cookie sending due to user setting
*   Trying 131.226.194.22:4443...
* Connected to company-sandbox.keylightgrc.com (131.226.194.22) port 4443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: C:\Users\userid\AppData\Local\Temp\1\insomnia_2022.1.0\ca-certs.pem
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0

Reproduction Steps

No response

Is there an existing issue for this?

Additional Information

After upgrading to version 2022.1.0, Insomnia fails to connect. If I roll back to Insomnia version 2021.7.2, it works. The problem is most likely in OpenSSL, which was updated to OpenSSL/3.0.0 in the 2022.1.0 build. None of the preference settings in the client override the new default OpenSSL behavior.

Insomnia Version

2022.1.0

What operating system are you using?

Windows

Operating System Version

Windows 10 Enterprise 19043.1526

Installation method

The original install is in the appdata directory, the upgrade to version 2022.1.0 was automatic

Last Known Working Insomnia version

2021.7.2

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 17 (6 by maintainers)

Top GitHub Comments

egarson commented, May 14, 2022 (27 reactions)

Hello. For those of you on Linux, there is a system-level workaround for this problem. Edit /usr/lib/ssl/openssl.cnf and find the line, “providers = providers_sect”. Edit/add the following:


  [openssl_init]
  # providers = provider_sect  # commented out
  
  # added
  ssl_conf = ssl_sect
  
  # added
  [ssl_sect]
  system_default = system_default_sect
  
  # added
  [system_default_sect]
  Options = UnsafeLegacyRenegotiation
  
  # List of providers to load
  [provider_sect]
  default = default_sect

Note that UnsafeLegacyRenegotiation is a workaround, and should not be deployed to a production environment. The solution to the problem is for the “offending” server to implement RFC 5746.

ghost commented, Mar 21, 2022 (3 reactions)

Resolved by reverting to 2021.7.2
