curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Commands like curl and wget give the following error: curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled. I am using WSL2 Ubuntu and am behind a corporate firewall. I did export my trusted root CA cert to WSL and updated the certificates. However, I am still facing the issue when downloading tools like Jenkins, Terraform, etc. For example, when trying to get Jenkins:

curl -fsSL http://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

I am on a corporate VPN. Without the VPN the commands work fine; however, with the VPN on the corporate network I get these errors. If I do an SSL bypass with the firewall team it works. Not sure if anything else is wrong here.

sudo vim /etc/ssl/openssl.cnf

#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .

 # Use this in order to automatically load providers.
openssl_conf = openssl_init

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# Extra OBJECT IDENTIFIER info:
# oid_file       = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
Pulliam answered 17/3, 2023 at 3:31 Comment(2)
I'm having a similar error when using OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022), and I'm not behind any corporate proxy. A friend is using OpenSSL 1.1.1f 31 Mar 2020 and things work just fine. Could it be an issue with the OpenSSL version?Tejada
I faced the same error message when I tried to run the command curl https://publicinfobanjir.water.gov.my/hujan/data-hujan/?state=PLS&lang=en. I resolved it by replacing https with http, and the issue was resolved. This solution might be helpful for some people.Jarad

This error is caused by the remote server not supporting RFC5746 secure renegotiation (or your corporate firewall not supporting it). In OpenSSL 1.1.1 the flag SSL_OP_LEGACY_SERVER_CONNECT was set, but this is not the case in OpenSSL 3, from the migration guide:

Secure renegotiation is now required by default for TLS connections Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed. Applications that require the ability to connect to legacy peers will need to explicitly set SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.

It is possible to turn this flag on again by setting it in your OpenSSL conf, it is an option called UnsafeLegacyServerConnect:

UnsafeLegacyServerConnect: permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to SSL_OP_LEGACY_SERVER_CONNECT.

Source: https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html

A minimal OpenSSL config with this setting:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect

You could also just add Options = UnsafeLegacyServerConnect to the existing /etc/ssl/openssl.cnf under [system_default_sect].

NB. In OpenSSL < 3.0.4 there was a bug that ignored the UnsafeLegacyServerConnect option. If you are stuck with <= 3.0.3, you could use (the more unsafe) UnsafeLegacyRenegotiation instead.

Also, if adding these settings doesn't work, it may be that the openssl executable comes from a different place; for example, if you are using brew, you may have to change the config file in a separate path.

Goodfellowship answered 14/4, 2023 at 6:25 Comment(6)
Thanks a lot! I encountered this while trying to download from a server probably with some certificate problem (no VPN involved). Running wget with the option "--no-check-certificate" was OK but running curl with options "-k" or "--insecure" didn't work until adding the above block to "/etc/ssl/openssl.cnf". But does this make my system less secure? Isn't it possible to achieve this only for a specific domain?Nippers
And with a recent update to openssl 3.0.10-1 (debian testing), adding this option makes no difference now. Perhaps they decided to prohibit such insecure connections totally?Nippers
Check your openssl version with this command: openssl version :-)Sorensen
Just encountered the problem when updating PHP from 8.1 to 8.2. So thanks to you !Otherwhere
I still see the errno ERR_SSL_UNSAFE_LEGACY_RENEGOTIATION_DISABLED with openssl version OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023) with node v20.11.1 and npm 10.4.0 on Alpine Linux v3.19Nevile
Never mind. it does work also with latest node and npm as I have testedNevile

If you don't want to make permanent changes to your system you can try running the configuration in memory like this:

OPENSSL_CONF=<(cat /etc/ssl/openssl.cnf ; echo Options = UnsafeLegacyRenegotiation) curl https://something.com/

In an expanded form:

OPENSSL_CONF=<(
   cat /etc/ssl/openssl.cnf
   echo Options = UnsafeLegacyRenegotiation
) curl https://something.com/

Let me explain what it does.

This part will temporarily set an environment variable for the following command. Most programs linked with SSL libraries will recognize this variable and use the configuration file indicated:

OPENSSL_CONF="value" command

By the way, I tried with OPENSSL_CONF_INCLUDE variable, but that one didn't work.

But instead of using a real file, I use the bash construct <( ... ), which creates a temporary virtual file whose contents are the output of the inner command:

OPENSSL_CONF=<( ... )

The inner part just prints current openssl.cnf file, followed by the configuration line required:

cat /etc/ssl/openssl.cnf ; echo Options = UnsafeLegacyRenegotiation

So to sum up, we run curl with a configuration that adds the line that we required.

It works for me in WSL's Ubuntu.

Edit: As the comments suggested, to make it work in Debian we have to add more lines. It could go like this:

OPENSSL_CONF=<(
   echo -e 'openssl_conf = openssl_init\n\n[openssl_init]\nssl_conf = ssl_sect\n\n[ssl_sect]'
   echo -e 'system_default = system_default_sect\n\n[system_default_sect]\nOptions = UnsafeLegacyRenegotiation\n'
   cat /etc/ssl/openssl.cnf
)  curl  https://something.com/
Alunite answered 12/8, 2023 at 18:35 Comment(4)
I think this is a better solution to use only when necessary, but unfortunately, after a recent update to openssl 3.0.10-1 (debian testing), this option makes no difference now. It seems they've decided to prohibit such insecure connections totally?Nippers
Confirmed it works with Ubuntu 22.04.Gloze
The conf file needs more than a single line. See this answerMillennial
Not working. After editing /etc/ssl/openssl.cnf with vim I added this at the end, on Ubuntu 22.04:

[openssl_init]
# Comment out the following line
# providers = provider_sect
# add the following line
ssl_conf = ssl_sect
# add the following section
[ssl_sect]
system_default = system_default_sect
# add the following section
[system_default_sect]
Options = UnsafeLegacyRenegotiation
#Options = UnsafeLegacyServerConnect
Signora
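The two answers above fit together: the first explains which Options= value applies to which OpenSSL release, the second shows how to scope the change to a single curl process with OPENSSL_CONF. The wrapper below is an added example that combines both; it is not code from either answer or from the OpenSSL or curl projects. The function names (legacy_curl, write_legacy_conf, legacy_option_for_version, renegotiation_status, openssl_conf_path) are my own. It assumes a POSIX sh with curl, openssl, awk, sed and mktemp on PATH, and a curl that is actually linked against the same OpenSSL (a curl built on Schannel, LibreSSL or a different OpenSSL ignores OPENSSL_CONF entirely). It also answers the "only for a specific domain?" comment above in the narrow sense: the option lives in a temp file that exists only for that one invocation.

```shell
#!/bin/sh
# legacy_curl.sh (added example; names are mine, not from the answers above)
# Re-enable OpenSSL 3's pre-RFC 5746 "legacy server connect" for ONE curl
# process via OPENSSL_CONF, instead of editing /etc/ssl/openssl.cnf globally.
# Assumes a POSIX sh with curl, openssl, awk, sed and mktemp on PATH, and a
# curl that is linked against this same OpenSSL build.

# Map an "openssl version" string ("3.0.2", "1.1.1f", "3.1.4") to the Options=
# value to use:
#   1.x         -> "none": SSL_OP_LEGACY_SERVER_CONNECT is still in SSL_OP_ALL
#   3.0.0-3.0.3 -> UnsafeLegacyRenegotiation (UnsafeLegacyServerConnect was
#                  ignored until the fix in 3.0.4; this is the broader switch)
#   otherwise   -> UnsafeLegacyServerConnect (client side only, the narrow one)
legacy_option_for_version() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # "1f" -> "1", "4-dev" -> "4"
  [ -n "$patch" ] || patch=0
  if [ "$major" -lt 3 ]; then
    echo none
  elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 4 ]; then
    echo UnsafeLegacyRenegotiation
  else
    echo UnsafeLegacyServerConnect
  fi
}

# Path of the config the *active* openssl build reads: brew, WSL and distro
# builds keep it in different places, so ask the binary (OPENSSLDIR) rather
# than hard-coding /etc/ssl/openssl.cnf.
openssl_conf_path() {
  if [ -n "${OPENSSL_CONF:-}" ]; then
    echo "$OPENSSL_CONF"
  else
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "$dir/openssl.cnf"
  fi
}

# Emit a complete config on stdout: the default-section hook first, then the
# distro's own file (providers, seclevel, ...), then the sections that route
# Options= into the system defaults. OpenSSL merges repeated [section] headers,
# so this works whether or not the base file already has [openssl_init] or
# [ssl_sect]. Caveat: a later Options= replaces an earlier one in the same
# section, so if the base file already sets Options=, fold its value in here.
write_legacy_conf() {
  opt=$1
  base=$2
  printf 'openssl_conf = openssl_init\n\n'
  cat "$base"
  printf '\n# --- appended by legacy_curl for this process only ---\n'
  printf '[openssl_init]\nssl_conf = ssl_sect\n\n'
  printf '[ssl_sect]\nsystem_default = system_default_sect\n\n'
  printf '[system_default_sect]\nOptions = %s\n' "$opt"
}

# Diagnostic: does the peer (or the TLS-intercepting proxy in front of it)
# advertise RFC 5746? TLS 1.3 has no renegotiation at all, so force <= 1.2,
# which is where error 0A000152 actually arises. Prints s_client's verdict:
# "Secure Renegotiation IS supported" / "IS NOT supported".
renegotiation_status() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -no_tls1_3 \
    </dev/null 2>/dev/null | grep 'Secure Renegotiation'
}

# Run curl with the legacy option enabled for this one process. The temp
# config is removed afterwards, so nothing else on the box is weakened.
legacy_curl() {
  ver=$(openssl version | awk '{print $2}')
  opt=$(legacy_option_for_version "$ver")
  if [ "$opt" = none ]; then
    curl "$@"
    return $?
  fi
  conf=$(mktemp) || return 1
  write_legacy_conf "$opt" "$(openssl_conf_path)" >"$conf"
  OPENSSL_CONF=$conf curl "$@"
  rc=$?
  rm -f "$conf"
  return "$rc"
}

# Usage:  ./legacy_curl.sh status pkg.jenkins.io
#         ./legacy_curl.sh -fsSL https://host.example/some.key -o some.key
case "${1:-}" in
  "")     ;;                                  # no args: only define functions
  status) renegotiation_status "$2" "${3:-443}" ;;
  *)      legacy_curl "$@" ;;
esac
```

Run `./legacy_curl.sh status <host>` first: if s_client reports "Secure Renegotiation IS NOT supported" on the VPN and "IS supported" off it, the corporate TLS-intercepting proxy is the legacy peer, which is what to hand to the firewall team. Only then use the wrapper for the one download that needs it, rather than leaving the option in the system-wide openssl.cnf.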

If this is occurring while you are trying to push to your git repository,

I used this fix. You will have to run the command as Admin:

git config --system http.sslbackend schannel
Harpsichord answered 5/8, 2024 at 8:28 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.