error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4

Paul Henson henson at
Fri Nov 11 02:05:05 UTC 2022

> Date: Thu, 10 Nov 2022 23:54:25 +0000 From: Nate Klingenstein
> <ndk at>
> A working installation of 3.3 on Windows 2019 that was upgraded to
> 3.4 is suddenly experiencing failure to connect to 4 hosts that are
> providing their metadata through URL-based resolution.  No
> configuration nor environmental changes occurred other than the
> upgrade of the SP.  Upon startup:

SP 3.3 under Windows is compiled against openssl 3.0.0, 3.4 is compiled 
against 3.0.7.

In openssl 3.0.2 they updated the default configuration setting for 
UnsafeLegacyServerConnect, which controls whether or not a client is 
able to connect to a server using unsafe legacy renegotiation, from true 
to false.

Previously the SP was transparently connecting to crappy servers, now 
the openSSL community has decided it's past time to stop catering to 
people that don't keep their stuff up-to-date :), so any application 
that does not specifically at its own configuration level enable legacy 
renegotiation no longer connects.

In order for the SP to continue working with these servers that do not 
have secure renegotiation support, it will need to set the appropriate 
libcurl option directly to enable it.

The SP has the TransportOption configuration option intended to allow 
the passing of low level SSL options to the underlying libraries 
including libcurl, but it is documented as only applying to the SOAP 
transport implementation class? Although there is a link to it from the 
XMLMetadataProvider page? Is the documentation on the TransportOption 
page incorrect and it can be used for things other than the SOAP 
transport, or is the documentation on the XMLMetadataProvider incorrect 
in implying it can be used there?

Signet - The Art of Access
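
An added example, not part of the original message or of Shibboleth's code: with the default discussed above set to false, an OpenSSL client rejects a pre-TLS 1.3 ServerHello that lacks the RFC 5746 `renegotiation_info` extension. This Python sketch parses a ServerHello handshake message to tell which case a metadata host falls into; the function names and the sample messages are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type
SUPPORTED_VERSIONS = 0x002B   # present in a TLS 1.3 ServerHello

def server_hello_extensions(msg: bytes) -> dict:
    """Return {extension_type: data} from one ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 35:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + body[pos]          # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    if pos == len(body):          # old servers may send no extensions block
        return {}
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end != len(body):
        raise ValueError("bad extensions length")
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def classify(msg: bytes) -> str:
    exts = server_hello_extensions(msg)
    if SUPPORTED_VERSIONS in exts:
        return "tls1.3"           # no renegotiation in TLS 1.3, check not applied
    return "secure" if RENEGOTIATION_INFO in exts else "legacy"

def sample_hello(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello: zero random, empty session id."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

PATCHED = sample_hello(b"\xff\x01\x00\x01\x00")     # renegotiation_info, empty
UNPATCHED = sample_hello(b"\x00\x17\x00\x00")       # extended_master_secret only
BARE = sample_hello(b"")                            # no extensions at all

if __name__ == "__main__":
    for name, hello in [("patched", PATCHED), ("unpatched", UNPATCHED), ("bare", BARE)]:
        print(name, classify(hello))
```

A host classified as "legacy" is one that triggers the error in the subject line when the client negotiates TLS 1.2 or earlier.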
