error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4]
Paul Henson
henson at signet.id
Fri Nov 11 02:05:05 UTC 2022
> Date: Thu, 10 Nov 2022 23:54:25 +0000 From: Nate Klingenstein
> <ndk at signet.id>
>
> A working installation of 3.3 on Windows 2019 that was upgraded to
> 3.4 is suddenly experiencing failure to connect to 4 hosts that are
> providing their metadata through URL-based resolution. No
> configuration nor environmental changes occurred other than the
> upgrade of the SP. Upon startup:
SP 3.3 under Windows is compiled against OpenSSL 3.0.0, 3.4 is compiled
against 3.0.7.
In OpenSSL 3.0.2 they updated the default configuration setting for
UnsafeLegacyServerConnect, which controls whether or not a client is
able to connect to a server using unsafe legacy renegotiation, from true
to false.
Previously the SP was transparently connecting to crappy servers; now
the OpenSSL community has decided it's past time to stop catering to
people that don't keep their stuff up-to-date :), so any application
that does not specifically, at its own configuration level, enable legacy
renegotiation no longer connects.
In order for the SP to continue working with these servers that do not
have secure renegotiation support, it will need to set the appropriate
libcurl option directly to enable it.
The SP has the TransportOption configuration option intended to allow
the passing of low-level SSL options to the underlying libraries
including libcurl, but it is documented as only applying to the SOAP
transport implementation class? Although there is a link to it from the
XMLMetadataProvider page? Is the documentation on the TransportOption
page incorrect and it can be used for things other than the SOAP
transport, or is the documentation on the XMLMetadataProvider incorrect
in implying it can be used there?
--
Signet - The Art of Access
https://www.signet.id/
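A small probe, added here as an illustration and not part of the thread or of Shibboleth, OpenSSL or libcurl, that reproduces the failure described above from the command line: it first handshakes with a default (strict) context, which with an OpenSSL 3.0.2+ backend fails with the same `unsafe legacy renegotiation disabled` error the SP logs against a server lacking RFC 5746 secure renegotiation, and then retries with `SSL_OP_LEGACY_SERVER_CONNECT` set to confirm that renegotiation support, rather than certificates or reachability, is the cause. The host names are constructed placeholders; the numeric option value 0x4 is the OpenSSL value of `SSL_OP_LEGACY_SERVER_CONNECT`, used as a fallback where Python's `ssl` module predates the named constant.

```python
"""Probe metadata hosts for RFC 5746 secure renegotiation support.

Added example, not code from the mailing-list thread or from Shibboleth.
Assumes Python 3 linked against OpenSSL 3.0.2 or later, so that the
default context refuses servers without secure renegotiation.
"""
import socket
import ssl

# ssl.OP_LEGACY_SERVER_CONNECT exists from Python 3.12; older builds can
# still pass the raw OpenSSL option bit (SSL_OP_LEGACY_SERVER_CONNECT = 0x4).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# Substrings OpenSSL 3.x puts in the error for this specific refusal.
LEGACY_RENEG_MARKERS = ("unsafe legacy renegotiation disabled", "0A000152")

# Constructed placeholder hosts; replace with the SP's metadata URLs' hosts.
METADATA_HOSTS = ["idp-a.example.invalid", "idp-b.example.invalid"]


def is_legacy_renegotiation_error(exc: BaseException) -> bool:
    """True when a handshake failure is OpenSSL refusing a non-RFC-5746 server."""
    return any(marker in str(exc) for marker in LEGACY_RENEG_MARKERS)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify a server as 'secure', 'legacy-only', or 'error:<reason>'.

    'secure'      : strict handshake succeeded (server supports RFC 5746, or
                    TLS 1.3 was negotiated, where the check does not apply).
    'legacy-only' : strict handshake failed only because of the renegotiation
                    check, and succeeds once SSL_OP_LEGACY_SERVER_CONNECT is set.
    """
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host):
                return "secure"
    except ssl.SSLError as exc:
        if not is_legacy_renegotiation_error(exc):
            return f"error:{exc.reason or exc}"
    except OSError as exc:
        return f"error:{exc}"

    # Retry with the legacy option, scoped to this one context only.
    lenient = ssl.create_default_context()
    lenient.options |= OP_LEGACY_SERVER_CONNECT
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with lenient.wrap_socket(sock, server_hostname=host):
                return "legacy-only"
    except (ssl.SSLError, OSError) as exc:
        return f"error:{exc}"


def probe_all(hosts=METADATA_HOSTS) -> dict:
    """Map each host to its classification, for a quick inventory."""
    return {host: probe(host) for host in hosts}


if __name__ == "__main__":
    for host, verdict in probe_all().items():
        print(f"{host}: {verdict}")
```

Hosts reported as `legacy-only` are the ones the upgraded SP can no longer reach; the fix that does not weaken anything else is to get those servers patched for RFC 5746, and any `UnsafeLegacyServerConnect`-style override should stay scoped to the SP's own transport configuration rather than the system-wide OpenSSL configuration.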