error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4

Paul Henson henson at
Fri Nov 11 02:26:05 UTC 2022

On 11/10/2022 6:18 PM, Paul B. Henson wrote:

> XMLMetadataProvider page? Is the documentation on the TransportOption
> page incorrect and it can be used for things other than the soap
> transport
Reviewing xmltooling/util/CurlURLInputStream.cpp, it appears that it 
does indeed support the TransportOption parameter, specifically 
regarding legacy renegotiation:

         DOMElement* child = XMLHelper::getLastChildElement(e, 
         while (child) {
             if (child->hasChildNodes() && XMLString::equals(child->getAttributeNS(nullptr,_provider), _OpenSSL)) {
                 if (option.get() && value.get() && 
                     (*value.get()=='1' || *value.get()=='t')) {
                     // If the new option to enable buggy renegotiation is available, set it.
                     // Otherwise, signal false if this is newer than 0.9.8k, because that
                     // means it's 0.9.8l, which blocks renegotiation, and therefore will
                     // not honor this request. Older versions are buggy, so behave as though
                     // the flag was set anyway, so we signal true.
                     fOpenSSLOps |= 
                     success = true;
#elif (OPENSSL_VERSION_NUMBER > 0x009080bfL)
                     success = false;
                     success = true;

Nate indicated he had tried:

<TransportOption provider="OpenSSL" 

which seems like it should have worked, but he says it didn't?

Signet - The Art of Access
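As an added diagnostic (not code from this thread or from xmltooling), the following POSIX shell script classifies `openssl s_client` output to tell whether a remote metadata server lacks RFC 5746 secure renegotiation, which is the condition OpenSSL 3 rejects with error 0A000152; the host name and the sample transcripts are constructed, and it assumes openssl(1) is installed for the live probe.

```shell
#!/bin/sh
# Added example: decide whether the peer is the real problem before relaxing
# the SP's legacy-renegotiation check. The root-cause fix is on the server.

# Classify an `openssl s_client` transcript passed as $1.
# Prints "secure", "legacy" or "unknown".
classify_reneg() {
    case "$1" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *)                                         echo unknown ;;
    esac
}

# Map a classification to operator guidance (defender's reading of the result).
advise() {
    case "$1" in
        secure)  echo "peer supports RFC 5746: 0A000152 is not a renegotiation issue here" ;;
        legacy)  echo "peer lacks RFC 5746: ask the metadata operator to update its TLS stack" ;;
        *)       echo "handshake did not complete: check connectivity, SNI and certificate first" ;;
    esac
}

# Live probe of host:port (needs network); SNI is derived from the host part.
probe_host() {
    out=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>&1)
    classify_reneg "$out"
}

# Constructed sample transcripts standing in for real s_client output.
SAMPLE_SECURE="New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported"
SAMPLE_LEGACY="New, TLSv1.2, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported"

# Usage: probe_host metadata.example.org:443  (constructed host name)
advise "$(classify_reneg "$SAMPLE_LEGACY")"
```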
