error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4
Paul Henson
henson at signet.id
Fri Nov 11 02:26:05 UTC 2022
On 11/10/2022 6:18 PM, Paul B. Henson wrote:
> XMLMetadataProvider page? Is the documentation on the TransportOption
> page incorrect and it can be used for things other than the soap
> transport
Reviewing xmltooling/util/CurlURLInputStream.cpp, it appears that it
does indeed support the TransportOption parameter, specifically
regarding legacy renegotiation:
    DOMElement* child = XMLHelper::getLastChildElement(e, TransportOption);
    while (child) {
        if (child->hasChildNodes() &&
            XMLString::equals(child->getAttributeNS(nullptr,_provider), _OpenSSL)) {
            auto_ptr_char option(child->getAttributeNS(nullptr,_option));
            auto_ptr_char value(child->getFirstChild()->getNodeValue());
            if (option.get() && value.get() &&
                !strcmp(option.get(), "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION") &&
                (*value.get()=='1' || *value.get()=='t')) {
                // If the new option to enable buggy renegotiation is available, set it.
                // Otherwise, signal false if this is newer than 0.9.8k, because that
                // means it's 0.9.8l, which blocks renegotiation, and therefore will
                // not honor this request. Older versions are buggy, so behave as though
                // the flag was set anyway, so we signal true.
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
                fOpenSSLOps |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
                success = true;
#elif (OPENSSL_VERSION_NUMBER > 0x009080bfL)
                success = false;
#else
                success = true;
#endif
Nate indicated he had tried:

    <TransportOption provider="OpenSSL"
        option="SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION">1</TransportOption>

which seems like it should have worked, but he says it didn't?
--
Signet - The Art of Access
https://www.signet.id/
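The value test in the xmltooling code above is stricter than it looks: only the first character of the element text is inspected, and only a lowercase 't' or a '1' counts. The following is an added example, not code from the post or from Shibboleth, that mirrors those parsing rules in Python over a constructed config fragment, plus the #if ladder that decides whether the request can be honoured for a given OpenSSL build:

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Shibboleth SP MetadataProvider fragment (made up for
# this example; the url and element layout are assumptions, not from the post).
SAMPLE_CONFIG = """<MetadataProvider type="XML" url="https://idp.example.org/metadata.xml">
  <TransportOption provider="OpenSSL" option="SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION">true</TransportOption>
</MetadataProvider>"""

# OPENSSL_VERSION_NUMBER of 0.9.8k, the constant the C++ source compares against.
OPENSSL_0_9_8K = 0x009080bf

def _local_name(tag):
    # Strip a namespace prefix ({uri}name -> name); the SP config uses a default namespace.
    return tag.rsplit("}", 1)[-1]

def legacy_renegotiation_requested(xml_text):
    """Return True if a TransportOption element asks for
    SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION under the same rules as the C++:
    provider must be exactly "OpenSSL", the option name must match exactly,
    the element must have text, and only the FIRST character of that text is
    inspected ('1' or 't'), so "true" works but "True", "yes" and "on" do nothing."""
    root = ET.fromstring(xml_text)
    for child in root:
        if _local_name(child.tag) != "TransportOption":
            continue
        value = child.text or ""
        if not value:
            continue  # hasChildNodes() is false: empty element, option ignored
        if child.get("provider") != "OpenSSL":
            continue
        if child.get("option") != "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION":
            continue
        if value[0] in ("1", "t"):
            return True
    return False

def flag_honoured(option_defined, openssl_version_number):
    """Mirror the #if ladder: True when the build's headers define the option
    (it is OR'd into the curl SSL options); False when the option is missing
    but OpenSSL is newer than 0.9.8k (renegotiation blocked, request cannot be
    honoured); True for older releases, which renegotiate anyway."""
    if option_defined:
        return True
    if openssl_version_number > OPENSSL_0_9_8K:
        return False
    return True
```

The check that actually matters on a modern build is therefore the first branch: if the OpenSSL headers xmltooling was compiled against define the option, the config value only needs to start with '1' or 't'.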