error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4
Paul Henson
henson at signet.id
Fri Nov 11 19:22:19 UTC 2022
> From: Nate Klingenstein <ndk at signet.id>
>
> It turns out the odd one that supported secure renegotiation had an
> http:// endpoint configured into the MetadataResolver, so the error
> message is probably accurate in all other cases and misleading only
> with http://. There is a 302 redirect issued by the HTTP listener on
> that server to HTTPS.
The error for that one didn't mention renegotiation:
2022-11-10 15:52:55 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: unable to read from socket for URL 'http://idp.xxx.edu/idp/shibboleth'
2022-11-10 15:52:55 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (http://idp.xxx.edu/idp/shibboleth): XML error(s) during parsing, check log for specifics
It's unclear why that is failing now, but something in openssl most
likely is the culprit as that's the only major change? Unless something
else would make it not follow a redirect.
> Still no idea why the configuration option wouldn't have addressed the
> issue, though.
Yah, based on visual code inspection it seems it should. There's no
debug logging in that area though so hard to say what's actually
happening under the hood.