error:0A000152:SSL routines::unsafe legacy renegotiation disabled with Shibboleth SP 3.4

Paul Henson henson at
Fri Nov 11 19:22:19 UTC 2022

> From: Nate Klingenstein <ndk at>
> It turns out the odd one that supported secure renegotiation had an
> http:// endpoint configured into the MetadataResolver, so the error
> message is probably accurate in all other cases and misleading only
> with http://.  There is a 302 redirect issued by the HTTP listener on
> that server to HTTPS.

The error for that one didn't mention renegotiation:

2022-11-10 15:52:55 ERROR XMLTooling.ParserPool : fatal error on line 0,
0, message: unable to read from socket for URL                                  
2022-11-10 15:52:55 ERROR OpenSAML.MetadataProvider.XML : error while
resource ( XML error(s) during
parsing, check
log for specifics                                                               

It's unclear why that is failing now, but something in openssl most
likely is the culprit as that's the only major change? Unless something
else would make it not follow a redirect.

> Still no idea why the configuration option wouldn't have addressed the
> issue, though.

Yah, based on visual code inspection it seems it should. There's no
debug logging in that area though so hard to say what's actually
happening under the hood.

More information about the users mailing list