topic Re: SSL routines::unsafe legacy renegotiation disabled in General Topics

SSL routines::unsafe legacy renegotiation disabled

CraigAddison — Tue, 08 Nov 2022 14:39:32 GMT

Hi,

We are getting an increasing number of users reporting issues connecting through the Palo Altos when using OpenSSL3. Here is the information I have:

"We've got someone working on moving to Node-18 from 14. We're getting issues in the build pipeline where OpenSSL3 is failing to connect through the proxy. We get the error unsafe legacy renegotiation disabled - google says the proxy box needs to support RFC 5746. Is there any information on the proxy box and who manages it so we can investigate/come up with a workaround?"

And

"We have reproduced this issue while working to build new ADO agent images - Ubuntu 22.04's version of openssl3 also blocks all outbound ssl connections with the same error:
1$ curl https://google.com
2curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
We obviously do not wish to enable the UnsafeLegacyRenegotiation option."

I see this has also been reporting on the Palo Alto forums at https://live.paloaltonetworks.com/t5/globalprotect-discussions/rfc5746-issue-with-ssl-decryption-openssl3-0-unsafe-legacy/td-p/511171.

Is there a solution to this issue please?
Thanks,

(not sure if this is the right board-please redirect if not-thanks)

Re: SSL routines::unsafe legacy renegotiation disabled

JayGolf — Wed, 09 Nov 2022 00:31:51 GMT

Hi @CraigAddison ,

Is SSL Decryption enabled on the firewalls?

Re: SSL routines::unsafe legacy renegotiation disabled

CraigAddison — Wed, 09 Nov 2022 07:58:14 GMT

Hi JayGolf,

Yes SSL Decryption is enabled on the firewalls.

Re: SSL routines::unsafe legacy renegotiation disabled

CraigAddison — Thu, 10 Nov 2022 09:47:52 GMT

Hi JayGolf,

Did you have any follow up to this please?

Re: SSL routines::unsafe legacy renegotiation disabled

JayGolf — Thu, 10 Nov 2022 19:14:51 GMT

Hi @CraigAddison ,

I would recommend reaching out to TAC for this issue as there doesn't appear to be any documentation regarding this. Please share any details you discover with TAC.

Re: SSL routines::unsafe legacy renegotiation disabled

itadmin777 — Wed, 16 Nov 2022 07:07:48 GMT

Hello,

does anyone have an idea / updates on this issue ?

We are seeing the same Problems when using OS/Tools with openssl 3.x there is no connection via SSL working.

Many thanks for keeping this thread alive.

Re: SSL routines::unsafe legacy renegotiation disabled

CraigAddison — Wed, 16 Nov 2022 09:09:58 GMT

Hi,

I have had a reply from Palo Alto TAC-

'This is kb article, and I confirmed that PA does not support SSL/TLS Renegotiation.'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A9

Workaround:
Create Decryption exception for the HTTPS sites that fail due to SSL renegotiation.

Re: SSL routines::unsafe legacy renegotiation disabled

jjhernandez — Mon, 25 Sep 2023 21:15:52 GMT

This has been fixed in "PAN-184630: Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746)." Target releases:

11.0.2 - ETA July 2023
10.2.5 - ETA August 2023
10.1.11 - ETA - September 2023
9.1.17 - ETA October 2023

See: https://live.paloaltonetworks.com/t5/globalprotect-discussions/rfc5746-issue-with-ssl-decryption-openssl3-0-unsafe-legacy/m-p/549471#M4212

Re: SSL routines::unsafe legacy renegotiation disabled

jjhernandez — Thu, 12 Oct 2023 16:23:42 GMT

UPDATE: Per case 02716405, Prisma Access has PAN-184630 integrated into 4.0.0-Preferred dataplane version 10.2.4-ch171.

Will be testing this at the end of this week.

Re: SSL routines::unsafe legacy renegotiation disabled

jjhernandez — Thu, 19 Oct 2023 20:56:13 GMT

UPDATE: Testing of PAN-184630 was successful with Prisma Access 4.0.0-Preferred dataplane version 10.2.4-ch171. Having the rest of our gateways upgraded in next available change window.