11-08-2022 06:39 AM
We are getting an increasing number of users reporting issues connecting through the Palo Altos when using OpenSSL3. Here is the information I have:
"We've got someone working on moving to Node-18 from 14. We're getting issues in the build pipeline where OpenSSL3 is failing to connect through the proxy. We get the error unsafe legacy renegotiation disabled - Google says the proxy box needs to support RFC 5746. Is there any information on the proxy box and who manages it so we can investigate/come up with a workaround?"
"We have reproduced this issue while working to build new ADO agent images - Ubuntu 22.04's version of openssl3 also blocks all outbound ssl connections with the same error:
$ curl https://google.com
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
We obviously do not wish to enable the UnsafeLegacyRenegotiation option."
I see this has also been reported on the Palo Alto forums at https://live.paloaltonetworks.com/t5/globalprotect-discussions/rfc5746-issue-with-ssl-decryption-ope....
Is there a solution to this issue please?
(Not sure if this is the right board - please redirect if not - thanks)
11-16-2022 01:09 AM
I have had a reply from Palo Alto TAC:
'This is kb article, and I confirmed that PA does not support SSL/TLS Renegotiation.'
Create Decryption exception for the HTTPS sites that fail due to SSL renegotiation.
11-08-2022 04:31 PM
Hi @CraigAddison ,
Is SSL Decryption enabled on the firewalls?
11-08-2022 11:58 PM
Yes, SSL Decryption is enabled on the firewalls.
11-10-2022 01:47 AM
Did you have any follow up to this please?
11-10-2022 11:14 AM
Hi @CraigAddison ,
I would recommend reaching out to TAC for this issue as there doesn't appear to be any documentation regarding this. Please share any details you discover with TAC.