This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL routines::unsafe legacy renegotiation disabled

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SSL routines::unsafe legacy renegotiation disabled

Go to solution
CraigAddison
L2 Linker

‎11-08-2022 06:39 AM

Hi,

 

We are getting an increasing number of users reporting issues connecting through the Palo Altos when using OpenSSL3. Here is the information I have:

"We've got someone working on moving to Node-18 from 14. We're getting issues in the build pipeline where OpenSSL3 is failing to connect through the proxy. We get the error unsafe legacy renegotiation disabled - google says the proxy box needs to support RFC 5746. Is there any information on the proxy box and who manages it so we can investigate/come up with a workaround?"


And

"We have reproduced this issue while working to build new ADO agent images - Ubuntu 22.04's version of openssl3 also blocks all outbound ssl connections with the same error:
1$ curl https://google.com
2curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
We obviously do not wish to enable the UnsafeLegacyRenegotiation option."

I see this has also been reporting on the Palo Alto forums at https://live.paloaltonetworks.com/t5/globalprotect-discussions/rfc5746-issue-with-ssl-decryption-ope....

Is there a solution to this issue please?
Thanks,

 

(not sure if this is the right board-please redirect if not-thanks)

4 people had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
CraigAddison
L2 Linker
In response to itadmin777

‎11-16-2022 01:09 AM

Hi,

 

I have had a reply from Palo Alto TAC-

'This is kb article, and I confirmed that PA does not support SSL/TLS Renegotiation.'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A...

 

Workaround:
Create Decryption exception for the HTTPS sites that fail due to SSL renegotiation.

View solution in original post

9 REPLIES 9

Go to solution
JayGolf
Community Team Member

‎11-08-2022 04:31 PM

Hi @CraigAddison ,

 

Is SSL Decryption enabled on the firewalls? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
CraigAddison
L2 Linker
In response to JayGolf

‎11-08-2022 11:58 PM

Hi JayGolf,

 

Yes SSL Decryption is enabled on the firewalls.

0 Likes Likes

Go to solution
CraigAddison
L2 Linker
In response to JayGolf

‎11-10-2022 01:47 AM

Hi JayGolf, 

 

Did you have any follow up to this please?

0 Likes Likes

Go to solution
JayGolf
Community Team Member

‎11-10-2022 11:14 AM

Hi @CraigAddison ,

 

I would recommend reaching out to TAC for this issue as there doesn't appear to be any documentation regarding this. Please share any details you discover with TAC. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
itadmin777
L0 Member

‎11-15-2022 11:07 PM

Hello,

 

does anyone have an idea / updates on this issue ?

 

We are seeing the same Problems when using OS/Tools with openssl 3.x there is no connection via SSL working.

 

Many thanks for keeping this thread alive.

 

Go to solution
CraigAddison
L2 Linker
In response to itadmin777

‎11-16-2022 01:09 AM

Hi,

 

I have had a reply from Palo Alto TAC-

'This is kb article, and I confirmed that PA does not support SSL/TLS Renegotiation.'
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A...

 

Workaround:
Create Decryption exception for the HTTPS sites that fail due to SSL renegotiation.

Go to solution
jjhernandez
L3 Networker

‎09-25-2023 02:15 PM

This has been fixed in "PAN-184630: Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746)." Target releases:

  • 11.0.2 - ETA July 2023
  • 10.2.5 - ETA  August 2023
  • 10.1.11 - ETA - September 2023
  • 9.1.17 - ETA October 2023

 

See: https://live.paloaltonetworks.com/t5/globalprotect-discussions/rfc5746-issue-with-ssl-decryption-ope...

Go to solution
jjhernandez
L3 Networker
In response to jjhernandez

‎10-12-2023 09:23 AM

UPDATE: Per case 02716405, Prisma Access has PAN-184630 integrated into 4.0.0-Preferred dataplane version 10.2.4-ch171. 

 

Will be testing this at the end of this week.

0 Likes Likes

Go to solution
jjhernandez
L3 Networker
In response to jjhernandez

‎10-19-2023 01:56 PM

UPDATE: Testing of PAN-184630 was successful with Prisma Access 4.0.0-Preferred dataplane version 10.2.4-ch171. Having the rest of our gateways upgraded in next available change window.

0 Likes Likes
  • 1 accepted solution
  • 56613 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks