
[RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled

Since I upgraded to the latest Fedora, all of my Python/Ansible scripts fail when they are decrypted by our Palo Alto SSL outbound policy.


After some digging, Fedora 35 was using OpenSSL 1.1.1 and Fedora 36 switched to OpenSSL 3.0:


In the OpenSSL 3.0 changelog, we can find this:

OpenSSL changelog between 1.1.1 and 3.0.0 [7 Sep 2021] contains:

* Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.


I found a post on Stack Overflow that explains how to re-enable insecure renegotiation as a quick fix. This won't be a good solution when all our devs are using Linux and Docker with OpenSSL 3.0 installed.


Is there a way to configure SSL decryption on the Palo Alto to enable secure renegotiation?

