Openssl Enable Legacy Renegotiation

If you see an error similar to "unsafe legacy renegotiation disabled" when attempting a secure TLS/SSL connection, I have the solution for you. I decided to write this post because searching the Internet did not find any solutions, so I had to roll my sleeves up and use the old-school approach to actually understand and troubleshoot the problem.

If you get this error, your OpenSSL binaries (OpenSSL 3.0 and later) are built with unsafe legacy renegotiation disabled by default: the client refuses to complete a handshake with a peer that only supports the old, insecure form of renegotiation and does not advertise the secure renegotiation extension (RFC 5746). TLS 1.3 is unaffected because it has no renegotiation at all, so the problem only shows up with TLS 1.2 and older peers. I received this error when using Ubuntu 22.04. You may receive this error only on newer Linux distributions.

To get around this problem while the rest of the world moves to TLS 1.3, follow the steps below to update the file /etc/ssl/openssl.cnf. The location of the file might be different on your system. If you have trouble finding it, open a terminal window and run the command "openssl version -a". This command lists the version and the directory used by OpenSSL (OPENSSLDIR); in that directory you will find the file openssl.cnf.

Now use the editor of your choice to modify the file. You will probably need to edit it as root, either by logging in as root or by issuing the sudo command.

At the very beginning of the file, insert the following config:

openssl_conf = openssl_init

At the end of the file, insert the following config:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
Options = UnsafeLegacyRenegotiation

And the error should be gone. Enjoy and type away!
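One caveat worth keeping in mind: the directives above apply to every program on the host that loads the system openssl.cnf, so SECLEVEL=1 and UnsafeLegacyRenegotiation are relaxed for all of them, not just the one client that hit the error. The script below is an added example (it is not from the original post) showing two things: how to put the same directives in a separate file and apply them to a single command through the OPENSSL_CONF environment variable, leaving /etc/ssl/openssl.cnf untouched, and how to read the "Secure Renegotiation IS / IS NOT supported" summary line that openssl s_client prints, so you can confirm the remote peer really lacks RFC 5746 before granting it the exception. It assumes an OpenSSL 3.x openssl binary on PATH for the commented live commands; the sample outputs embedded in the script are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an OpenSSL 3.x `openssl`
# on PATH when the commented live commands are run. The directive names are the
# real OpenSSL config keys used in the post; the sample outputs are constructed.

# Write a standalone config containing the post's directives into DIR and print
# its path. Pointing OPENSSL_CONF at it affects one process only, so the host's
# other TLS clients keep the default (strict) policy.
make_legacy_conf() {
    conf="$1/openssl-legacy.cnf"
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
Options = UnsafeLegacyRenegotiation
EOF
    printf '%s\n' "$conf"
}

# Classify captured `openssl s_client` output (stdout and stderr together):
#   secure  - peer advertises RFC 5746 secure renegotiation; no exception needed
#   legacy  - handshake completed but the peer lacks RFC 5746
#   blocked - this OpenSSL refused the peer (the error the post is about)
#   unknown - no handshake information in the output (connect failure, etc.)
renego_status() {
    case "$1" in
        *"unsafe legacy renegotiation disabled"*)  echo blocked ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed sample outputs: they mimic the shape of s_client's summary lines
# and error text but were not captured from a real connection.
SAMPLE_SECURE='Verify return code: 0 (ok)
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_LEGACY='Verify return code: 0 (ok)
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_BLOCKED='SSL routines::unsafe legacy renegotiation disabled
no peer certificate available'

# Live usage (commented out so the script runs offline). First check what the
# peer supports, then, only if it reports "legacy" or "blocked", rerun the one
# client under the scoped config instead of editing the system file:
#   renego_status "$(openssl s_client -connect host.example:443 </dev/null 2>&1)"
#   OPENSSL_CONF=$(make_legacy_conf /tmp) openssl s_client -connect host.example:443 </dev/null
```

Running the first live command against a peer that supports RFC 5746 yields "secure", which means the error you are seeing comes from somewhere else and the exception would buy nothing; "blocked" confirms the post's diagnosis, and "legacy" is what you should see once the scoped config is in place.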
