RFC 5746 - OpenSSL 3.0.0 SSL/TLS handshake fails with error: unsafe legacy renegotiation disabled

Created On 05/11/23 07:24 AM - Last Modified 05/23/25 02:18 AM


Symptom


  • The client performs the SSL/TLS handshake with OpenSSL 3.0.0, which supports RFC 5746 (TLS secure renegotiation indication).
  • The connection fails with the error: "unsafe legacy renegotiation disabled".


Environment


  • Palo Alto Firewall
  • PAN-OS releases earlier than 9.1.17, 10.1.11, 10.2.5 and 11.0.2.
  • SSL/TLS Decryption enabled.
  • The SSL/TLS client supports RFC 5746 and is using OpenSSL 3.0.0.


Cause


Support for RFC 5746 (TLS secure renegotiation indication) was introduced in PAN-OS 9.1.17, 10.1.11, 10.2.5, and 11.0.2. Earlier releases lack it, so with SSL/TLS Decryption enabled the firewall does not signal secure renegotiation to the client, and an OpenSSL 3.0.0 client refuses to complete the handshake.
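As an added example, not part of the original article, the following Python helper parses a TLS 1.2 (or earlier) ServerHello and reports whether it carries the renegotiation_info extension defined by RFC 5746, which is what an OpenSSL 3.0.0 client checks before accepting the connection; with decryption enabled, the ServerHello the client sees is the one the firewall generates. The sample ServerHellos are constructed inline, and TLS 1.3 is out of scope because it removed renegotiation entirely.

```python
import struct

# Extension type "renegotiation_info" assigned by RFC 5746.
RENEGOTIATION_INFO = 0xFF01


def server_hello_has_secure_renegotiation(msg: bytes) -> bool:
    """Return True if a TLS ServerHello handshake message (TLS 1.2 or earlier)
    carries the renegotiation_info extension. A server or decrypting proxy that
    omits it is what OpenSSL 3.0.0 reports as 'unsafe legacy renegotiation disabled'."""
    if len(msg) < 4 or msg[0] != 0x02:            # HandshakeType.server_hello
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                  # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    pos += 2 + 1                                  # cipher_suite + compression_method
    if pos >= len(body):
        return False                              # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:                         # walk type/length/data triples
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == RENEGOTIATION_INFO:
            return True
        pos += ext_len
    return False


def build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello (constructed sample data, not a
    capture): fixed random, empty session_id, cipher suite 0xC02F, null
    compression, then the given (type, data) extensions."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    return b"\x02" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Initial handshake: renegotiated_connection is empty, so the data is one 0x00 byte.
    good = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
    bad = build_server_hello([(0x0017, b"")])     # extended_master_secret only
    print(server_hello_has_secure_renegotiation(good))   # True
    print(server_hello_has_secure_renegotiation(bad))    # False
```

Feeding the function a ServerHello captured in front of the firewall versus one captured behind it shows directly whether the decryption proxy, rather than the origin server, is the side that drops the extension.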

Resolution


  1. The issue is fixed under PAN-184630 in PAN-OS 9.1.17, 10.1.11, 10.2.5, and 11.0.2.
  2. Upgrade to one of the above PAN-OS versions, where support for RFC 5746 starts.
Note: The current release versions can be found here.


Additional Information


A possible workaround is to disable the use of OpenSSL 3.0.0 on the client side.
