On 21/02/2022 18:24, Brian Pilati wrote:
> Thanks Matt for your response.
> I do understand the issues with the connection. Unfortunately, I still
> need to connect to the server.
> Where would you set the SSL_OP_LEGACY_SERVER_CONNECT outside of nodejs?
> Is it in a config file? Can you run something from the command-line?
You can either do this programmatically from the application using
OpenSSL, or via the OpenSSL config file.
Programmatically you would use either the SSL_CTX_set_options() or
SSL_set_options() functions described here:
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
It is also possible to do this via the OpenSSL config file. A simple
config file that might achieve this could look something like this:
config_diagnostics = 1
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
Options = UnsafeLegacyServerConnect
You can read more about the OpenSSL config file in general and its
format here:
https://www.openssl.org/docs/man3.0/man5/config.html
There is more information on SSL/TLS specific configuration options in
the "SUPPORTED CONFIGURATION FILE COMMANDS" section on this page:
https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html
(Note: I just noticed an error on that last page which claims that
SSL_OP_LEGACY_SERVER_CONNECT is set by default - this is no longer the
case in 3.0.)
Matt
Brian
On Mon, Feb 21, 2022 at 1:50 AM Matt Caswell <matt@xxxxxxxxxxx> wrote:
On 18/02/2022 19:53, Brian Pilati wrote:
> I am receiving this error
>
> Error: write EPROTO 0006601201000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:880
>
> after upgrading to macOS Monterey v12.2.1
>
> I am running Nodejs v16.13.2
>
> Can someone please give me detailed instructions on how to allow unsafe
> legacy renegotiation?
This error means that you are running as a client attempting to connect
to a server that has not been patched against CVE-2009-3555. Connection
attempts to servers that do not support secure renegotiation (the
mitigation against that CVE) are now aborted by default in OpenSSL 3.0.
If the server has not been patched against a CVE issued 13 years ago
then it is unlikely to be patched against many other CVEs and you should
strongly question whether you really want to connect to such a server.
You can read more about this in the "SECURE RENEGOTIATION" section of
this page:
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
If you *really* want to still connect to the server then you can do this
by setting the SSL_OP_LEGACY_SERVER_CONNECT option. I am not a Nodejs
person, so I don't know how/if this option is exposed in Nodejs.
Matt
>
> I have attempted " process.env.NODE_OPTIONS = '--tls-min-v1.0';" in my
> node script.
>
> Thanks,
> Brian
>
> ****************************
> --Brian Pilati
> http://www.linkedin.com/in/brianpilati
>
> /The information contained in this communication is confidential. This
> communication is intended only for the use of the addressee. If you are
> not the intended recipient, please notify me promptly and delete the
> message. Any distribution or copying of this message without my prior
> consent is prohibited./