Used CURL error:0A000152:SSL routines::unsafe legacy renegotiation disabled"

mt800

When I used CURL in PHP, I encountered the following error.
"OpenSSL/3.0.13: error:0A000152:SSL routines::unsafe legacy renegotiation disabled"

I tried many methods, but none of them worked.

For example:
-- Setting CURL parameters in PHP
CURLOPT_SSL_OPTIONS => CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE

-- Setting OPENSSL_CONF in PHP
putenv("OPENSSL_CONF=/usr/home/{USER}/domains/{DOMAIN}/public_html/openssl.cnf");

--- OpenSSL.cnf file content

[system_default_sect]
Options = UnsafeLegacyServerConnect

Also tried
[system_default_sect]
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
#Options = UnsafeLegacyRenegotiation
Options = UnsafeLegacyServerConnect

Also tried
nodejs_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

None of them worked. How can I solve this problem?

admin

Report the indicated error to the software provider you are trying to launch.

mt800

It may be a version problem. There is no problem in version 1.x, but there is a problem in version 3.0.x. I tested 3.3.1.x in the local environment and there is no problem.

admin

mt800 Can you share the example code to reproduce the problem?

mt800

Thank you for your reply!
I tested openssl on windows platform.

<?php
$url = 'https://bufftoon.plaync.com/';

$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_SSL_ENABLE_ALPN => true,
CURLOPT_SSL_ENABLE_NPN => true,
CURLOPT_SSL_OPTIONS => CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE,
]);
$response = curl_exec($ch);

if ($response === false) {
$error = curl_error($ch);
echo "cURL Error: " . $error;
} else {
// header('Content-Type: application/json');
echo $response;
}
curl_close($ch);
?>

Error message: cURL Error: OpenSSL/3.0.13: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

admin

mt800 Thank for the example.

I can confirm that curl/openssl has by default disabled unsafe legacy renegotiation

$ curl -I "https://bufftoon.plaync.com"
curl: (35) OpenSSL/3.0.13: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

The workaround for now is to create own openssl.cnf:

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect

Using the new OpenSSL config with curl fix the issue:

$ OPENSSL_CONF=~/openssl.cnf curl -I "https://bufftoon.plaync.com"
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 12
ETag: W/"c-QETVAhUYmmve97quvZif9EL6tqM"
Date: Sun, 07 Jul 2024 13:51:01 GMT
Connection: keep-alive
Keep-Alive: timeout=5

You can apply similar solution to your PHP code.

mt800

Thank you for your reply!
How do I do this using PHP code?Thanks for knowing!

puzzle9

mt800

https://serverfault.com/a/1142055/477852