The error message received when attempting to access myserver.myhost.com via the openssl s_client command indicates that the server does not support legacy renegotiation. The error can be resolved by enabling the UnsafeLegacyRenegotiation option on the server; however, it is important to understand the underlying issue to ensure a secure connection.
The command being used to access the server is:
openssl s_client -connect myserver.myhost.com:443
The response received is:
CONNECTED(00000003)
80BBF425D37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:879:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3058 bytes and written 336 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1687542368
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Browser access to myserver.myhost.com does not generate any warnings, suggesting the underlying issue is related to the openssl command.
To resolve the issue, it is necessary to enable the UnsafeLegacyRenegotiation option on the server. However, understanding the underlying issue is important to ensure a secure connection.
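
Added example, not part of the original page: a shell triage helper that reads an openssl s_client transcript and separates this specific refusal (error 0A000152) from other handshake failures. The function names and the key=value output format are assumptions made for illustration; the sample transcript is abridged from the output shown above.

```shell
#!/usr/bin/env bash
# Triage helper for `openssl s_client` transcripts (illustrative, added example).

# Abridged copy of the transcript shown above.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
80BBF425D37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:879:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Extended master secret: no
---'

# classify_s_client: read a transcript on stdin, print key=value findings.
classify_s_client() {
    awk '
        # Error queue line: <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:
        /:error:[0-9A-Fa-f]+:/ {
            n = split($0, f, ":")
            if (n >= 6) { print "error_code=" f[3]; print "error_reason=" f[6] }
        }
        /^Secure Renegotiation IS NOT supported/ { print "secure_renegotiation=no" }
        /^Secure Renegotiation IS supported/     { print "secure_renegotiation=yes" }
        # No cipher was agreed, so the handshake did not complete.
        /^New, / && /Cipher is \(NONE\)/         { print "handshake=failed" }
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); print "protocol=" $0 }
    '
}

# verdict: reduce the findings to one label.
# "Secure Renegotiation IS NOT supported" alone is not treated as a failure:
# s_client also prints it for TLS 1.3 sessions, which have no renegotiation.
verdict() {
    findings=$(classify_s_client)
    case "$findings" in
        *"error_reason=unsafe legacy renegotiation disabled"*) echo "refused_by_client_policy" ;;
        *"handshake=failed"*) echo "handshake_failed_other" ;;
        *) echo "ok" ;;
    esac
}

# Stand-alone run over the sample transcript.
printf '%s\n' "$SAMPLE_TRANSCRIPT" | verdict
```

To check a live endpoint, pipe the command from the page into it: `openssl s_client -connect myserver.myhost.com:443 </dev/null 2>&1 | verdict`.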