So, all of a sudden, one of our servers, while trying to connect to another, started giving this cryptic error –
OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 unsafe legacy renegotiation disabled
These kind of errors are usually dependent on some system updates. But the error seemed to be coming from the target server. After a bit of searching around, this article gave the most understandable information.
From that article –
This “unsafe legacy renegotiation disabled” error happens when connecting to outdated endpoints that do not support RFC 5746 secure renegotiation. Ideally, the endpoints causing these errors should be upgraded for security reasons.
In the same article, they mention that it should be possible to remove this security check, but the solutions mentioned there didn’t work.
After looking around for some time, I came across this answer on StackOverflow.
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT
Essentially it downgrades the connection so that legacy connections continue working.
I was using HTTParty gem for connecting remotely. After adding the line above, the code becomes –
require 'httparty' OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT url = 'https://example.com/endpoint' HTTParty.get(url)
Hope the other server gets upgraded soon!