When a client built against a newer OpenSSL connects to a web server that runs an old OpenSSL version, an error like the following may appear:

 write EPROTO C0676B19867F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922

or
curl "https://app.cifm.com/" -v
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

The web server you are connecting to is most likely running an OpenSSL version so old that it lacks secure renegotiation (CVE-2009-3555), which leaves the connection open to a man-in-the-middle attack; rather than proceed, the newer OpenSSL refuses the handshake. If you still need to reach such a site, edit /usr/lib/ssl/openssl.cnf and check that the following entries are present. Note that this setting re-enables legacy renegotiation for every program that loads the system OpenSSL configuration, so keep the change as narrow as practical.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
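
The following shell snippet is an added example, not part of the original post: it checks `openssl s_client` output for a server that lacks secure renegotiation, and writes the configuration above to a separate file so the relaxed setting can be applied to a single command via `OPENSSL_CONF` instead of the system-wide openssl.cnf. The hostname in the comments is a placeholder.

```sh
#!/bin/sh
# Added example: diagnose a server without secure renegotiation and apply the
# UnsafeLegacyRenegotiation workaround only for one invocation.

# Returns 0 when the given `openssl s_client` output reports that the server
# does not support secure renegotiation (the exact string s_client prints).
server_lacks_secure_reneg() {
  printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS NOT supported'
}

# Writes a minimal OpenSSL config enabling UnsafeLegacyRenegotiation to the
# path given as $1, leaving the system openssl.cnf untouched.
write_legacy_reneg_cnf() {
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
}

# Live usage (needs network; example.invalid is a placeholder host):
#   out=$(openssl s_client -connect example.invalid:443 </dev/null 2>/dev/null)
#   server_lacks_secure_reneg "$out" && echo "server lacks secure renegotiation"
#
# Scoped workaround: only this curl process sees the relaxed setting.
#   write_legacy_reneg_cnf /tmp/legacy-reneg.cnf
#   OPENSSL_CONF=/tmp/legacy-reneg.cnf curl -v https://example.invalid/
```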

References:

  1. SSL error unsafe legacy renegotiation disabled
  2. CVE-2009-3555