Forum Discussion

SteveEason
May 31, 2023
Solved

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

We have a client reporting a problem connecting to one of our endpoints after they upgraded their appliance that uses SSL 3.0.7. I've read around a little and I believe this is in relation to the recent security issue announced by OpenSSL. Their device, I believe, uses an IBM APIConnect Gateway. The error they are getting with the connection since the upgrade happened is the following (IP and gtid obfuscated for security):

May 30 14:08:08 npe-dp-sac-node1 [APIConnect_Gateway][0x8120002f][ssl][error] ssl-client(bsc_dev2_tlsp-tls-client-profile-defaultV1.0.0): trans(4705632)[10.10.10.10] gtid(#################): TLS library error: error:141E3152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled

I'm concerned, after digging around, that our F5 might not be ready or set up to accept traffic from devices that have been updated with this new version of SSL 3.0.7. I am the SME for the F5 support at our company and I don't have a lot of experience on this end of the configuration. Is there something we need to do on the F5 to safely allow this traffic?

3 Replies

  • Did you open a support case on the customer's behalf using their serial number? This sounds like a critical issue, rather than something that you would have time for "post and pray" on forums to get an answer. Also, you may want to hide the customer's BIG-IP hostname as well 🙂 They may not be happy that you are posting console and info on a forum to get help!

  • I did open a ticket with support. I had posted this question first and then after continuing my investigation realized maybe it would be best to open a ticket on the situation. Thanks for the suggestion.