SSL Allow Unsafe Renegotiation

Whether to allow unsafe legacy renegotiation during SSL connections. Secure renegotiation (RFC 5746) is always attempted when possible, as it avoids some security vulnerabilities (CVE-2009-3555). If secure renegotiation is not possible (i.e. remote server does not support it), unsafe renegotiation is used only if this setting is Yes, or Yes and warn (the default); No will result in refusal to connect unsafely and the error Cannot complete SSL handshake with www.example.com:443: error:0A000152:SSL routines::unsafe legacy renegotiation disabled. Additionally, if Yes and warn is set and secure renegotiation is not possible, connections will proceed but with the once-per-host warning Enabling SSL unsafe legacy renegotiation for N.N.N.N (www.example.com): Host does not support secure renegotiation.

Note that support for legacy renegotiation is dependent on OpenSSL support for it, which means Thunderstone support may be removed in a future release if OpenSSL discontinues support. If possible, walked servers that do not support secure (RFC 5746) renegotiation should be upgraded to support it.

This setting was added with Texis version 8.01.1673379113 20230110. Texis versions from 8.00.1633988159 20211011 up to just before that version behaved as if this setting was No.


Copyright © Thunderstone Software     Last updated: Nov 8 2024
Copyright © 2024 Thunderstone Software LLC. All rights reserved.