Skip to content

Unsafe Legacy Renegotiation Disabled

Sometimes browsing to a given site might result into the 502 Bad Gateway error with the following description text

Web Filtering Proxy was not able to forward the client request to the origin 

The following error occurred while processing the client request: Proxy was 
not able to establish the secure connection to the origin server. Error 
code: A000152, error category: asio.ssl, error message: unsafe legacy 
renegotiation disabled (SSL routines). Connection to the origin server and 
to the client will now be terminated.

The browser will then show a blocked page as on the following screenshot.

Bad Gateway Error

If you check the site in question using for example TSL server test utility it will become obvious that the site has explicitly disabled the SSL renegotiation as explained in this article.

Latest version of OpenSSL 3 that is used in Web Filtering Proxy contains default setting that requires a remote site to unconditionally have support for secure renegotiation - which is recommended to improve overall security of the connections, described in OpenSSL 3 developer migration guide.

Secure renegotiation is now required by default for TLS connections

Support for RFC 5746 secure renegotiation is now required by default for 
SSL or TLS connections to succeed. Applications that require the ability
to connect to legacy peers will need to explicitly set 
is no longer set as part of SSL_OP_ALL.

Correct steps to mitigate this error is to tell the admin of the remote site to move to latest version of OpenSSL. If this is not possible, two other possibilities exist.

Option 1 - Add to Global Exclusions

Add the domain you need to connect to to Global Exclusions. This will force the proxy to treat this connection as opaque tunnel of bytes. Then your browser will decide if it is OK to connect to that domain or not.

Option 2 - Allow Legacy Connections

Enable support for SSL_OP_LEGACY_SERVER_CONNECT in Proxy Settings / Origin Connections as shown on the following screenshot.

Enable Legacy Server Connect

From now on the connection to the problematic domain will be allowed.