You may encounter the following SSL error in Python, especially when using the `requests` library:

```
SSLError: SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1129)')
```

There are a couple of approaches you can try to resolve it:
- First Attempt: If you're using Python's `requests` library, try bypassing SSL verification by setting `verify=False`. However, use this method cautiously: with certificate verification turned off, your application is exposed to security risks.
- More Secure Approach: If the quick fix doesn't work or you're looking for a more secure solution, you'll need to modify the OpenSSL configuration file (`/etc/ssl/openssl.cnf`). Be aware that changes to this file apply system-wide and could affect all applications using OpenSSL on your system.
  - Locate the Configuration: Navigate to the end of the `openssl.cnf` file. You should find these lines:

    ```
    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    CipherString = DEFAULT:@SECLEVEL=2
    ```
  - Identify Your OpenSSL Version: Run `openssl version -a` to check your OpenSSL version, as the specific fix depends on it. The command's output will include the version and build details.
  - Apply the Fix:
    - For OpenSSL v3.0.2 and older, add `Options = UnsafeLegacyRenegotiation` immediately after the `CipherString =` line without leaving any empty line.
    - For OpenSSL v3.0.4 and newer, use `Options = UnsafeLegacyServerConnect` instead.
- Disabling Older TLS Versions: As an alternative to the above methods, you can choose to disallow the use of TLSv1.2. This can be done by adding `MinProtocol = TLSv1.3` in the same section, which forces the use of TLSv1.3 only. This method enhances security, but make sure your applications support TLSv1.3 before enabling it.
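
Added example, not from the original page: instead of changing `openssl.cnf` for every application on the system, the behaviour of `Options = UnsafeLegacyServerConnect` can be enabled for a single `requests` session, with certificate verification left on. The function names and the `https://legacy.example.internal/` prefix are hypothetical; `0x4` is the value of OpenSSL's `SSL_OP_LEGACY_SERVER_CONNECT`, used as a fallback when Python's `ssl` module does not export the constant by name.

```python
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT: newer Python versions export it by name,
# older ones need the raw OpenSSL value 0x4.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def legacy_server_context():
    """Default client context plus legacy server connect; nothing else is relaxed."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking stay on
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def legacy_session(url_prefix):
    """Return a requests.Session that uses the relaxed context only for url_prefix."""
    import requests  # imported here so the context helper works without requests
    from requests.adapters import HTTPAdapter

    class LegacyServerAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            # Hand urllib3 our context instead of the one it would build itself.
            kwargs["ssl_context"] = legacy_server_context()
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    # Only URLs starting with url_prefix go through the relaxed adapter.
    session.mount(url_prefix, LegacyServerAdapter())
    return session


if __name__ == "__main__":
    ctx = legacy_server_context()
    print("legacy server connect:", bool(ctx.options & OP_LEGACY_SERVER_CONNECT))
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    # Hypothetical host; every other URL keeps the stock adapter and context.
    # session = legacy_session("https://legacy.example.internal/")
    # session.get("https://legacy.example.internal/status", timeout=10)
```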