If you encounter the following SSL error in Python, especially when using the requests library:

    SSLError: SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1129)')

There are a couple of approaches you can try to resolve it:
- First Attempt: If you're using Python's requests library, try bypassing SSL verification by setting verify=False. However, use this method cautiously: it turns off certificate validation and could make your application vulnerable to security risks.
- More Secure Approach: If the quick fix doesn't work or you're looking for a more secure solution, you'll need to modify the OpenSSL configuration file (/etc/ssl/openssl.cnf). Be aware that changes to this file apply system-wide and could affect all applications using OpenSSL on your system.
  - Locate the Configuration: Navigate to the end of the openssl.cnf file. You should find these lines:

        [ssl_sect]
        system_default = system_default_sect

        [system_default_sect]
        CipherString = DEFAULT:@SECLEVEL=2

  - Identify Your OpenSSL Version: Run openssl version -a to check your OpenSSL version, as the specific fix depends on it. The command's output will include the version and build details.
  - Apply the Fix:
    - For OpenSSL v3.0.2 and older, add Options = UnsafeLegacyRenegotiation immediately after the CipherString = line without leaving any empty line.
    - For OpenSSL v3.0.4 and newer, use Options = UnsafeLegacyServerConnect instead.
- Disabling Older TLS Versions: As an alternative to the above methods, you can choose to disallow the use of TLSv1.2. This can be done by adding MinProtocol = TLSv1.3 in the same section, which forces the use of TLSv1.3 only. This method enhances security, but make sure your applications support TLSv1.3.
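
Because editing /etc/ssl/openssl.cnf affects every application, the same two settings can instead be applied to a single SSL context inside one Python process, with certificate and hostname verification left on. This is an added example, not part of the original page; it uses the standard-library ssl and urllib modules rather than requests, and the function names are hypothetical.

```python
import ssl
import urllib.request

# Numeric value of OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT. Python exposes it
# by name (ssl.OP_LEGACY_SERVER_CONNECT) only from 3.12, so fall back to 0x4.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def legacy_server_context():
    """Per-context counterpart of 'Options = UnsafeLegacyServerConnect'."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check stay on
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def tls13_only_context():
    """Per-context counterpart of 'MinProtocol = TLSv1.3'."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context for review or logging."""
    return {
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "legacy_server_connect": bool(ctx.options & OP_LEGACY_SERVER_CONNECT),
        "minimum_version": ctx.minimum_version.name,
    }


def fetch(url, context, timeout=10):
    """GET url through an opener bound to the given context only."""
    handler = urllib.request.HTTPSHandler(context=context)
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # No network access needed: just show what each context enforces.
    print(describe(legacy_server_context()))
    print(describe(tls13_only_context()))
```

Pass the legacy context to fetch() only for the specific server that lacks secure renegotiation; other connections in the same process keep the default context.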