Commit c87b422

procedure + comments
1 parent c4c00eb commit c87b422

1 file changed

+34
-18
lines changed
source/includes/troubleshooting/tls.rst

@@ -137,35 +137,51 @@ message:
137137
These types of errors occur because of outdated or buggy SSL proxies that mistakenly
138138
enforce legacy `TLS renegotiation <https://www.ibm.com/docs/en/i/7.3?topic=settings-renegotiation>`__.
139139

140-
To resolve this issue, create a configuration file that includes the
141-
``UnsafeLegacyServerConnect`` option. This option requires OpenSSL v3.0.4 or
142-
greater. The following example shows how to set the ``UnsafeLegacyServerConnect``
143-
option:
140+
To resolve this issue, perform the following steps:
144141

145-
.. code-block:: shell
146-
:emphasize-lines: 10
142+
.. procedure::
143+
144+
.. step:: Check OpenSSL Version
145+
146+
Run the following command to ensure that you have OpenSSL vv3.0.4 or
147+
later installed:
148+
149+
.. code-block:: bash
150+
151+
openssl version
152+
153+
.. step:: Use ``UnsafeLegacyServerConnect`` Option
154+
155+
Create a configuration file that includes the
156+
``UnsafeLegacyServerConnect`` option. The following example shows how to set
157+
the ``UnsafeLegacyServerConnect`` option:
158+
159+
.. code-block:: shell
160+
:emphasize-lines: 10
161+
162+
openssl_conf = openssl_init
147163
148-
openssl_conf = openssl_init
164+
[openssl_init]
165+
ssl_conf = ssl_sect
149166
150-
[openssl_init]
151-
ssl_conf = ssl_sect
167+
[ssl_sect]
168+
system_default = system_default_sect
152169
153-
[ssl_sect]
154-
system_default = system_default_sect
170+
[system_default_sect]
171+
Options = UnsafeLegacyServerConnect
155172
156-
[system_default_sect]
157-
Options = UnsafeLegacyServerConnect
173+
.. step:: Run Python With OpenSSL Configuration
158174

159-
Then run Python while setting the ``OPENSSL_CONF`` environment variable to use
160-
the OpenSSL configuration file you just created:
175+
Run Python while setting the ``OPENSSL_CONF`` environment variable to use
176+
the OpenSSL configuration file you just created:
161177

162-
.. code-block:: shell
178+
.. code-block:: shell
163179
164-
OPENSSL_CONF=/path/to/the/config/file/above.cnf python ...
180+
OPENSSL_CONF=/path/to/the/config/file/above.cnf python ...
165181
166182
.. important::
167183

168184
Because setting the ``UnsafeLegacyServerConnect`` option has
169185
`security implications <https://docs.openssl.org/3.0/man3/SSL_CTX_set_options/#patched-openssl-client-and-unpatched-server>`__,
170-
this workaround should only be used as a last
186+
use this workaround as a last
171187
resort to address ``unsafe legacy renegotiation disabled`` errors.
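
Review bot: The new "Check OpenSSL Version" step (added lines 144-151) verifies the wrong thing for this workaround: ``openssl version`` reports the command-line binary, which is not necessarily the OpenSSL library that the Python interpreter in the last step is linked against, so a reader can pass this check and still have ``UnsafeLegacyServerConnect`` rejected. Consider checking from Python instead, for example ``python -c "import ssl; print(ssl.OPENSSL_VERSION)"``. In the same step, "OpenSSL vv3.0.4" at added line 146 has a doubled "v". The configuration file block at added line 159 is still tagged ``.. code-block:: shell`` although its content is an OpenSSL config file, not shell, and the new version-check block uses ``bash`` while the final block uses ``shell``; pick one lexer for the commands and a non-shell one (or ``none``) for the config. ``:emphasize-lines: 10`` still points at the ``Options = UnsafeLegacyServerConnect`` line only as long as the blank separator lines inside the block are preserved, so confirm the rendered output after the re-indent.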
