error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Posted: Fri Oct 13, 2023 10:14 pm
by zenon_brak
Hi, I need help with the following issue.
After updating to OpenVPN 3.4.0 (5457) on iOS, "error:0A000152:SSL routines::unsafe legacy renegotiation disabled" occurs when trying to connect.
In Settings -> Advanced Options, I have the Insecure (Not Recommended) option selected.
However, this doesn't help, I still can't connect...

Client Logs (## IP, PORT & DOMAIN removed for privacy ##):

[Oct 13, 2023, 23:47:09] START CONNECTION
[Oct 13, 2023, 23:47:09] ----- OpenVPN Start -----
OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 13, 2023, 23:47:09] OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 13, 2023, 23:47:09] Frame=512/2112/512 mssfix-ctrl=1250
[Oct 13, 2023, 23:47:09] EVENT: RESOLVE
[Oct 13, 2023, 23:47:09] Contacting <IP:PORT> via UDP 
[Oct 13, 2023, 23:47:09] EVENT: WAIT
[Oct 13, 2023, 23:47:09] Connecting to [<DOMAIN>]:<PORT> (<IP>) via UDP
[Oct 13, 2023, 23:47:10] EVENT: CONNECTING
[Oct 13, 2023, 23:47:10] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Oct 13, 2023, 23:47:10] Creds: UsernameEmpty/PasswordEmpty
[Oct 13, 2023, 23:47:10] Sending Peer Info:
IV_VER=3.8.2connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:DES-CBC:DES-EDE3-CBC:BF-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.ios_3.4.0-5457
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Oct 13, 2023, 23:47:10] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
[Oct 13, 2023, 23:47:10] Client terminated, restarting in 2000 ms...

Server Logs (## IP & PORT removed for privacy ##):

Oct 13 23:48:09 openvpn[534]: <IP:PORT> TLS Error: TLS handshake failed
Oct 13 23:48:09 openvpn[534]: <IP:PORT> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 13 23:47:09 openvpn[534]: <IP:PORT> LZO compression initialized
Oct 13 23:47:09 openvpn[534]: <IP:PORT> Re-using SSL/TLS context

Re: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Posted: Sun Jan 21, 2024 9:00 am
by dallinga
I have been getting this error too since late last year on my DrayTek router. I started using the DrayTek SSL VPN, but I need OpenVPN working for my travel Fire Stick for watching iPlayer abroad. Most annoying.

Re: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Posted: Wed Jan 31, 2024 9:55 am
by xberti
Hi, I also got this exception in the OpenVPN client on Android smartphones:

Client Log:

[Jan. 31, 2024, 09:29:05] EVENT: RECONNECTING

[Jan. 31, 2024, 09:29:05] Contacting xyz.xyz.xyz.xyz:1194 via UDP

[Jan. 31, 2024, 09:29:05] EVENT: RESOLVE

[Jan. 31, 2024, 09:29:05] EVENT: WAIT

[Jan. 31, 2024, 09:29:05] Connecting to [xyz.dyndns.org]:1194 (xyz.xyz.xyz.xyz) via UDP

[Jan. 31, 2024, 09:29:06] EVENT: CONNECTING

[Jan. 31, 2024, 09:29:06] Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[Jan. 31, 2024, 09:29:06] Creds: Username/Password

[Jan. 31, 2024, 09:29:06] Sending Peer Info:
IV_VER=3.8.4connectX
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=net.openvpn.connect.android_3.4.0-9755
IV_SSO=webauth,openurl,crtext


[Jan. 31, 2024, 09:29:06] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

[Jan. 31, 2024, 09:29:06] Client terminated, restarting in 2000 ms...

So this is the exception:

Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

I also have a DrayTek router (Vigor 2862) with OpenVPN Server included.

Does "unsafe legacy renegotiation disabled" mean I'll have to switch something at the OpenVPN client app?
I think that the client side has got an update (the Android OpenVPN App). Could this cause the problem?
If yes, what do I have to change on the client side?

Best regards
xberti

Re: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Posted: Tue Mar 12, 2024 12:28 pm
by kramms
Any luck with this? Same issue with the DrayTek 2952.

Re: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Posted: Thu May 23, 2024 1:29 pm
by samirchagan
Same error on my side.
[May 23, 2024, 14:06:36] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Windows client: OpenVPN Connect v3.4.4
DrayTek 2962 v4.3.2.6

Even with it set to insecure in the advanced settings of the OpenVPN client.