Encountering OpenSSL / TLS problems

Symptoms

Random error notifications containing OpenSSL and SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED when calling out to different APIs. The source tool and the target system can vary a lot:

  • pip calls can fail when loading data from pypi
  • Robocorp Vault calls can fail in robot runs
  • Calls to APIs like Salesforce can fail randomly.

The common part is the OpenSSL and SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED error text.

Reason

OpenSSL is at the time of writing (10/2022) maintaining two version branches, v3 and v1.1.1, as users move to the new v3 implementation. OpenSSL v3 is a lot stricter when it comes to TLS protocols. Anything older than TLSv1.2 should not be used, as older versions have had severe security vulnerabilities. Basically just about all servers are already on TLSv1.2, but some servers incorrectly state their capability to do renegotiation, and this trips up OpenSSL v3 and causes the problem.

If you load Python from conda-forge using conda.yaml and RCC you get the newer OpenSSL v3, whereas if you get Python using the installers you will get OpenSSL v1.1.1q.

OpenSSL v3 tightens the screws on everything related to TLS and also drops a lot of legacy functionality, which is why it detects the problem while runs with OpenSSL v1.1.1q do not.

Related links:

Solution

The workaround is to load OpenSSL v1.1.1q (or later) in your conda.yaml after you have loaded Python and pip:

channels:
  - conda-forge
dependencies:
  - python=3.9.13
  - pip=22.1.2
  - openssl=1.1.1q
  - pip:
      - rpaframework==17.3.0

The OpenSSL v1.1.1 branch is still maintained and gets the same fixes as the v3 branch, so it is a safe solution for now.

At some point v3 will be the only option, and it is good to note that other tools are also tightening their TLS handling, so the misbehaving servers will become a problem at some point. Using OpenSSL v3 to test your network in time is therefore a good recommendation. Finding the server(s) causing this has proven really hard; we have an example bot that provides some test runs and OpenSSL calls to help find a case that fails.

Then, unfortunately, it is a case of hunting at the protocol level with tools like Wireshark to find the server that is misbehaving.
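To narrow down which endpoint trips OpenSSL v3 before reaching for Wireshark, the following added script (not part of this page or of Robocorp's example bot) performs the same strict handshake Python's ssl module does against each host and reports the ones that fail with the renegotiation error. Run it from the conda-forge Python that links OpenSSL v3; the default host list is a placeholder to replace with the endpoints your bot actually calls.

```python
import socket
import ssl

LEGACY_RENEG_MARKER = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def openssl_is_v3() -> bool:
    """True when the Python in use links OpenSSL 3.x (the strict branch)."""
    return ssl.OPENSSL_VERSION_INFO[0] >= 3


def classify_tls_error(exc: BaseException) -> str:
    """Map a handshake exception to a short verdict used in the report."""
    # ssl.SSLError carries the OpenSSL reason code in .reason; fall back to text.
    if getattr(exc, "reason", None) == LEGACY_RENEG_MARKER or LEGACY_RENEG_MARKER in str(exc):
        return "no-secure-renegotiation"  # server does not advertise secure renegotiation
    if isinstance(exc, ssl.SSLError):
        return "other-tls-error"          # e.g. certificate verification failure
    return "connection-error"             # DNS, connection refused, timeout


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open one TLS connection with the default (strict) context and report."""
    ctx = ssl.create_default_context()    # certificate verification on, OpenSSL defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "verdict": "ok",
                        "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except Exception as exc:  # any failure is part of the report, so catch broadly
        return {"host": host, "verdict": classify_tls_error(exc), "detail": str(exc)}


def probe_all(hosts) -> list:
    """Probe every host and return only the ones that fail the strict handshake."""
    return [r for r in (probe_server(h) for h in hosts) if r["verdict"] != "ok"]


if __name__ == "__main__":
    import sys
    # Placeholder target list: pass the hosts your bot talks to on the command line.
    targets = sys.argv[1:] or ["pypi.org"]
    print("OpenSSL:", ssl.OPENSSL_VERSION, "(strict v3 branch)" if openssl_is_v3() else "")
    for result in probe_all(targets):
        print(result)
```

A host reported as no-secure-renegotiation under OpenSSL v3 is the one to raise with its operator; the same probe run from an installer Python with OpenSSL v1.1.1q will typically report it as ok.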

October 14, 2022