FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
arcabah
Staff
Article Id 352869
Description

This article describes the scope and support of Legacy Real Servers in FortiADC.

Scope

FortiADC.

Solution

  1. When a Legacy Real Server is used on FortiADC firmware version 7.6.0, which ships OpenSSL 3.1, a Legacy Real Server running OpenSSL 1.1.1 has SSL_OP_LEGACY_SERVER_CONNECT set as an SSL option by default, even if renegotiation is not set to strict in the RS_SSL_Profile:

     Screenshot: fadc-legacy-002.png

  2. Enable the httproxy debug:

diagnose debug module ssl-of-httproxy all set
diagnose debug module httproxy ssl_ae_info
diagnose debug module httproxy all
diagnose debug module httproxy set-filter srcip=x.x.x.x(client IP address)
diagnose debug module httproxy set-filter vsname=(VSname)
diagnose debug enable

The following logs are shown:

Thu Sep 26 2024 10:14:21.265522 27463 ssl_sock_handshake@(src/ssl_sock.c:8370) [sess id:5b vs:VS_SRV-PROD157_EVALFONDECYT_ANID_HTTPS clt:192.168.221.220:14156] fd=41:server-side:common:handshake: Error, and ret value is 1, error string is error:0A000152:SSL routines::unsafe legacy renegotiation disabled
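To make the debug line above actionable, the following added example (not Fortinet code; the field layout is taken only from the line quoted above) parses FortiADC httproxy handshake errors, decodes the OpenSSL 3 error code into its library and reason numbers, and counts, per virtual server, the handshakes that failed with "unsafe legacy renegotiation disabled" (SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED = 338, packed as 0A000152). The second and third sample lines are constructed for illustration and are not from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# OpenSSL 3.x packs an error code as (library << 23) | reason.
# The constants below are OpenSSL's own (ERR_LIB_SSL from err.h,
# SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED from sslerr.h).
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED = 338

# Field layout of the FortiADC httproxy debug line quoted in the article.
SESSION_RE = re.compile(
    r"\[sess id:(?P<sess>[0-9a-f]+) vs:(?P<vs>\S+) "
    r"clt:(?P<clt>[0-9.]+):(?P<port>\d+)\]"
)
ERROR_RE = re.compile(
    r"error string is error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.+)$"
)

# Sample input. Line 1 is the article's own log line; lines 2 and 3 are
# constructed (a different OpenSSL failure and a non-handshake line).
SAMPLE_LOG = [
    "Thu Sep 26 2024 10:14:21.265522 27463 ssl_sock_handshake@(src/ssl_sock.c:8370) "
    "[sess id:5b vs:VS_SRV-PROD157_EVALFONDECYT_ANID_HTTPS clt:192.168.221.220:14156] "
    "fd=41:server-side:common:handshake: Error, and ret value is 1, "
    "error string is error:0A000152:SSL routines::unsafe legacy renegotiation disabled",
    "Thu Sep 26 2024 10:15:02.000000 27463 ssl_sock_handshake@(src/ssl_sock.c:8370) "
    "[sess id:5c vs:VS_EXAMPLE_HTTPS clt:192.168.221.221:14200] "
    "fd=42:server-side:common:handshake: Error, and ret value is 1, "
    "error string is error:0A000086:SSL routines::certificate verify failed",
    "Thu Sep 26 2024 10:15:03.000000 27463 httproxy_info: session 5d established",
]


@dataclass
class HandshakeError:
    session: str
    virtual_server: str
    client: str
    code: int
    library: int
    reason: int
    text: str

    @property
    def legacy_renegotiation(self) -> bool:
        """True when the failure is the RFC 5746 legacy-renegotiation rejection."""
        return (self.library == ERR_LIB_SSL
                and self.reason == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED)


def decode_openssl3_error(code: int) -> Tuple[int, int]:
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    return code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK


def parse_handshake_error(line: str) -> Optional[HandshakeError]:
    """Parse one httproxy debug line; None if it is not a handshake error."""
    if "ssl_sock_handshake" not in line:
        return None
    sess = SESSION_RE.search(line)
    err = ERROR_RE.search(line)
    if not sess or not err:
        return None
    code = int(err.group("code"), 16)
    library, reason = decode_openssl3_error(code)
    return HandshakeError(
        session=sess.group("sess"),
        virtual_server=sess.group("vs"),
        client=f"{sess.group('clt')}:{sess.group('port')}",
        code=code,
        library=library,
        reason=reason,
        text=err.group("text").strip(),
    )


def legacy_renegotiation_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Count handshakes rejected with 0A000152, keyed by virtual server name."""
    counts: Dict[str, int] = {}
    for line in lines:
        entry = parse_handshake_error(line)
        if entry and entry.legacy_renegotiation:
            counts[entry.virtual_server] = counts.get(entry.virtual_server, 0) + 1
    return counts


if __name__ == "__main__":
    for vs, n in legacy_renegotiation_failures(SAMPLE_LOG).items():
        print(f"{vs}: {n} handshake(s) failed, real server lacks secure renegotiation")
```

Virtual servers that appear in the output are the ones whose real servers do not offer secure renegotiation; they are the candidates for the RS_SSL_Profile change and for the fixed firmware described in the rest of this article.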
  3. Disabling strict renegotiation still shows the same logs, because of the newer OpenSSL version now used in FortiADC:

     Screenshot: fadc-legacy-001.jpg

  4. The long-term fix for the SSL handshake error 'unsafe legacy renegotiation disabled', which occurs when the real server does not support secure renegotiation, will ship in the next major release, FortiADC v7.4.6 and v7.6.1: these versions will set SSL_OP_LEGACY_SERVER_CONNECT as an SSL option when secure renegotiation is not set to strict.