5

I'm trying to hit an HTTPS endpoint to pull back some data using Common Lisp (SBCL). For a while this worked without issue. Then one day I started receiving the following error:

SSL error queue:
error:0A000152:SSL routines::unsafe legacy renegotiation disabled
   [Condition of type CL+SSL::SSL-ERROR-SSL]

I've tried using both drakma and dexador, but see the same error from both. I've confirmed through openssl that the server I'm trying to connect to does not support renegotiation.

From openssl s_client -connect

New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported

I'm on OS X and my OpenSSL version is LibreSSL 2.8.3.

So to my understanding my client is trying to initiate renegotiation, but the server is rejecting it. I don't really know where to go from here, and at this point I'm not even sure what level the problem is truly at: OpenSSL, CL+SSL, or the HTTP client libraries built on top of CL+SSL. Is there some way to disable renegotiation, or force a new connection? Is there some setting I'm missing?

Rainer Joswig
jfaulks
  • Is there any luck in resolving this issue ... ? – Varesh Jan 15 '22 at 12:39
  • Unsafe renegotiation can be enabled again using the "-legacy_renegotiation" parameter. e.g. `openssl s_client -connect www.google.de:443 -legacy_renegotiation` – Sephiroth May 11 '22 at 13:12

1 Answer

2

In OpenSSL 1.1.1, the SSL_OP_LEGACY_SERVER_CONNECT flag was turned on by default, but it is turned off by default as of OpenSSL 3.0.0.

Check the article below:

SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);

https://www.openssl.org/docs/man3.0/man3/SSL_clear_options.html

안창희
    Hi! I got OpenSSL version 3 from creating a new conda environment, then running "conda install -c conda-forge gdal". I don't understand from your comment how I can enable SSL_OP_LEGACY_SERVER_CONNECT. Is this a flag you modify when you "make" the openssl, or something you change in a config file? – Zoltan Jun 06 '22 at 18:31
    A manual for SSL_CONF_cmd shows the corresponding command-line option `-legacy_server_connect`. – eel ghEEz May 26 '23 at 15:11
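The answer's fix applied from Python's ssl module, as an added example that is not code from the post or from CL+SSL: it reports whether the linked OpenSSL still enables the option by default, and scopes the workaround to one context used only for the host that needs it, with certificate verification left on. The raw bit value 0x4 used for Python versions older than 3.12, and the helper names, are assumptions of this example.

```python
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT is exposed as ssl.OP_LEGACY_SERVER_CONNECT from
# Python 3.12; on older versions we assume OpenSSL's raw bit value 0x4 (ssl.h).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# Error text copied from the question, used to recognise this specific failure.
LEGACY_RENEG_MSG = "unsafe legacy renegotiation disabled"


def default_allows_legacy_servers() -> bool:
    """Report whether the OpenSSL this interpreter links turns the option on by
    default. Per the answer, OpenSSL 1.1.1 did and OpenSSL 3.x does not, which
    is what turns a server without secure renegotiation into the error above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


def is_legacy_renegotiation_error(text: str) -> bool:
    """True only for the renegotiation error; other SSL errors (bad certificate,
    protocol mismatch) must not be 'fixed' by relaxing this option."""
    return LEGACY_RENEG_MSG in text


def make_legacy_tolerant_context() -> ssl.SSLContext:
    """Client context equivalent to
    SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT).
    Scope it to the one legacy host; do not touch the process-wide default."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def legacy_option_set(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


def verification_intact(ctx: ssl.SSLContext) -> bool:
    """Re-enabling legacy renegotiation must not be paired with disabling
    certificate checks, a common mistake when chasing TLS errors."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def context_for(error_text: str) -> ssl.SSLContext:
    """Pick the context for a retry: relaxed only when the first attempt failed
    with the legacy-renegotiation error, the strict default otherwise."""
    if is_legacy_renegotiation_error(error_text):
        return make_legacy_tolerant_context()
    return ssl.create_default_context()
```

The same bit is what the comments' `-legacy_server_connect` switch sets on the openssl command line, so this context is the programmatic counterpart of that test.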