openssl 3.0.0 i error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Pon, 20 Gru 2021, 15:53:01 CET

Cześć

Zrobiłem upgrade serwera do aktualnych wersji z main (między innymi 
openssl 3.0.0) i próby połączenia z https://mapy.geoportal.gov.pl 
wget'em, curl'em, przez php itp kończą się błędem:

error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Np.:

$ curl -v -k https://mapy.geoportal.gov.pl
*   Trying 91.223.135.44:443...
* Connected to mapy.geoportal.gov.pl (91.223.135.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Na serwerze z openssl 1.1.1l curl się łączy:

$ curl -v -k https://mapy.geoportal.gov.pl/
*   Trying 91.223.135.44:443...
* Connected to mapy.geoportal.gov.pl (91.223.135.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.geoportal.gov.pl
*  start date: Mar  4 23:00:00 2021 GMT
*  expire date: Mar  4 23:00:00 2022 GMT
*  issuer: C=PL; O=Unizeto Technologies S.A.; OU=Certum Certification 
Authority; CN=Certum Domain Validation CA SHA2
*  SSL certificate verify ok.
 > GET / HTTP/1.1
 > Host: mapy.geoportal.gov.pl
 > User-Agent: curl/7.78.0
 > Accept: */*
 >
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Moved Temporarily
< Location: https://mapy.geoportal.gov.pl/imap/
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< Content-Length: 0

Co należy wpisać do openssl.cnf aby zezwolić na takie połączenia?

Próbowałem różnych kombinacji w rodzaju:

Options = UnsafeLegacyRenegotiation ClientRenegotiation !NoRenegotiation

ale efektów to nie przyniosło :-(

pozdrawiam

         Bartek