Parameter: SSL_Enable_Insecure_Renegotiate_Clients
Short description: Allows legacy clients without RFC 5746 support to keep using insecure TLS renegotiation – only use as a temporary bridge.
Profile

| Field | Value |
| --- | --- |
| Parameter | SSL_Enable_Insecure_Renegotiate_Clients |
| Category | Security / TLS |
| Component | Server |
| Available since | 10.0 |
| Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = only secure renegotiation (recommended), 1 = allow legacy clients |
Description
After the CVE-2009-3555 renegotiation attack, TLS renegotiation may only happen according to RFC 5746 (the Renegotiation Indication extension). Very old clients and libraries do not support this extension and abort the handshake.
SSL_Enable_Insecure_Renegotiate_Clients=1 relaxes the check, but it reopens the old vulnerability. Use it only as a bridge until the last legacy clients have been replaced.
Example configuration
SSL_Enable_Insecure_Renegotiate_Clients=1
Notes & pitfalls
- Security risk (MITM renegotiation) – document it and set an exit date.
- Combines with TLS_ALLOW_RENEGOTIATION, SSL_DISABLE_TLS_*, TLSCipherList.
- Not needed with modern browsers – in practice only affects ancient Notes clients / third-party libraries.
- Audit via DEBUG_TLS=1, which shows renegotiation attempts.
- The change takes effect after restarting the HTTP / SMTP / LDAP task.
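The description and the notes above describe a setting that should only ever be a documented, time-limited exception. The following added example (not HCL code, not part of this reference page) is a small audit script that parses a notes.ini, reports whether the insecure renegotiation bridge is switched on, lists the related parameters named above (TLS_ALLOW_RENEGOTIATION, SSL_DISABLE_TLS_*, TLSCipherList, DEBUG_TLS), and flags the case where the bridge is active but DEBUG_TLS logging of renegotiation attempts is not. It assumes notes.ini is plain KEY=VALUE lines with case-insensitive keys; the sample notes.ini fragment, including its server name and the SSL_DISABLE_TLS_10 line, is constructed for the example.

```python
"""Audit a Domino notes.ini for the insecure TLS renegotiation bridge setting.

Added example, not HCL's code. Assumes notes.ini consists of KEY=VALUE lines
and that keys are matched case-insensitively (how Domino reads them in practice).
"""

INSECURE_KEY = "SSL_ENABLE_INSECURE_RENEGOTIATE_CLIENTS"
# Parameters the reference page lists as interacting with this setting;
# SSL_DISABLE_TLS_* is a prefix family, so it is matched by prefix.
RELATED_KEYS = ("TLS_ALLOW_RENEGOTIATION", "TLSCIPHERLIST", "DEBUG_TLS")
RELATED_PREFIXES = ("SSL_DISABLE_TLS_",)


def parse_notes_ini(text):
    """Return {UPPER_KEY: value} for each KEY=VALUE line.

    Blank lines, comment lines (; or #) and [section] headers are skipped.
    Only the first '=' splits key from value, so values may contain '='.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            continue
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_renegotiation(settings):
    """Classify the renegotiation posture from a parsed notes.ini.

    Anything other than an explicit "1" is treated as the secure default (0).
    Returns the finding, the related parameters present, and a severity label.
    """
    enabled = settings.get(INSECURE_KEY, "0") == "1"
    related = {k: v for k, v in sorted(settings.items())
               if k in RELATED_KEYS or k.startswith(RELATED_PREFIXES)}
    return {
        "insecure_renegotiation_enabled": enabled,
        "debug_tls_logging": settings.get("DEBUG_TLS") == "1",
        "related": related,
        "severity": "HIGH" if enabled else "OK",
    }


def report(text):
    """Human-readable summary of the finding, returned as a list of lines."""
    finding = audit_renegotiation(parse_notes_ini(text))
    lines = [f"[{finding['severity']}] insecure renegotiation enabled: "
             f"{finding['insecure_renegotiation_enabled']}"]
    if finding["insecure_renegotiation_enabled"]:
        lines.append("  legacy-client bridge active (CVE-2009-3555 exposure); "
                     "document it and record an exit date")
        if not finding["debug_tls_logging"]:
            lines.append("  DEBUG_TLS=1 not set; renegotiation attempts will not be logged")
    for key, value in finding["related"].items():
        lines.append(f"  related: {key}={value}")
    return lines


# Constructed sample notes.ini fragment for the example (not from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
ServerName=CN=mail01/O=Example
SSL_Enable_Insecure_Renegotiate_Clients=1
TLS_ALLOW_RENEGOTIATION=1
SSL_DISABLE_TLS_10=1
DEBUG_TLS=0
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NOTES_INI)))
```

Run it against a real notes.ini by reading the file into `report()`; a server that only ever returns `[OK]` has never left the RFC 5746 default, and a `[HIGH]` line without DEBUG_TLS logging is the combination the notes above warn about: the bridge is open but nothing records which clients still depend on it.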