"unsafe legacy renegotiation disabled" error when using curl on shortened links

[geozeke]

How Shlink is set-up

• Shlink Version: latest
• PHP Version: latest
• How do you serve Shlink: Docker image
• Database engine used: MariaDB

Summary

Greetings! Phenomenal tool. Thanks so much for all the hard work on it.

I routinely package up material for a Python course I'm teaching into compressed tar archives. I host the compressed tar file on Google Drive, and use Shlink to create a shortened URL that can be downloaded and unpacked in Linux like this:

curl -L -o - tiny.dinobox.net/sissY | tar -xvpJ

The use of the -L option in curl is important, because it allows curl to follow Shlink's redirect to the actual URL.

I'm running my Shlink server in a docker container on a Raspberry Pi, and it worked like a champ until I recently upgraded my client computer to Ubuntu 22.04. Now, when I run the command above in Ubuntu 22.04, I get this error:

➜ curl -L -o - tiny.dinobox.net/sissY | tar -xvpJ
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
xz: (stdin): File format not recognized
tar: Child returned status 1
tar: Error is not recoverable: exiting now

If I replace the shortened URL with the raw (actual) URL, everything works:

➜ curl -L -o - https://drive.google.com/uc\?export\=download\&id\=1J9oTqzqSe-J4FEeCrrDic3vDVhogTRoy | tar -xvpJ
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2704  100  2704    0     0   3384      0 --:--:-- --:--:-- --:--:--  3384
./
./oddeven.py
./tests/
./tests/test_oddEven.py
./tests/__init__.py
./tests/demoData.bin
./README.txt

When I Google the error message, there are some references to other applications having the same issue. In those cases, OpenSSL 3.0.x may have dropped support for legacy SSL handshakes, which leads to the error.

Note: The links above are live and should work if you want to test them. Also, using Google Drive sharing links to download a file with something like curl (or wget) requires that the link be repackaged like this.

Current behavior

Attempting to use curl with Shlink-generated URLs in Ubuntu 22.04 no longer works.

Expected behavior

Shortened links would download.

How to reproduce

Using the curl command as shown above.

[acelaya]

Thanks for the kind words 🙂

I'm afraid this has nothing to do with Shlink, as it does not handle the encryption.

I suppose the problem is on the certificate being configured on the reverse proxy in front of Shlink.

[geozeke]

Ah! Thank you. My apologies. This makes sense. My certificate appears valid, but you've given me a good starting point for troubleshooting :-)