OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

[sebstepien]

Does this issue occur when all extensions are disabled?: Yes/No

• VS Code Version:
• OS Version:

Steps to Reproduce:

1. Launch WSL
2. Try starting Vscode using code .

Result
Connecting to update.code.visualstudio.com (update.code.visualstudio.com)|13.107.213.31|:443... connected.
OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Unable to establish SSL connection.

I would have imagined this to be a common situation.

[andrew-weisman]

FYI I just fixed this by loading the workspace from VS Code instead of from WSL, updating all extensions—probably especially the WSL extension—and making sure everything was working from there. Then I shut down VS Code, and the next time I ran “code .” it worked!

[sebstepien]

Yes. That was my workaround.

[pythonpadawanEXE]

I'm experiencing this same issue when running my dev container build, i assume it's why my extensions don't auto install.
I've tried the solutions from #5620 and related
Here's a snippet from my docker build

[39576 ms] Extensions cache, install extensions: ms-vscode-remote.remote-containers, VisualStudioExptTeam.vscodeintellicode, vscjava.vscode-java-pack
[39576 ms] Start: Run in container: test -d /root/.vscode-server/extensionsCache && ls /root/.vscode-server/extensionsCache || true
[39580 ms] 
[39580 ms] 
[39580 ms] Start: Run in container: test -d /vscode/vscode-server/extensionsCache && ls /vscode/vscode-server/extensionsCache || true
[39599 ms] af65741c-d181-4b86-a561-0ae1ba727fa1
[39599 ms] 
[39599 ms] Extensions cache, link in container: None
[39600 ms] Optimizing extensions for quality: stable
[39600 ms] Start: Run in container: /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/bin/code-server --log debug --force-disable-user-env --server-data-dir /root/.vscode-server --telemetry-level all --accept-server-license-terms --host 127.0.0.1 --port 0 --connection-token-file /root/.vscode-server/data/Machine/.connection-token-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension ms-vscode-remote.remote-containers --install-extension VisualStudioExptTeam.vscodeintellicode --install-extension vscjava.vscode-java-pack --start-server 
[39831 ms] userEnvProbe PATHs:
Probe:     '/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
Container: '/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
[39832 ms] Start: Run in container: mkdir -p '/tmp/devcontainers-2bdf9d97-da1b-4d6e-b759-8026d5db90c01694737755292' && cat > '/tmp/devcontainers-2bdf9d97-da1b-4d6e-b759-8026d5db90c01694737755292/env-loginInteractiveShell.json' << 'envJSON'
[39863 ms] 
[39863 ms] 
[40319 ms] *
* Visual Studio Code Server
*
* By using the software, you agree to
* the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and
* the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement).
*
[40346 ms] Server bound to 127.0.0.1:45937 (IPv4)
Extension host agent listening on 45937

[40347 ms] Start: Run in container: echo 45937 >'/root/.vscode-server/data/Machine/.devport-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d'
[40349 ms] 
[40349 ms] 
[40349 ms] Port forwarding for container port 45937 starts listening on local port.
[40351 ms] Port forwarding local port 45937 to container port 45937
[40365 ms] Port forwarding connection from 65202 > 45937 > 45937 in the container.
[40366 ms] Start: Run in container: /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/node -e 
[40372 ms] Start: Run in container: # Test for /root/.gitconfig and git
[40395 ms] 
[40395 ms] 
[40395 ms] Start: Run in container: # Copy /Users/user/.gitconfig to /root/.gitconfig
[40447 ms] 
[40447 ms] 
[40447 ms] Start: Run in container: # Cleaning up git config
[40540 ms] 
[40540 ms] 
[40540 ms] Start: Run in container: command -v git >/dev/null 2>&1 && git config --global --replace-all credential.helper '!f() { /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/node /tmp/vscode-remote-containers-b3725bbb-d4b7-4fe3-b612-2bf692de2340.js git-credential-helper $*; }; f' || true
[40575 ms] 
[40575 ms] 
[41016 ms] Port forwarding 65202 > 45937 > 45937 stderr: Connection established
[41215 ms] [10:29:57] 




[41345 ms] [10:29:57] Installing extensions...
[41361 ms] [10:29:57] Extension host agent started.
[41443 ms] Port forwarding connection from 65203 > 45937 > 45937 in the container.
[41443 ms] Start: Run in container: /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/node -e 
[41587 ms] [10:29:57] Started initializing default profile extensions in extensions installation folder. file:///root/.vscode-server/extensions
[41624 ms] [10:29:57] ComputeTargetPlatform: linux-x64
[41631 ms] [10:29:57] [127.0.0.1][d9498b89][ManagementConnection] New connection established.
[41658 ms] [10:29:57] Completed initializing default profile extensions in extensions installation folder. file:///root/.vscode-server/extensions
[41703 ms] [10:29:57] Log level changed to info
[42078 ms] Port forwarding 65203 > 45937 > 45937 stderr: Connection established
[42816 ms] [10:29:58] [127.0.0.1][f2366dfd][ExtensionHostConnection] New connection established.
[42842 ms] [10:29:58] [127.0.0.1][f2366dfd][ExtensionHostConnection] <580> Launched Extension Host Process.
[107847 ms] Start: Run in container: cat /proc/1004/environ

When the install script runs I get this error

root@docker-desktop:/workspaces# /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/bin/code-server --log debug --force-disable-user-env --server-data-dir /root/.vscode-server --telemetry-level all --accept-server-license-terms --host 127.0.0.1 --port 0 --connection-token-file /root/.vscode-server/data/Machine/.connection-token-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension ms-vscode-remote.remote-containers --install-extension VisualStudioExptTeam.vscodeintellicode --install-extension vscjava.vscode-java-pack --start-serve
Ignoring option 'start-serve': not supported for server.
Installing extensions...
Error while installing extensions: write EPROTO 40ACDA0040000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:

write EPROTO 40ACDA0040000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:

root@docker-desktop:/workspaces# /root/.vscode-server/bin/abd2f3db4bdb28f9e95536dfa84d8479f1eb312d/bin/code-server --log debug --force-disable-user-env --server-data-dir /root/.vscode-server --telemetry-level all --accept-server-license-terms --host 127.0.0.1 --port 0 --connection-token-file /root/.vscode-server/data/Machine/.connection-token-abd2f3db4bdb28f9e95536dfa84d8479f1eb312d --extensions-download-dir /root/.vscode-server/extensionsCache --install-extension ms-vscode-remote.remote-containers --install-extension VisualStudioExptTeam.vscodeintellicode --install-extension vscjava.vscode-java-pack --start-server
*
* Visual Studio Code Server
*
* By using the software, you agree to
* the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and
* the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement).
*
Server bound to 127.0.0.1:38103 (IPv4)
Extension host agent listening on 38103

[10:32:10] 




[10:32:10] Installing extensions...
[10:32:10] Extension host agent started.
[10:32:10] ComputeTargetPlatform: linux-x64
[10:32:10] ComputeTargetPlatform: linux-x64
[10:32:11] Error while installing extensions: write EPROTO 40ACDA0040000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:

[10:32:11] Error: write EPROTO 40ACDA0040000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:

    at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  errno: -71,
  code: 'EPROTO',
  syscall: 'write'
}
[10:32:11] No uninstalled extensions found.

But nothing is shown in the exension host log

2023-09-15 10:30:01.571 [info] Extension host with pid 580 started
2023-09-15 10:30:01.681 [info] Lock '/root/.vscode-server/data/User/workspaceStorage/b7264291173c5c660a7acbe47bf71a59/vscode.lock': Lock acquired.
2023-09-15 10:30:01.804 [info] ExtensionService#_doActivateExtension vscode.emmet, startup: false, activationEvent: 'onLanguage'
2023-09-15 10:30:01.809 [info] ExtensionService#_doActivateExtension vscode.tunnel-forwarding, startup: false, activationEvent: 'onTunnel'
2023-09-15 10:30:01.812 [info] ExtensionService#_doActivateExtension vscode.json-language-features, startup: false, activationEvent: 'onLanguage:jsonc'
2023-09-15 10:30:01.813 [info] ExtensionService#_doActivateExtension vscode.typescript-language-features, startup: false, activationEvent: 'onLanguage:jsonc'
2023-09-15 10:30:03.240 [info] ExtensionService#_doActivateExtension vscode.git-base, startup: true, activationEvent: '*', root cause: vscode.git
2023-09-15 10:30:03.388 [info] ExtensionService#_doActivateExtension vscode.git, startup: true, activationEvent: '*'
2023-09-15 10:30:03.390 [info] ExtensionService#_doActivateExtension vscode.github, startup: true, activationEvent: '*'
2023-09-15 10:30:04.070 [info] Eager extensions activated
2023-09-15 10:30:04.072 [info] ExtensionService#_doActivateExtension vscode.debug-auto-launch, startup: false, activationEvent: 'onStartupFinished'
2023-09-15 10:30:04.074 [info] ExtensionService#_doActivateExtension vscode.merge-conflict, startup: false, activationEvent: 'onStartupFinished'
2023-09-15 10:32:02.565 [info] ExtensionService#_doActivateExtension vscode.npm, startup: false, activationEvent: 'onTerminalQuickFixRequest:ms-vscode.npm-command'

[jcpoconnor]

This has just started happening to me - only when I'm using Cisco VPN and under WSL2 (Ubuntu-22.04)

[sliekens]

This also started happening to me (behind a corporate firewall which does TLS decryption and re-encrypts it.)

[error] Error while installing 'ms-dotnettools.csharp' extension in the remote server. write EPROTO C087A52FAD7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:

[aeschli]

This points to a configuration problem in the WSL distro:

We use the installed wget command:
wget -o server.zip https://update.code.visualstudio.com/commit:0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/server-linux-x64/stable

[sliekens]

@aeschli did you intend to close?

[aeschli]

Yes, my understanding is that this is a configuration issue on the OS side (WSL distro / docker container).
https://stackoverflow.com/questions/75763525/curl-35-error0a000152ssl-routinesunsafe-legacy-renegotiation-disabled
is about that.

As mentioned, what our script does is to call
wget -o server.zip https://update.code.visualstudio.com/commit:0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/server-linux-x64/stable
There's no configuration from the VS Code sie involved.

[sliekens]

Ah so you added Options = UnsafeLegacyServerConnect to your openssl config?

Is it also the case that your corporate MITM attack doesn't support secure renegotiation? That's what causes the error in my environment.

Agree it's not a vscode issue but enabling unsafe renegotiation seems a bit reckless to me.