How to Enable Legacy Encryption Methods in OpenSSL3

Created/Edited - 12/6/2024 by Matt Hochstein | Alteryx

Environment

The workaround requires a recent build of Designer or Server, one that has the legacy.dll added to the installer. The released versions which first incorporated the change are:

  • 2022.3 GA (2022.3.1.395)
  • 2022.1 Patch 4 (2022.1.1.42604)

 

Procedure

With the 2022.1 release of Alteryx Designer and Server, we upgraded the version of OpenSSL we bundle from the OpenSSL 1.1.x release line to OpenSSL 3.0.x. As of writing this article, we are shipping 3.0.7. With the release of OpenSSL 3, the OpenSSL foundation decided to move several older algorithms out of the main module and into a legacy.dll assembly which is not loaded by the default configuration. These algorithms are considered deprecated and their use is strongly discouraged, but end users may encounter situations where they do not have control over the security features of the endpoint to which they’re attempting to connect. In these cases, it may be useful to configure OpenSSL to load the legacy provider module as a workaround, thus enabling connectivity from Alteryx until the offending endpoint can be upgraded or reconfigured.

The algorithms deprecated in the main OpenSSL build but still provided by the legacy module are listed here. Of particular note is MD4, which is required for NTLM authentication.

THIS CONFIGURATION CHANGE HAS RAMIFICATIONS FOR ALL OUTBOUND CONNECTIONS MADE BY ANY ALTERYX COMPONENT USING OPENSSL ON THE MODIFIED HOST, AND MAY ALLOW CIPHER DOWNGRADE ATTACKS ON THOSE CONNECTIONS WHICH WOULD OTHERWISE BE REJECTED.

This change does not affect the ciphers used to secure and authenticate end-user connections to an Alteryx Server installation. Only connections originating from a modified host will be affected.

To configure OpenSSL to load the legacy provider, use Administrator privileges to create the following file with the content shown below:

For Designer Admin:
[INSTALL_DRIVE]:\Program Files\Alteryx\bin\ssl\cryptolib.cnf

For Designer Non-Admin:
[INSTALL_DRIVE]:\Users\{userName}\AppData\Local\Alteryx\bin\ssl\cryptolib.cnf


[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1


For the Python SDK, it is also necessary to create or edit the file below, which should have this content:

For Designer Admin:
[INSTALL_DRIVE]:\Program Files\Alteryx\bin\Python\python-3.8.5-embed-amd64\ssl\cryptolib.cnf

For Designer Non-Admin:
[INSTALL_DRIVE]:\Users\{userName}\AppData\Local\Alteryx\bin\Python\python-3.8.5-embed-amd64\ssl\cryptolib.cnf


[provider_sect]
default = default_sect
legacy = legacy_sect
fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.

[default_sect]
activate = 1

[legacy_sect]
activate = 1

 

Note that this file may already exist; the critical changes are shown in yellow in this image:

[Image: image.png]

Restart Alteryx after making the changes.
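
As an added example (not Alteryx's own code), the Python check below reads the text of a cryptolib.cnf and reports which providers its provider section turns on, so a host changed per this article can be picked out in a configuration review. The function names and the LEGACY_ONLY_CNF sample are constructed here; it assumes the provider list lives in [provider_sect] as shown above, and it inspects the file text only, not what OpenSSL has loaded at runtime.

```python
# Provider sections as the article gives them for the Python SDK cryptolib.cnf.
ARTICLE_CNF = """\
[provider_sect]
default = default_sect
legacy = legacy_sect
fips = fips_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""
# Constructed variant: legacy activated, default provider left out.
LEGACY_ONLY_CNF = "[provider_sect]\nlegacy = legacy_sect\n[legacy_sect]\nactivate = 1\n"

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def provider_state(text, provider_section="provider_sect"):
    """Map each listed provider to 'active', 'inactive' or 'undefined'."""
    cnf = parse_cnf(text)
    state = {}
    for name, sect in cnf.get(provider_section, {}).items():
        # Conservative: any 'activate' key counts as active, whatever its value.
        state[name] = ("undefined" if sect not in cnf else
                       "active" if "activate" in cnf[sect] else "inactive")
    return state

def audit(text):
    """Return review findings for one cryptolib.cnf (hypothetical helper)."""
    state = provider_state(text)
    findings = []
    if state.get("legacy") == "active":
        findings.append("legacy provider active: deprecated algorithms such as MD4 are usable")
    if "active" in state.values() and state.get("default") != "active":
        findings.append("default provider not explicitly activated")
    findings += [f"{n} listed without its section" for n, s in state.items() if s == "undefined"]
    return findings
```

Run over the article's Python SDK content, audit() reports the active legacy provider and the fips entry that has no section of its own; the legacy-only sample additionally triggers the missing-default finding that the file's own comment warns about.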

 
