I do not think you are supposed to just aimlessly add SSL_OP_NO_RENEGOTIATION to openssl.cnf. That is not documented in openssl.cnf(5).
Was a hail mary based on suggestions for other issues from non-grommunio apps.
Under dispute that it should be disabled by the server, not openSSL, which in this instance I read as grommunio (maybe a feature enhancement request?)
By my tests, openssl 1.1.x allows renego and openssl 3.x does not.
Hey good catch, I'll try 3.x
Thanks for your time!