
ssl UNSAFE_LEGACY_RENEGOTIATION_DISABLED unsafe legacy renegotiation disabled #81

Open
smoser opened this issue Apr 21, 2022 · 4 comments · May be fixed by #126

Comments


smoser commented Apr 21, 2022

I hit the error below today after an upgrade to Ubuntu 22.04 with newer openssl (3.0.2).

$ openconnect-sso --server=my.company.endpoint.com/ssl
[info     ] Authenticating to VPN end
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
    conn.connect()
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

I poked for a little bit at trying a python code stackoverflow suggestion but was not successful.

The fix I found was from launchpad bug 1963834 with more information on openssl-users ml. Thanks to @hallyn for helping to find it.

Here it is for anyone interested:

$ cat ./my-ssl.conf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

$ export OPENSSL_CONF="./my-ssl.conf"
$ openconnect-sso --server=....
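As an added example (this is not openconnect-sso's code, nor the StackOverflow suggestion mentioned above): the `OPENSSL_CONF` workaround relaxes the default for every `SSL_CTX` the process creates, whereas the same OpenSSL option can be set on a single `SSLContext` and handed only to the one endpoint that still lacks RFC 5746 secure-renegotiation support. The function names, the urllib opener and the sample error objects are assumptions made for this example; the `0x4` fallback is OpenSSL's value of `SSL_OP_LEGACY_SERVER_CONNECT`, which Python 3.12 exposes as `ssl.OP_LEGACY_SERVER_CONNECT` but 3.10 (Ubuntu 22.04) does not.

```python
"""Scope the legacy-renegotiation opt-in to one TLS context.

Added example, not openconnect-sso code. The OPENSSL_CONF workaround above
relaxes the default for every SSL_CTX in the process; this keeps the
OpenSSL 3 default everywhere and sets SSL_OP_LEGACY_SERVER_CONNECT only on
the context given to the endpoint that needs it.
"""
import ssl
import urllib.request

# Python 3.12 exposes the flag as ssl.OP_LEGACY_SERVER_CONNECT; 3.10 does not,
# so fall back to OpenSSL's numeric value of SSL_OP_LEGACY_SERVER_CONNECT (0x4
# in both OpenSSL 1.1.1 and 3.x). Kept as a plain int for the bit arithmetic.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Reason string OpenSSL reports for this handshake failure (see traceback above).
ERROR_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"

# Constructed sample errors (assumed shapes, for testing the classifier offline).
SAMPLE_LEGACY_ERROR = ssl.SSLError(
    1, "[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation "
       "disabled (_ssl.c:997)")
SAMPLE_OTHER_ERROR = ssl.SSLCertVerificationError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed")


def allows_legacy_renegotiation(ctx: ssl.SSLContext) -> bool:
    """True if ctx will complete a handshake with a non-RFC 5746 server."""
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


def legacy_renegotiation_context(allow: bool) -> ssl.SSLContext:
    """Verifying client context with the legacy flag explicitly set or cleared.

    The flag is cleared explicitly rather than left alone because OpenSSL 1.1.1
    still sets it by default; only OpenSSL 3 dropped it from the defaults.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if allow:
        ctx.options |= OP_LEGACY_SERVER_CONNECT
    else:
        ctx.options = ctx.options & ~OP_LEGACY_SERVER_CONNECT
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Certificate chain and hostname verification must survive the opt-in."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_context_allows_legacy() -> bool:
    """Report what a freshly created context does in this process.

    OPENSSL_CONF's system_default section is applied when the SSL_CTX is
    created, so this is a quick check that an exported config was picked up.
    """
    return allows_legacy_renegotiation(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def is_legacy_renegotiation_error(exc: BaseException) -> bool:
    """Match only this handshake failure, never other SSL errors.

    A certificate or hostname failure must not trigger a retry with the
    relaxed context, so the check is on the specific OpenSSL reason.
    """
    if not isinstance(exc, ssl.SSLError):
        return False
    # .reason is filled in by the C layer on real errors; fall back to the text.
    return getattr(exc, "reason", None) == ERROR_REASON or ERROR_REASON in str(exc)


def opener_for_legacy_endpoint() -> urllib.request.OpenerDirector:
    """urllib opener whose HTTPS connections use only the relaxed context."""
    handler = urllib.request.HTTPSHandler(context=legacy_renegotiation_context(True))
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    print("process default allows legacy renegotiation:", default_context_allows_legacy())
    print("scoped context allows it:",
          allows_legacy_renegotiation(legacy_renegotiation_context(True)))
```

The scoped context still verifies the certificate chain and hostname; only the renegotiation-indication requirement is relaxed, and only for connections made through that context. `default_context_allows_legacy()` is the check to run after exporting `OPENSSL_CONF`: it reports `True` when the config was applied (and also on OpenSSL 1.1.1 without any config, since that release only dropped the flag from its defaults in 3.0).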
@lucashtc

This solves the error in the console, but when the browser opens it does not load; the browser is blank.

@lucashtc

I managed to solve the white page problem using

QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/ssl.conf openconnect-sso -s vpnxxxxx.com.br

alx242 added a commit to alx242/dot-files that referenced this issue Apr 27, 2022

hennr commented Aug 19, 2022

Using pyqt6 binding does also fix the white page that the browser shows.
See #86


ElectricRCAircraftGuy commented Dec 22, 2022

Thank you @smoser and @lucashtc. Your solutions solved it for me and got me unblocked on Ubuntu 22.04 when following my own instructions here: How to use "openconnect" (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO).

For anyone who needs more-explicit instructions, here's how I'd do it:

  1. Create a ~/.my_ssl.conf file:

    gedit ~/.my_ssl.conf

    Then paste the following into it:

    # Custom configuration to solve some problems while using `openconnect-sso` in Ubuntu 22.04.
    # See: https://github.com/vlaci/openconnect-sso/issues/81#issuecomment-1363355533
    
    openssl_conf = openssl_init
    
    [openssl_init]
    ssl_conf = ssl_sect
    
    [ssl_sect]
    system_default = system_default_sect
    
    [system_default_sect]
    Options = UnsafeLegacyRenegotiation

    Save it and close it.

  2. Then run this:

    VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
    VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
    VPN_USER="[email protected]"      # example username
    # or perhaps just this for the username:
    # VPN_USER="my.username"
    
    QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/.my_ssl.conf openconnect-sso \
    	--server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"

    Note that instead of calling QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/.my_ssl.conf openconnect-sso ..., you can also place those passed-in variables into your ~/.bashrc file. export is required for those, but not for the VPN* variables I set above.

    Add to the bottom of your ~/.bashrc file:

    # Custom configuration to solve some problems while using `openconnect-sso` in Ubuntu 22.04.
    # See: https://github.com/vlaci/openconnect-sso/issues/81#issuecomment-1363355533
    export QTWEBENGINE_DISABLE_SANDBOX=1
    export OPENSSL_CONF=~/.my_ssl.conf
    
    VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
    VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
    VPN_USER="[email protected]"      # example username
    # or perhaps just this for the username:
    # VPN_USER="my.username"

    Now log out of Ubuntu and log back in, or re-source your ~/.bashrc file:

    . ~/.bashrc

    Then you can just run openconnect-sso without those leading variables:

    openconnect-sso --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"

.my_ssl.conf is part of my eRCaGuy_dotfiles repo now too.

Thanks for your help on this!

ElectricRCAircraftGuy added a commit to ElectricRCAircraftGuy/eRCaGuy_dotfiles that referenced this issue Dec 22, 2022
...to properly work on Ubuntu 22.04.

Also update home/.bash_aliases with some fixes for that too.

See my comment & instructions:
vlaci/openconnect-sso#81 (comment)