Fix for Disabled Unsafe Negotiation #139

@5had3z 5had3z commented Aug 15, 2023

When pip installing the standard package I get the below error when self.session is used or at _detect_authentication_target_url(). After a bit of searching I found this which resolves the issue for me for connecting to my institution's VPN. I'm running on Ubuntu 22.04 w/ python3.10, urllib3=1.26.16, requests=2.31.0.

openconnect-sso -s vpn.foo.bar
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=vpn.foo.bar name=
Traceback (most recent call last):
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
.......
line 87, in _start_authentication
    response = self.session.post(self.host.vpn_url, request)

-------OR-------
Traceback (most recent call last):
...
line 42, in authenticate
    self._detect_authentication_target_url()

Signed-off-by: Bryce Ferenczi <[email protected]>

danchr commented Sep 7, 2023

For what it's worth, this is essentially a duplicate of #126, which does the same, but in a slightly different manner. The root cause is OpenSSL 3 disabling legacy renegotiation by default, I believe.
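
The workaround discussed in this thread, sketched as an added example (not the code from this pull request or from #126): it re-enables OpenSSL's legacy server connect option for one host only and leaves certificate and hostname verification on. The helper names are hypothetical, and the adapter pattern is assumed for the requests version named in the post.

```python
import ssl

# ssl.OP_LEGACY_SERVER_CONNECT exists from Python 3.12; 0x4 is OpenSSL's
# SSL_OP_LEGACY_SERVER_CONNECT value, used here as the fallback.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))


def strict_context():
    """Verifying context with the legacy option explicitly cleared."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT
    return ctx


def legacy_context():
    """Verifying context that tolerates a server lacking RFC 5746 secure
    renegotiation. Certificate and hostname checks stay enabled."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) | OP_LEGACY_SERVER_CONNECT
    return ctx


def allows_legacy_server(ctx):
    """True if the context would accept a server without RFC 5746."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def session_for(vpn_host):
    """requests.Session that uses legacy_context() for vpn_host only.

    Hypothetical helper; requests is imported lazily so the context
    functions above work without it.
    """
    import requests
    from requests.adapters import HTTPAdapter

    class LegacyRenegotiationAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = legacy_context()
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    # Trailing slash keeps the prefix from matching look-alike hosts such
    # as vpn.foo.bar.example; every other URL keeps the default adapter.
    session.mount(f"https://{vpn_host}/", LegacyRenegotiationAdapter())
    return session
```

Mounting the adapter on the VPN host's prefix, rather than changing the system-wide OpenSSL configuration, keeps the relaxed setting away from every other TLS connection the process makes.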
