dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

Can't get cert verified #5

Closed. cocoy closed this issue 4 years ago

cocoy commented 5 years ago

Hi @dlenski,

Python: 3.6.8, OS: Ubuntu 18.04

Got some output below:

eval $(./gp-saml-gui.py -v vpn.okta_test.com)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

By adding --no-verify I got "Unacceptable TLS certificate" on the GUI.

dlenski commented 5 years ago

> By adding --no-verify I got "Unacceptable TLS certificate" on the GUI.

Does your VPN server's certificate validate without warnings in a “normal” browser (e.g. Chromium)?

In order to get the embedded WebKit2 browser to ignore certificate errors, we'd have to figure out how to use this function… want to try writing a PR for it? https://webkitgtk.org/reference/webkit2gtk/stable/WebKitWebContext.html#webkit-web-context-set-tls-errors-policy

cocoy commented 5 years ago

Seems my Chrome goes fine without warnings, or maybe by default Chrome accepts the TLS certificate. Not sure.

cocoy commented 5 years ago

I managed to get past the TLS error by adding this after line 30:

WebKit2.WebContext.set_tls_errors_policy(self.ctx, WebKit2.TLSErrorsPolicy.IGNORE)

But have another problem on the converted openconnect command line:

Date: Mon, 25 Nov 2019 03:18:57 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "435fb-2346-5a0e1463"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
HTTP body length:  (128)
< 
< var respStatus = "Error";
< var respMsg = "Authentication failure: Invalid username or password";
< thisForm.inputStr.value = "";
< 
Unexpected 512 result from server
Invalid username or password.
Please enter your username and password
Username: fgets (stdin): Resource temporarily unavailable

dlenski commented 5 years ago

> I managed to get past the TLS error by adding this after line 30:
>
> WebKit2.WebContext.set_tls_errors_policy(self.ctx, WebKit2.TLSErrorsPolicy.IGNORE)
>
> But have another problem on the converted openconnect command line:
>
> Date: Mon, 25 Nov 2019 03:18:57 GMT
> Content-Type: text/html
> Content-Length: 128
> Connection: keep-alive
> ETag: "435fb-2346-5a0e1463"
> Pragma: no-cache
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> x-private-pan-sslvpn: auth-failed
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> X-FRAME-OPTIONS: DENY
> Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
> Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
> Set-Cookie: PHPSESSID=e5de02fa41463514caa2d490a04fcb8c; secure; HttpOnly
> HTTP body length:  (128)
> < 
> < var respStatus = "Error";
> < var respMsg = "Authentication failure: Invalid username or password";
> < thisForm.inputStr.value = "";
> < 
> Unexpected 512 result from server
> Invalid username or password.
> Please enter your username and password
> Username: fgets (stdin): Resource temporarily unavailable

You're taking the output of gp-saml-gui.py -v, which should look something like this?

...
Got all required SAML headers, done.
SAML response converted to OpenConnect command line invocation:

    echo 'long base64 encoded value' |
        openconnect --protocol=gp --user='something@corp.com' --usergroup=gateway:prelogin-cookie --passwd-on-stdin vpn.corp.com

...

And then it doesn't work? What does openconnect --version return?

cocoy commented 5 years ago

OpenConnect version v7.07-0

Do I need the version 8.xx?

Thanks @dlenski

dlenski commented 4 years ago

> Do I need the version 8.xx?

Yes, get OpenConnect v8.05 from the official upstream repository (https://gitlab.com/openconnect/openconnect).

The only “7.x” builds that support GlobalProtect are the verrrrrrrry old pre-release ones from https://github.com/dlenski/openconnect. I've abandoned that repository and kept it only for historical reasons.

Those ancient pre-release builds don't support using preauthcookie (instead of the standard password field), which is required for SAML-based authentication to work. There are numerous other GP bugfixes and improvements in 8.0x.
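Added example, not code from gp-saml-gui or OpenConnect: it checks the `openconnect --version` output for an 8.x upstream build (the 7.07-0 fork build above lacks prelogin-cookie support) and builds the invocation the tool prints, keeping the cookie on stdin via `--passwd-on-stdin` rather than in argv, where any local user could read it with `ps`. Function names and the sample version strings are this example's own.

```python
"""Version gate and cookie-safe OpenConnect invocation for GP SAML logins."""
import re
import subprocess
from typing import List, Optional, Tuple


def parse_openconnect_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the first line of `openconnect --version`.

    Matches e.g. "OpenConnect version v7.07-0" (old fork pre-release) and
    "OpenConnect version v8.05" (upstream); returns None if unparseable.
    """
    m = re.search(r"OpenConnect version v(\d+)\.(\d+)", version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def supports_prelogin_cookie(version_output: str) -> bool:
    """SAML login needs --usergroup=...:prelogin-cookie, available in 8.0x+."""
    v = parse_openconnect_version(version_output)
    return v is not None and v >= (8, 0)


def build_openconnect_argv(server: str, user: str, usergroup: str = "gateway") -> List[str]:
    """argv for the login; the prelogin cookie is deliberately absent here.

    Process arguments are world-readable on most systems, so the secret is
    passed on stdin (--passwd-on-stdin) instead of on the command line.
    """
    return [
        "openconnect",
        "--protocol=gp",
        f"--user={user}",
        f"--usergroup={usergroup}:prelogin-cookie",
        "--passwd-on-stdin",
        server,
    ]


def run_openconnect(server: str, user: str, prelogin_cookie: str) -> int:
    """Launch openconnect with the cookie fed on stdin; returns its exit code."""
    argv = build_openconnect_argv(server, user)
    proc = subprocess.run(argv, input=prelogin_cookie + "\n", text=True, check=False)
    return proc.returncode
```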