Open michal-devel opened 1 year ago
This error is still happening. Started happening today after a system upgrade. A quick hint would help to know if this is related to the vpn gateway using old TLS ciphers or something similar.
/usr/lib/gp-saml-gui/test-globalprotect-login.py --user=user_name --clientos=Linux -p '' https://vpn_gateway_url prelogin-cookie=pre_login_cookie
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/gp-saml-gui/test-globalprotect-login.py", line 81, in <module>
    res = s.post(endpoint.geturl(), verify=args.verify, data=data)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 635, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
Pkg versions:
openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.8.0. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script
pacman -Q|ag gp-saml-gui-git
gp-saml-gui-git r70.f1fafba-1
openssl 3.0.8-1
openssl-1.1 1.1.1.t-1
python-pyopenssl 23.0.0-1
python-requests 2.28.2-1
@stefancocora What you need to do is to follow this workaround: https://stackoverflow.com/a/72245418/2657875
Thanks @michal-devel I've already followed the workaround and it works with a local openssl.conf file. I meant my previous post as a question and maybe help for the developer to remove this issue that is coming from some of the python libraries.
Hi Dan,
some time ago you helped me to set up gp-saml-gui. Now something has broken and I can't use openconnect any longer.
I have gp-saml-gui set up as follows:
gp-saml-gui --clientos=Windows --sudo-openconnect --gateway vpn-gw.my-host.com -- --csd-wrapper=/usr/lib/openconnect/hipreport.sh
Here's the exact error:
Here's https://vpn-gw.my-host.com/ssl-vpn/prelogin.esp content:
I'm using latest OpenConnect for my OS (Arch Linux);
I'm happy to provide you some more details if needed. Cheers!
EDIT There is a workaround: https://stackoverflow.com/a/72245418/2657875
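The error in the traceback above is OpenSSL 3 refusing a server that does not offer secure renegotiation (RFC 5746). As an added example (not code from gp-saml-gui or from the posters), this Python code recognises that error inside a wrapped exception chain and enables legacy server connect for one allowlisted gateway only, with certificate and hostname verification left on. The host name is the placeholder from the post, and the function names and the allowlist are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# SSL_OP_LEGACY_SERVER_CONNECT is bit 0x4 in OpenSSL; Python names it from 3.12 on.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)
MARKER = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"

# Assumption: the only gateway allowed the relaxed handshake (placeholder from the post).
LEGACY_HOSTS = {"vpn-gw.my-host.com"}


def is_legacy_renegotiation_error(exc):
    """True if any exception in the chain (requests -> urllib3 -> ssl) carries the marker."""
    seen, stack = set(), [exc]
    while stack:
        e = stack.pop()
        if e is None or id(e) in seen:
            continue
        seen.add(id(e))
        if MARKER in str(e):
            return True
        stack += [e.__cause__, e.__context__]
    return False


def needs_legacy(url):
    """Exact, case-insensitive host match; suffix look-alikes do not qualify."""
    return (urlsplit(url).hostname or "").lower() in LEGACY_HOSTS


def context_for(url):
    """Default verifying context; legacy server connect only for allowlisted hosts."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking stay on
    if needs_legacy(url):
        ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def opener_for(url):
    """urllib opener bound to the per-host context; nothing changes process-wide."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=context_for(url)))
```

Unlike a system-wide OpenSSL configuration change, the relaxed option here applies only to connections made through the returned context.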