dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled #69

Open michal-devel opened 1 year ago

michal-devel commented 1 year ago

Hi Dan,

some time ago you helped me to set up gp-saml-gui. Now something has broken and I can't use openconnect any longer.

I have gp-saml-gui set up as follows:

gp-saml-gui --clientos=Windows --sudo-openconnect --gateway vpn-gw.my-host.com -- --csd-wrapper=/usr/lib/openconnect/hipreport.sh

Here's the exact error:

Looking for SAML auth tags in response to vpn-gw.my-host.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

Here's https://vpn-gw.my-host.com/ssl-vpn/prelogin.esp content:

<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Wpisz login i hasło</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>REMOVED_BY_ME</saml-request>
<auth-api>no</auth-api>
<region>PL</region>
</prelogin-response>

I'm using latest OpenConnect for my OS (Arch Linux);

$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

I'm happy to provide you with some more details if needed. Cheers!

EDIT There is a workaround: https://stackoverflow.com/a/72245418/2657875

stefancocora commented 1 year ago

This error is still happening. It started happening today after a system upgrade. A quick hint on whether this is related to the VPN gateway using old TLS ciphers or something similar would help.

/usr/lib/gp-saml-gui/test-globalprotect-login.py --user=user_name --clientos=Linux -p '' https://vpn_gateway_url prelogin-cookie=pre_login_cookie

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/gp-saml-gui/test-globalprotect-login.py", line 81, in <module>
    res = s.post(endpoint.geturl(), verify=args.verify, data=data)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 635, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

Pkg versions:

openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.8.0. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

pacman -Q|ag gp-saml-gui-git
gp-saml-gui-git r70.f1fafba-1

openssl 3.0.8-1
openssl-1.1 1.1.1.t-1
python-pyopenssl 23.0.0-1
python-requests 2.28.2-1

michal-devel commented 1 year ago

@stefancocora What you need to do is to follow this workaround: https://stackoverflow.com/a/72245418/2657875

stefancocora commented 1 year ago

Thanks @michal-devel, I've already followed the workaround and it works with a local openssl.conf file. I meant my previous post as a question and maybe as help for the developer to remove this issue that is coming from some of the Python libraries.