Open doktorjw opened 11 months ago
Thanks for the report. I'm confused about why you need(ed) to do both (1) and (2).
As far as I can tell, --no-verify alone should allow you to connect (insecurely) to a server with an expired cert.
Using the handy mal-configured test servers from https://badssl.com:
Fails:
$ ./gp_saml_gui.py untrusted-root.badssl.com
…
gp_saml_gui.py: error: SSL error (try --allow-insecure-crypto to ignore): ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)
Succeeds in establishing the initial TLS connection:
$ ./gp_saml_gui.py --no-verify untrusted-root.badssl.com
…
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'untrusted-root.badssl.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
…
(fails for a different reason, because this isn't actually a GP VPN server)
Can you give more details about what happens if you do add --no-verify but don't modify the TLSManager class?
I encounter this issue as well during my testing, after attempting to use the --no-verify option as an alternative to the workaround in #69. I can confirm that the error goes away and I am able to connect after following OP's advice. Here are the logs:
Traceback (most recent call last):
File "/usr/bin/gp-saml-gui", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/lib/python3.11/site-packages/gp_saml_gui.py", line 303, in main
res = s.post(endpoint, verify=args.verify, data=data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 637, in post
return self.request("POST", url, data=data, json=json, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/requests/adapters.py", line 486, in send
resp = conn.urlopen(
^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/usr/lib/python3.11/site-packages/urllib3/connection.py", line 406, in connect
context.verify_mode = resolve_cert_reqs(self.cert_reqs)
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/ssl.py", line 742, in verify_mode
super(SSLContext, SSLContext).verify_mode.__set__(self, value)
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
FWIW, I just started encountering this issue today and had to apply both the fixes mentioned in the OP's post to get the app to work.
Ran into this when the company I am working for let a cert expire. I resolved it doing 2 things:
1) launching with --no-verify
2) modifying the init_poolmanager to add
ssl_context.check_hostname = False
after the set_ciphers (in gp_saml_gui.py). Works like a charm after that.
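The ValueError in the traceback above comes from an invariant in Python's standard-library ssl.SSLContext, not from gp-saml-gui or requests: while check_hostname is True, verify_mode cannot be set to CERT_NONE, so the assignment order matters. The following is an added illustration written for this thread (it is not code from gp-saml-gui, requests or urllib3, and the names build_context and try_build are my own) that uses only the stdlib ssl module to show the failing order and the order the OP's patch enforces by clearing check_hostname before --no-verify drives verify_mode to CERT_NONE. The same ordering applies inside a requests HTTPAdapter.init_poolmanager override that hands an ssl_context to urllib3.

```python
"""Reproduce and resolve the ssl.SSLContext ordering error seen in the issue.

ssl.SSLContext enforces: check_hostname == True  ->  verify_mode != CERT_NONE.
Setting verify_mode = CERT_NONE while hostname checking is still on raises
ValueError; clearing check_hostname first (as the reporter's patch does) lets
the assignment through. Added example, stdlib only.
"""
import ssl


def build_context(verify: bool, clear_hostname_check_first: bool = True) -> ssl.SSLContext:
    """Return a context; with verify=False, optionally disable check_hostname first.

    verify=True mirrors the default (certificate and hostname both validated).
    verify=False mirrors --no-verify; clear_hostname_check_first=False reproduces
    the broken order from the traceback, True reproduces the reporter's fix.
    """
    # create_default_context() starts with check_hostname=True, CERT_REQUIRED.
    ctx = ssl.create_default_context()
    if verify:
        return ctx
    if clear_hostname_check_first:
        # Hostname checking is meaningless without a verified chain, and the
        # ssl module refuses CERT_NONE while it is still enabled.
        ctx.check_hostname = False
    # Raises ValueError if check_hostname is still True at this point.
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def try_build(verify: bool, clear_hostname_check_first: bool = True) -> tuple:
    """Wrap build_context so the outcome can be inspected without an exception."""
    try:
        ctx = build_context(verify, clear_hostname_check_first)
        return ("ok", ctx.check_hostname, ctx.verify_mode.name)
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print("verify on           :", try_build(True))
    print("--no-verify, bad order:", try_build(False, clear_hostname_check_first=False))
    print("--no-verify, fixed  :", try_build(False, clear_hostname_check_first=True))
```

Run stand-alone it prints one line per scenario; the middle one reproduces the exact message from the traceback ("Cannot set verify_mode to CERT_NONE when check_hostname is enabled."), the last one shows the state the OP's patched init_poolmanager leaves the context in.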