dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

Cannot set verify_mode to CERT_NONE when check_hostname is enabled. #83

Open doktorjw opened 11 months ago

doktorjw commented 11 months ago

Ran into this when the company I am working for let a cert expire. I resolved it by doing 2 things:

1) launching with --no-verify
2) modifying init_poolmanager to add ssl_context.check_hostname = False after the set_ciphers call (in gp_saml_gui.py).

Works like a charm after that.

dlenski commented 10 months ago

Thanks for the report. I'm confused about why you need(ed) to do both (1) and (2).

As far as I can tell, --no-verify alone should allow you to connect (insecurely) to a server with an expired cert.

Using the handy misconfigured test servers from https://badssl.com:

Fails:

```
$ ./gp_saml_gui.py untrusted-root.badssl.com
…
gp_saml_gui.py: error: SSL error (try --allow-insecure-crypto to ignore): ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)
```

Succeeds in establishing the initial TLS connection:

```
$ ./gp_saml_gui.py --no-verify untrusted-root.badssl.com
…
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made to host 'untrusted-root.badssl.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
…
```

(fails for a different reason, because this isn't actually a GP VPN server)

Can you give more details about what happens if you do add --no-verify but don't modify the TLSManager class?

ajcasagrande commented 9 months ago

I encountered this issue as well during my testing, after attempting to use the --no-verify option as an alternative to the workaround in #69. I can confirm that the error goes away and I am able to connect after following OP's advice. Here are the logs:

```
Traceback (most recent call last):
  File "/usr/bin/gp-saml-gui", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/lib/python3.11/site-packages/gp_saml_gui.py", line 303, in main
    res = s.post(endpoint, verify=args.verify, data=data)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
                       ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.11/site-packages/urllib3/connection.py", line 406, in connect
    context.verify_mode = resolve_cert_reqs(self.cert_reqs)
    ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 742, in verify_mode
    super(SSLContext, SSLContext).verify_mode.__set__(self, value)
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
```

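The traceback above comes from an ordering rule in Python's ssl module, reproduced here as an added stand-alone example (not code from gp-saml-gui or from any commenter): a context built with ssl.create_default_context() has check_hostname=True, so urllib3's attempt to drop verify_mode to CERT_NONE for --no-verify is refused until check_hostname is cleared first. The cipher string is a constructed placeholder, not the project's.

```python
import ssl

# Constructed stand-in for whatever the project's TLSManager passes to
# set_ciphers(); the real string is not part of this issue.
CIPHERS = "DEFAULT"


def make_strict_context():
    """Mirror a TLSManager-style context: default-secure, custom ciphers."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    ctx.set_ciphers(CIPHERS)
    return ctx


def describe(ctx):
    """(check_hostname, verify_mode name) for easy inspection."""
    return (ctx.check_hostname, ctx.verify_mode.name)


def reproduces_value_error():
    """What urllib3 does under verify=False: set verify_mode first.
    With check_hostname still True, ssl.SSLContext raises ValueError."""
    ctx = make_strict_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def configure_verification(ctx, verify=True):
    """Apply the --no-verify decision in the order ssl requires.

    check_hostname must be cleared *before* verify_mode can become
    CERT_NONE; the default (verify=True) leaves the context strict.
    """
    if verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.check_hostname = False  # must come first
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def reenable_hostname_check_only(ctx):
    """Turning check_hostname back on with verify_mode == CERT_NONE
    automatically promotes verify_mode to CERT_REQUIRED (Python >= 3.7),
    so a relaxed context cannot be left half-verified by accident."""
    ctx.check_hostname = True
    return describe(ctx)
```

Only the verify=False branch of configure_verification is the workaround from the OP's post; the verify=True branch shows that the default stays fully verified.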
huang-jy commented 4 months ago

FWIW, I just started encountering this issue today and had to apply both the fixes mentioned in the OP's post to get the app to work.