dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

TLSAdapter bugfixes #96

Closed mildsunrise closed 4 months ago

mildsunrise commented 4 months ago

when the --allow-insecure-ciphers option is used, we register our own HTTPAdapter which overrides the ssl_context used by connections.

we need to do this in order to control the options and ciphers, but this bypasses urllib3's create_urllib3_context logic, which leads to some features not working when --allow-insecure-ciphers is in place.

this PR replicates some of that logic to fix it; see each commit for explanation and references.
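As an added illustration of the problem the PR description states (this is example code, not the PR's commits or gp-saml-gui's own TLSAdapter): a custom HTTPAdapter that builds its ssl.SSLContext from scratch silently drops everything urllib3 would normally configure, whereas one that starts from urllib3's create_urllib3_context() and only changes the cipher list keeps certificate verification and the protocol hardening flags. The adapter class uses the real requests.adapters.HTTPAdapter.init_poolmanager hook and urllib3.poolmanager.PoolManager; the fallback create_urllib3_context used when urllib3 is not installed is an assumption that approximates its defaults, and the cipher string is constructed for the demo.

```python
"""Added example (not code from the gp-saml-gui PR): build the relaxed TLS
context on top of urllib3's create_urllib3_context() so that the defaults
urllib3 normally applies survive the cipher tweak."""
import ssl
import warnings

try:  # the real urllib3 implementation when it is installed
    from urllib3.util.ssl_ import create_urllib3_context
except ImportError:  # offline stand-in: an approximation of urllib3's
    # defaults (assumption for this example, not urllib3's code)
    def create_urllib3_context():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        return ctx

try:  # the adapter class is only defined when requests is installed
    from requests.adapters import HTTPAdapter
    from urllib3.poolmanager import PoolManager
except ImportError:
    HTTPAdapter = PoolManager = None


def bare_context(ciphers):
    """The pattern the PR description calls out: a context built from scratch.
    PROTOCOL_TLS (deprecated, hence the warning filter) starts with
    verify_mode=CERT_NONE and check_hostname=False, and nothing urllib3
    would have configured is applied."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.set_ciphers(ciphers)
    return ctx


def relaxed_context(ciphers):
    """Start from urllib3's own context and change only the cipher list;
    certificate verification and the hardening options remain in place."""
    ctx = create_urllib3_context()
    ctx.set_ciphers(ciphers)
    return ctx


def audit(ctx):
    """Security-relevant settings of a context as plain booleans and ints."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "cipher_count": len(ctx.get_ciphers()),
    }


def regressions(reference, candidate):
    """Names of protections enabled in `reference` but disabled in `candidate`."""
    ref, cand = audit(reference), audit(candidate)
    return sorted(k for k, v in ref.items() if v is True and cand[k] is False)


if HTTPAdapter is not None:
    class RelaxedCipherAdapter(HTTPAdapter):
        """requests adapter that hands the relaxed context to urllib3's pool."""

        def __init__(self, ciphers, **kwargs):
            self._ciphers = ciphers          # needed before HTTPAdapter.__init__
            super().__init__(**kwargs)       # which calls init_poolmanager()

        def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
            pool_kwargs["ssl_context"] = relaxed_context(self._ciphers)
            self.poolmanager = PoolManager(num_pools=connections, maxsize=maxsize,
                                           block=block, **pool_kwargs)


if __name__ == "__main__":
    # Constructed cipher string for the demo; an option like
    # --allow-insecure-ciphers would pass something far more permissive.
    ciphers = "ECDHE+AESGCM:DHE+AESGCM"
    print("bare   :", audit(bare_context(ciphers)))
    print("relaxed:", audit(relaxed_context(ciphers)))
    print("lost by the bare context:",
          regressions(relaxed_context(ciphers), bare_context(ciphers)))
```

Running the module prints the two audits side by side; `regressions()` is the check worth keeping around, since it lists exactly which protections a hand-built context lost. Whether `check_hostname` shows up in that list depends on the urllib3 version (older releases do their own hostname matching and leave the flag off), which is one reason reusing urllib3's context builder beats replicating it by hand.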

dlenski commented 4 months ago

Thank you @mildsunrise, this is great. I believe a78357e0260af05689ee8be10cb64d75bfb7f248 will also fix #83.

For a (partial) explanation of why getting all of the TLS tweaks right in gp-saml-gui is hard, see https://github.com/dlenski/gp-saml-gui/issues/55#issuecomment-1233293573. Basically, we have to both adjust TLS in the webview and adjust it in the OpenConnect params :dizzy_face:

mildsunrise commented 4 months ago

yeah, it's frustrating that we can't make webkitgtk use python's TLS stack...