vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
278 stars 117 forks

Fix for Disabled Unsafe Negotiation #139

Open 5had3z opened 10 months ago

5had3z commented 10 months ago

When pip-installing the standard package I get the below error when self.session is used or at _detect_authentication_target_url(). After a bit of searching I found this, which resolves the issue for me for connecting to my institution's VPN. I'm running on Ubuntu 22.04 w/ python3.10, urllib3=1.26.16, requests=2.31.0.

openconnect-sso -s vpn.foo.bar
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=vpn.foo.bar name=
Traceback (most recent call last):
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/home/bryce/.local/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
.......
line 87, in _start_authentication
    response = self.session.post(self.host.vpn_url, request)

-------OR-------
Traceback (most recent call last):
...
line 42, in authenticate
    self._detect_authentication_target_url()

danchr commented 10 months ago

For what it's worth, this is essentially a duplicate of #126, which does the same, but in a slightly different manner. The root cause is OpenSSL 3 disabling legacy renegotiation by default, I believe.
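The handshake failure in the PR description and the root cause danchr names (OpenSSL 3 no longer setting SSL_OP_LEGACY_SERVER_CONNECT by default, so a client refuses servers that lack the RFC 5746 secure-renegotiation extension) can be handled without relaxing every HTTPS connection the tool makes. The following is an added example, not code from this PR, from #126 or from openconnect-sso: it recognises this specific OpenSSL reason, builds a verifying client context with the opt-in set explicitly on or off, and mounts that context only for the VPN host on a requests session. It assumes the raw bit value 0x4 for SSL_OP_LEGACY_SERVER_CONNECT on Python releases older than 3.12 (where `ssl.OP_LEGACY_SERVER_CONNECT` does not exist), and the host `vpn.example.invalid` is a constructed placeholder.

```python
"""Added example (not the PR's or openconnect-sso's code): accept a VPN server
without RFC 5746 secure renegotiation, but only for that host and only after
OpenSSL reported exactly that reason."""
import socket
import ssl

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT bit. Python exposes it as
# ssl.OP_LEGACY_SERVER_CONNECT from 3.12; older interpreters need the raw value
# (assumption: 0x4, the value in OpenSSL's ssl.h).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# Reason string OpenSSL 3 reports when the peer lacks RFC 5746 renegotiation info.
LEGACY_RENEG_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"

# Copied from the traceback in the PR description, for offline testing.
SAMPLE_ERROR_LINE = (
    "ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] "
    "unsafe legacy renegotiation disabled (_ssl.c:1007)"
)


def build_client_context(allow_legacy_server_connect=False):
    """Default verifying client context with the legacy opt-in set explicitly.

    OpenSSL 1.1 enables the bit by default and OpenSSL 3 does not, so the
    policy is written into the context instead of inherited from the library.
    """
    ctx = ssl.create_default_context()
    opts = int(ctx.options)  # plain int avoids IntFlag inversion quirks
    if allow_legacy_server_connect:
        ctx.options = opts | int(OP_LEGACY_SERVER_CONNECT)
    else:
        ctx.options = opts & ~int(OP_LEGACY_SERVER_CONNECT)
    return ctx


def allows_legacy_server_connect(ctx):
    """True if ctx will complete a handshake with a non-RFC 5746 server."""
    return bool(int(ctx.options) & int(OP_LEGACY_SERVER_CONNECT))


def is_legacy_renegotiation_error(failure):
    """Classify an ssl.SSLError (or its message text) as the legacy-renegotiation case."""
    if isinstance(failure, str):
        return LEGACY_RENEG_REASON in failure
    if not isinstance(failure, ssl.SSLError):
        return False
    return getattr(failure, "reason", None) == LEGACY_RENEG_REASON or (
        LEGACY_RENEG_REASON in str(failure)
    )


def tls_handshake(host, port=443, allow_legacy_server_connect=False, timeout=10):
    """Perform one TLS handshake and return the negotiated protocol name."""
    ctx = build_client_context(allow_legacy_server_connect)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def make_scoped_session(vpn_host, ssl_context):
    """requests.Session where only https://<vpn_host> uses ssl_context.

    Session.mount() matches the longest prefix, so every other origin keeps
    the default (strict) adapter.
    """
    import requests  # local import: the ssl-only helpers above work without requests

    class _ContextAdapter(requests.adapters.HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ssl_context
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    session.mount(f"https://{vpn_host}", _ContextAdapter())
    return session


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"  # placeholder
    try:
        print("negotiated", tls_handshake(host))
    except ssl.SSLError as exc:
        if is_legacy_renegotiation_error(exc):
            print(f"{host} lacks RFC 5746 secure renegotiation; "
                  "retry with the opt-in scoped to this host only")
            session = make_scoped_session(host, build_client_context(True))
            print(session.get(f"https://{host}/").status_code)
        else:
            raise
```

Because the opt-in context is mounted under the `https://<vpn_host>` prefix rather than set on a global adapter, the Azure AD / SAML redirects that the authentication flow follows to other origins still go through a context that rejects servers without secure renegotiation.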