vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
280 stars 119 forks

ssl UNSAFE_LEGACY_RENEGOTIATION_DISABLED unsafe legacy renegotiation disabled #81

Open smoser opened 2 years ago

smoser commented 2 years ago

I hit the error below today after an upgrade to Ubuntu 22.04 with newer openssl (3.0.2).

$ openconnect-sso --server=my.company.endpoint.com/ssl
[info     ] Authenticating to VPN end
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
    conn.connect()
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "openconnect-sso/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

I poked for a little bit at trying a Python code StackOverflow suggestion but was not successful.

The fix I found was from Launchpad bug 1963834, with more information on the openssl-users mailing list. Thanks to @hallyn for helping to find it.

Here it is for anyone interested:

$ cat ./my-ssl.conf
# Entry point: OpenSSL reads the section named here when it initialises.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
# system_default is applied to every SSL_CTX the program creates.
system_default = system_default_sect

[system_default_sect]
# Permit the handshake with a server that lacks RFC 5746 secure renegotiation
# (what OpenSSL 3.0 stopped allowing by default).
Options = UnsafeLegacyRenegotiation

$ export OPENSSL_CONF="./my-ssl.conf"
$ openconnect-sso --server=....

lucashtc commented 2 years ago

This solves the error in the console, but when opening the browser it does not load; the browser page is blank.

lucashtc commented 2 years ago

I managed to solve the white page problem using

QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/ssl.conf openconnect-sso -s vpnxxxxx.com.br

hennr commented 1 year ago

Using the PyQt6 binding also fixes the white page that the browser shows. See #86.

ElectricRCAircraftGuy commented 1 year ago

Thank you @smoser and @lucashtc . Your solutions solved it for me and got me unblocked on Ubuntu 22.04 when following my own instructions here: How to use "openconnect" (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO).

For anyone who needs more-explicit instructions, here's how I'd do it:

  1. Create a ~/.my_ssl.conf file:

    gedit ~/.my_ssl.conf

    Then paste the following into it:

    # Custom configuration to solve some problems while using `openconnect-sso` in Ubuntu 22.04.
    # See: https://github.com/vlaci/openconnect-sso/issues/81#issuecomment-1363355533
    
    openssl_conf = openssl_init
    
    [openssl_init]
    ssl_conf = ssl_sect
    
    [ssl_sect]
    system_default = system_default_sect
    
    [system_default_sect]
    Options = UnsafeLegacyRenegotiation

    Save it and close it.

  2. Then run this:

    VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
    VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
    VPN_USER="my.username@something.com"      # example username
    # or perhaps just this for the username:
    # VPN_USER="my.username"
    
    QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/.my_ssl.conf openconnect-sso \
        --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"

    Note that instead of calling QTWEBENGINE_DISABLE_SANDBOX=1 OPENSSL_CONF=~/.my_ssl.conf openconnect-sso ..., you can also place those passed-in variables into your ~/.bashrc file. export is required for those two, but not for the VPN_* variables I set above.

    Add to the bottom of your ~/.bashrc file:

    # Custom configuration to solve some problems while using `openconnect-sso` in Ubuntu 22.04.
    # See: https://github.com/vlaci/openconnect-sso/issues/81#issuecomment-1363355533
    export QTWEBENGINE_DISABLE_SANDBOX=1
    export OPENSSL_CONF=~/.my_ssl.conf
    
    VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
    VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
    VPN_USER="my.username@something.com"      # example username
    # or perhaps just this for the username:
    # VPN_USER="my.username"

    Now log out of Ubuntu and log back in, or re-source your ~/.bashrc file:

    . ~/.bashrc

    Then you can just run openconnect-sso without those leading variables:

    openconnect-sso --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"

.my_ssl.conf is part of my eRCaGuy_dotfiles repo now too.

Thanks for your help on this!
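
Setting OPENSSL_CONF (smoser's fix above) switches the relaxation on for every OpenSSL-linked program started from that shell, and exporting it from ~/.bashrc as in the last comment makes that permanent. As an added example that is not code from openconnect-sso or from any commenter here, the stdlib-only Python client below scopes the same relaxation to a single SSLContext and applies it only after the exact handshake error shown in the traceback, while leaving certificate and hostname verification on. It illustrates the option bit itself (SSL_OP_LEGACY_SERVER_CONNECT, which OpenSSL 3.0 stopped setting by default); it is not a patch for the wrapper. The gateway URL is the placeholder from the first comment, and fetch, legacy_server_context and the other function names are this example's own.

```python
"""Scope OpenSSL's legacy-server-connect option to one TLS context.

Added example; not part of openconnect-sso.  OPENSSL_CONF re-enables legacy
renegotiation for every OpenSSL-linked process in the environment.  This
shows the narrower route for a Python client: set the option bit on the one
SSLContext that talks to the VPN gateway, keep peer verification on, and do
it only after the specific UNSAFE_LEGACY_RENEGOTIATION_DISABLED failure.
"""
import ssl
import sys
import urllib.error
import urllib.request

# SSL_OP_LEGACY_SERVER_CONNECT from OpenSSL's ssl.h (bit 2, value 0x4).
# Python exposes it as ssl.OP_LEGACY_SERVER_CONNECT only from 3.12 on; the
# numeric fallback covers Python 3.10 on Ubuntu 22.04.
LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# OpenSSL reason string from the traceback in this issue.
LEGACY_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def is_legacy_renegotiation_error(err):
    """True if err (an ssl.SSLError, or just its message text) is OpenSSL 3
    refusing to handshake with a server that lacks RFC 5746 renegotiation_info."""
    if getattr(err, "reason", None) == LEGACY_REASON:
        return True
    return LEGACY_REASON in str(err)


def legacy_server_context(cafile=None):
    """A normal verifying client context plus the legacy-server-connect bit.

    The bit only permits connecting to a server that does not advertise
    secure renegotiation (OpenSSL < 3.0 allowed this by default); verify_mode
    and check_hostname keep their defaults, so the gateway certificate is
    still validated.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.options |= LEGACY_SERVER_CONNECT
    return ctx


def context_has_legacy_connect(ctx):
    """Whether the legacy-server-connect bit is set on ctx."""
    return bool(ctx.options & LEGACY_SERVER_CONNECT)


def context_verifies_peer(ctx):
    """Whether ctx still requires, and hostname-checks, the peer certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch(url, timeout=15):
    """GET url with the strict default context; retry with the legacy bit only
    if the handshake failed for exactly the legacy-renegotiation reason.
    Returns (status, body_bytes, used_legacy).  Any other failure, including a
    certificate error, propagates unchanged."""
    attempts = ((False, ssl.create_default_context()),
                (True, legacy_server_context()))
    for used_legacy, ctx in attempts:
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx))
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.status, resp.read(), used_legacy
        except urllib.error.URLError as exc:
            # URLError.reason holds the underlying ssl.SSLError for a
            # handshake failure; for an HTTPError it is just the HTTP text.
            if used_legacy or not is_legacy_renegotiation_error(exc.reason):
                raise
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    # Placeholder gateway from the issue; pass a real URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://my.company.endpoint.com/ssl"
    status, body, used_legacy = fetch(target)
    print(status, len(body), "legacy-server-connect" if used_legacy else "strict")
```

The retry fires only for the UNSAFE_LEGACY_RENEGOTIATION_DISABLED reason, so the relaxation never masks a bad gateway certificate. If the process-wide config route is the only option, OpenSSL's config language also has the narrower `Options = UnsafeLegacyServerConnect` (SSL_OP_LEGACY_SERVER_CONNECT, client side only) beside `UnsafeLegacyRenegotiation` (SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which also affects any server sockets the program opens); either way the lasting fix is a gateway that supports RFC 5746 secure renegotiation.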