
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled #69

Open
michal-devel opened this issue Dec 28, 2022 · 3 comments

Comments


michal-devel commented Dec 28, 2022

Hi Dan,

some time ago you helped me to set up gp-saml-gui. Now something has broken and I can't use openconnect any longer.

I have gp-saml-gui set up as follows:

gp-saml-gui --clientos=Windows --sudo-openconnect --gateway vpn-gw.my-host.com -- --csd-wrapper=/usr/lib/openconnect/hipreport.sh

Here's the exact error:

Looking for SAML auth tags in response to vpn-gw.my-host.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Mac,Linux,Windows}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

Here's https://vpn-gw.my-host.com/ssl-vpn/prelogin.esp content:

<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Wpisz login i hasło</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>REMOVED_BY_ME</saml-request><auth-api>no</auth-api><region>PL</region>
</prelogin-response>

I'm using the latest OpenConnect for my OS (Arch Linux):

$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.8. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

I'm happy to provide some more details if needed.
Cheers!

EDIT
There is a workaround: https://stackoverflow.com/a/72245418/2657875


stefancocora commented Mar 21, 2023

This error is still happening.
Started happening today after a system upgrade.
A quick hint would help to know if this is related to the VPN gateway using old TLS ciphers or something similar.

/usr/lib/gp-saml-gui/test-globalprotect-login.py --user=user_name --clientos=Linux -p '' https://vpn_gateway_url prelogin-cookie=pre_login_cookie

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/gp-saml-gui/test-globalprotect-login.py", line 81, in <module>
    res = s.post(endpoint.geturl(), verify=args.verify, data=data)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 635, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn_gateway_DNS_fqdn', port=443): Max retries exceeded with url: /ssl-vpn/login.esp (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

Pkg versions:

openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.8.0. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script


pacman -Q|ag gp-saml-gui-git
gp-saml-gui-git r70.f1fafba-1

openssl 3.0.8-1
openssl-1.1 1.1.1.t-1
python-pyopenssl 23.0.0-1
python-requests 2.28.2-1

@michal-devel (Author)

@stefancocora
What you need to do is to follow this workaround: https://stackoverflow.com/a/72245418/2657875

@stefancocora

Thanks @michal-devel
I've already followed the workaround, and it works with a local openssl.conf file.
I meant my previous post as a question, and maybe as help for the developer to remove this issue, which is coming from some of the Python libraries.
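As an added example (not code from gp-saml-gui, from either poster, or from the linked answer), addressing both the "old TLS ciphers?" question above and the openssl.conf workaround: the reason string in the traceback says the gateway did not offer RFC 5746 secure renegotiation, and OpenSSL 3.0 stopped tolerating such servers by default (it no longer sets SSL_OP_LEGACY_SERVER_CONNECT), which is a different failure from a cipher-suite mismatch. The block parses the OpenSSL reason code out of the error text and then, instead of relaxing every TLS connection in the process through an openssl.conf file, turns the legacy bit on in one SSLContext that a urllib handler applies only to a named gateway host, with certificate and hostname verification left on. The hostname vpn-gw.example.test is a constructed placeholder, the two extra reason codes in the table are real OpenSSL strings added only for contrast, and the class and helper names are my own.

```python
import http.client
import re
import ssl
import urllib.request

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT. Python names it only from 3.12
# (ssl.OP_LEGACY_SERVER_CONNECT); on the 3.10 interpreter in the traceback
# we fall back to the raw bit value, which has been 0x4 in every OpenSSL release.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Reason codes as they appear inside "[SSL: ...]" in ssl.SSLError messages.
# Only the first one is on this page; the other two are genuine OpenSSL reason
# strings added here for contrast, so the classifier shows they are distinct.
REASONS = {
    "UNSAFE_LEGACY_RENEGOTIATION_DISABLED":
        "server did not offer RFC 5746 secure renegotiation and OpenSSL 3 "
        "refuses such servers by default; not a cipher-suite problem",
    "SSLV3_ALERT_HANDSHAKE_FAILURE":
        "no cipher suite or protocol version in common with the server",
    "CERTIFICATE_VERIFY_FAILED":
        "server certificate chain did not validate",
}

REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")
HOST_RE = re.compile(r"(.*?)(?::\d+)?$")  # strips an optional ":port" suffix


def classify_tls_error(message):
    """Map the text of an ssl.SSLError (or a requests/urllib3 wrapper around
    one, which keeps the bracketed reason) to (reason_code, explanation)."""
    match = REASON_RE.search(message)
    if match is None:
        return "UNKNOWN", "no OpenSSL reason code in message"
    code = match.group(1)
    return code, REASONS.get(code, "unrecognised OpenSSL reason code")


def legacy_renegotiation_context():
    """Default verifying client context plus the legacy-server-connect bit.

    Certificate and hostname checks stay on: the only requirement relaxed is
    RFC 5746 support, which is exactly what the gateway is failing."""
    ctx = ssl.create_default_context()
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def allows_legacy_server_connect(ctx):
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def still_verifies(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class GatewayOnlyHTTPSHandler(urllib.request.HTTPSHandler):
    """HTTPS handler that uses the relaxed context for one gateway host only
    and the interpreter's untouched default context for every other host."""

    def __init__(self, gateway_host, legacy_ctx):
        super().__init__()
        self.gateway_host = gateway_host.lower()
        self.legacy_ctx = legacy_ctx
        self.strict_ctx = ssl.create_default_context()

    def context_for(self, host):
        # urllib's Request.host may carry a port, e.g. "vpn-gw.example.test:443"
        hostname = HOST_RE.match(host.lower()).group(1)
        return self.legacy_ctx if hostname == self.gateway_host else self.strict_ctx

    def https_open(self, req):
        return self.do_open(http.client.HTTPSConnection, req,
                            context=self.context_for(req.host))


def build_opener(gateway_host):
    """Opener whose legacy-renegotiation allowance applies to gateway_host only."""
    handler = GatewayOnlyHTTPSHandler(gateway_host, legacy_renegotiation_context())
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    # Constructed sample: the exact error text from the traceback on this page.
    sample = ("[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy "
              "renegotiation disabled (_ssl.c:997)")
    print(classify_tls_error(sample))
    # vpn-gw.example.test is a placeholder; nothing is contacted here.
    opener = build_opener("vpn-gw.example.test")
    handler = next(h for h in opener.handlers if isinstance(h, GatewayOnlyHTTPSHandler))
    print("gateway gets legacy bit:",
          allows_legacy_server_connect(handler.context_for("vpn-gw.example.test:443")))
```

The openssl.conf route used in this thread sets the same bit for every OpenSSL client in the process (an `Options = UnsafeLegacyServerConnect` line in the config's system default section does this); the handler above confines the relaxation to the one host that needs it, so a later change to the gateway can be followed by simply dropping the handler. Either way, the fix belongs on the gateway side: a GlobalProtect portal that still lacks RFC 5746 is what the error is reporting.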
