Public bug reported:

Description:    Ubuntu Jammy Jellyfish (development branch)
Release:        22.04

openssl:
  Installed: 3.0.1-0ubuntu1
  Candidate: 3.0.1-0ubuntu1
 Version table:
 *** 3.0.1-0ubuntu1 500
        500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

Using Ubuntu 22.04, I now get the following error message when
attempting to connect to our office VPN using "gp-saml-gui
(https://github.com/dlenski/gp-saml-gui)":

#########
dominique@Doombuntu:~$ .local/bin/gp-saml-gui  server_url
Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
#########

gp-saml-gui uses the Python module requests.
Using a Python IDE, I can get the same result:

#########
>>> r = requests.get('https://server_url')
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
#########

I believe that in OpenSSL 3.0 SSL_OP_LEGACY_SERVER_CONNECT is now
disabled by default, as opposed to the version used in earlier Ubuntu
releases (tested to work fine with 20.04 and 21.10).

I can't tell what should be done here.  Is there something I can do to
enable "SSL_OP_LEGACY_SERVER_CONNECT" for this connection?  Can
something be done in the Python module, or does this require a change,
parameter or config to be set in OpenSSL?

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834

Title:
  openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

Status in openssl package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
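Editor's note on the question asked above, with an added example that is not part of the bug report or of gp-saml-gui. The reporter's guess is correct: OpenSSL 3.0 stopped setting SSL_OP_LEGACY_SERVER_CONNECT by default, so an OpenSSL 3 client now aborts the handshake with UNSAFE_LEGACY_RENEGOTIATION_DISABLED when the server does not advertise the RFC 5746 renegotiation_info extension, which is the fix for the 2009 TLS renegotiation flaw (CVE-2009-3555). A quick check from the command line is `openssl s_client -connect <gateway>:443`, which prints "Secure Renegotiation IS NOT supported" for such a server. The proper fix is on the gateway (it needs to support secure renegotiation); the client side can only opt back in. The example below does that opt-in in Python with requests, scoped as tightly as possible: the option is set on a context that otherwise keeps ssl.create_default_context()'s certificate and hostname verification, it is mounted for a single origin rather than process-wide, and it is only used after the first attempt failed with exactly this OpenSSL reason. `server_url` and `vpn.example.com` are placeholders; `legacy_session`, `is_unsafe_legacy_renegotiation` and `get_with_legacy_fallback` are names chosen for this example. The raw option value 0x4 is assumed for Python versions before 3.12, which is the first to expose ssl.OP_LEGACY_SERVER_CONNECT.

```python
import ssl
from urllib.parse import urlparse

import requests
from requests.adapters import HTTPAdapter

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT option bit. Python exposes it as
# ssl.OP_LEGACY_SERVER_CONNECT from 3.12 on; for the 3.10 shipped with Jammy
# we assume the raw value 0x4 used by OpenSSL 1.1.1 and 3.x.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# OpenSSL reason string as it appears in the ssl.SSLError message.
ERROR_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def legacy_renegotiation_context():
    """Stock verifying client context plus the single legacy option.

    Certificate verification, hostname checking and the protocol floor stay
    as ssl.create_default_context() sets them; the only thing relaxed is the
    refusal to talk to servers without RFC 5746 secure renegotiation.
    """
    ctx = ssl.create_default_context()
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


class LegacyRenegotiationAdapter(HTTPAdapter):
    """requests transport adapter that hands the relaxed context to urllib3."""

    def __init__(self, *args, **kwargs):
        self.ssl_context = legacy_renegotiation_context()
        super().__init__(*args, **kwargs)

    def init_poolmanager(self, *args, **kwargs):
        kwargs["ssl_context"] = self.ssl_context
        return super().init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        kwargs["ssl_context"] = self.ssl_context
        return super().proxy_manager_for(*args, **kwargs)


def legacy_session(host):
    """Session where only https://<host>/ uses the relaxed context.

    Every other origin keeps requests' stock adapter, so the opt-in cannot
    leak to unrelated servers (prefix matching is on the full origin plus
    slash, so "vpn.example.com.evil" does not match "vpn.example.com").
    """
    session = requests.Session()
    session.mount(f"https://{host}/", LegacyRenegotiationAdapter())
    return session


def is_unsafe_legacy_renegotiation(exc):
    """True if exc, or anything in its __cause__/__context__ chain, carries
    OpenSSL's UNSAFE_LEGACY_RENEGOTIATION_DISABLED reason."""
    seen = set()
    while exc is not None and id(exc) not in seen:
        seen.add(id(exc))
        if ERROR_REASON in str(exc):
            return True
        exc = exc.__cause__ or exc.__context__
    return False


def get_with_legacy_fallback(url, **kwargs):
    """Plain requests.get first; retry on the relaxed session only when the
    handshake failed for exactly this reason, and only for this host.

    Any other TLS failure (expired certificate, wrong hostname, ...) is
    re-raised untouched rather than being papered over.
    """
    try:
        return requests.get(url, **kwargs)
    except requests.exceptions.SSLError as exc:
        if not is_unsafe_legacy_renegotiation(exc):
            raise
        with legacy_session(urlparse(url).hostname) as session:
            return session.get(url, **kwargs)
```

Usage is `get_with_legacy_fallback("https://server_url/global-protect/prelogin.esp")`, with the real gateway name substituted. The system-wide alternative the reporter asks about is adding `Options = UnsafeLegacyServerConnect` to the `[system_default_sect]` section of /etc/ssl/openssl.cnf; that re-enables the option for every OpenSSL client on the machine and is the worse choice, because it removes the protection against the renegotiation attack from connections that never needed the exception.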
