[Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Simon Chopin
1963834 at bugs.launchpad.net
Thu Mar 10 10:51:47 UTC 2022
To be clear, the root issue is that the server is using an outdated,
insecure protocol that has been deemed so for more than a decade, and
OpenSSL finally decided to disable it by default. The "proper" way to
fix this would be for them to upgrade.
Now, that being said, we live in the real world and our users probably
don't have the power to make this decision.
I really don't understand why the upstream Python PR has been closed,
it'd have made our lives easier. We *could* carry the patch in our
Python 3.10 package, but that's just moving the problem, as our more
technical users would have this escape hatch but the others would still
be left out.
I'll get in touch with OpenSSL upstream to see if it's conceivable to
expose this flag as a configuration option.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834
Title:
openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Status in openssl package in Ubuntu:
New
Bug description:
Description: Ubuntu Jammy Jellyfish (development branch)
Release: 22.04
openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
Table de version :
*** 3.0.1-0ubuntu1 500
500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
100 /var/lib/dpkg/status
Using Ubuntu 22.04, I now get the following error message when
attempting to connect to our office VPN using "gp-saml-gui
(https://github.com/dlenski/gp-saml-gui)" :
#########
dominique at Doombuntu:~$ .local/bin/gp-saml-gui server_url
Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
#########
#########
#########
gp-saml-gui uses the Python module requests.
Using the Python IDE, I can get the same results:
#########
>>> r = requests.get('https://server_url')
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.10/ssl.py", line 1070, in _create
self.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
#########
#########
#########
I believe in OpenSSL 3.0 that SSL_OP_LEGACY_SERVER_CONNECT is now
disabled by default, as opposed to the version used in earlier Ubuntu
versions (tested to work fine with 20.04 and 21.10).
I can't tell what should be done here. Is there something I can do to
enable "SSL_OP_LEGACY_SERVER_CONNECT" for this connection? Can
something be done in the python module, or does this require a change
in, or a parameter or config to be set in, OpenSSL?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/+subscriptions
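An added example (not part of the bug report, and not code from Python, requests or gp-saml-gui) of a per-connection answer to the question in the description: it sets SSL_OP_LEGACY_SERVER_CONNECT on an SSLContext that is used only for allowlisted hosts, with certificate and hostname verification left on. The host name vpn.example.test, the allowlist and the helper names are assumptions; the numeric value 0x4 is the constant from OpenSSL's ssl.h, used because the ssl module only exports it by name from Python 3.12.

```python
import http.client
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT as defined in OpenSSL's ssl.h. Python exports
# it by name from 3.12 onwards; fall back to the numeric value before that.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Constructed allowlist (assumption): servers known to lack RFC 5746
# secure renegotiation that cannot be upgraded yet.
LEGACY_HOSTS = frozenset({"vpn.example.test"})


def make_context(allow_legacy: bool) -> ssl.SSLContext:
    """Default client context with the legacy-connect bit set or cleared."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check stay on
    opts = int(ctx.options)
    if allow_legacy:
        opts |= OP_LEGACY_SERVER_CONNECT
    else:
        # Clear it explicitly so the strict path matches the OpenSSL 3.0
        # default even when linked against an older OpenSSL.
        opts &= ~OP_LEGACY_SERVER_CONNECT
    ctx.options = opts
    return ctx


def context_for(host: str) -> ssl.SSLContext:
    """Relax the check only for allowlisted hosts; everyone else stays strict."""
    normalized = host.lower().rstrip(".")
    return make_context(normalized in LEGACY_HOSTS)


def allows_legacy(ctx: ssl.SSLContext) -> bool:
    """True if this context will connect to servers without RFC 5746."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def fetch_status(host: str, path: str = "/") -> int:
    """GET https://host/path using the context selected for that host."""
    conn = http.client.HTTPSConnection(host, context=context_for(host), timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()
```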