Ubuntu 22.04 SSL issue #42
Comments
Thanks @suoko. Does
Also, I suppose the following might help as per python/cpython#27776 (comment):

```python
import ssl

ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ctx.options |= 0x4  # SSL_OP_LEGACY_SERVER_CONNECT
```

According to psf/requests#2118 (comment):
This is the same root cause as #37.
@DimitriPapadopoulos, that looks great. Does anyone have a publicly-known server that does insecure renegotiation that I can test against? (Doesn't need to be a GP VPN, almost any TLS server that does insecure renegotiation and HTTPS queries should be okay.) @suoko, @doiiue, @larowlan… maybe you can test this patch as suggested by Dimitri?
Running the code from that branch does not fix the issue for me (on Fedora 36). Neither does the
@Lalufu This ticket was initially about Ubuntu 22.04. There may be other reasons for the failure on Fedora 36 – either different or additional reasons. Without a log or at least a few error messages, it's hard to tell. If the `~/ssl.conf` trick doesn't work for you, chances are it's a different issue. And if so, I wonder whether it would make sense to open a different ticket.
@Lalufu Does #30 (comment) help in your case?

```sh
sudo update-crypto-policies --set LEGACY
```
On Mon, May 16, 2022 at 05:36:33AM -0700, Dimitri Papadopoulos Orfanos wrote:
> @Lalufu This ticket was initially about Ubuntu 22.04. There may be other reasons for the failure on Fedora 36 – either different or additional reasons. Without a log or at least a few error messages, it's hard to tell. If the `~/ssl.conf` trick doesn't work for you, chances are it's a different issue. And if so, I wonder whether it would make sense to open a different ticket.

I'm pretty sure it's the same issue, as it presents the same error
message for the same reason (Fedora 36 now ships OpenSSL 3.0). The
config change needs to be made at a slightly different place, but using
`Options = UnsafeLegacyRenegotiation` does fix it once you've found the
right file to put it in.
So the `~/ssl.conf` trick does work for you, doesn't it? If so, what's the exact difference between Ubuntu 22.04 and Fedora 36? If not, what's the "right file"?
On Mon, May 16, 2022 at 05:40:41AM -0700, Dimitri Papadopoulos Orfanos wrote:
> @Lalufu Does #30 (comment) help in your case?
>
> ```sh
> sudo update-crypto-policies --set LEGACY
> ```

It does not.
What I did (and what solved the issue) was following
https://ask.fedoraproject.org/t/cannot-connect-to-wpa2-enterprise-university-wifi-eduroam-on-fedora-36/20288/5
which advises to put
```
Options = UnsafeLegacyRenegotiation
```
into the `[crypto_policy]` section of `/etc/pki/tls/openssl.cnf`. So
basically the same thing as the `ssl.conf` above, just in a different
place (openssl config files being the nightmare that they are)
On Mon, May 16, 2022 at 05:45:58AM -0700, Dimitri Papadopoulos Orfanos wrote:
> > The config change needs to be made at a slightly different place, but using
> > `Options = UnsafeLegacyRenegotiation` does fix it once you've found the
> > right file to put it in.
>
> So the `~/ssl.conf` trick does work for you, doesn't it? If so, what's the exact difference between Ubuntu 22.04 and Fedora 36? If not, what's the "right file"?

It does not work as presented above. Preparing a `~/ssl.conf` and
calling the program with the `OPENSSL_CONF` env var pointing towards it
does not solve the issue on F36 (at least for me).
Putting `Options = UnsafeLegacyRenegotiation` into the `[crypto_policy]`
section of `/etc/pki/tls/openssl.cnf` does.
Ultimately those two do the same thing, re-enabling unsafe
renegotiation, per-process on Ubuntu and system wide on Fedora. I'm sure
there is a way to do the per-process thing on Fedora as well, but I don't
know how.
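The per-process `OPENSSL_CONF` workaround being compared above, as an added example that is not code from this issue or from gp-saml-gui: it writes a config file of the shape used by the `~/ssl.conf` trick, runs a child interpreter under `OPENSSL_CONF`, and reads back whether freshly created contexts carry `SSL_OP_LEGACY_SERVER_CONNECT`. The config text, the `legacy_renegotiation_enabled` helper and the probe string are my own; the example assumes Python linked against OpenSSL 1.1.1 or later, where libssl loads the config file automatically and applies the `system_default` commands to every new `SSL_CTX`. On a machine where the trick "does not work" (the Fedora 36 report above), the second line of output tells you whether the file was honoured at all. On OpenSSL 1.1.1 the option is on by default, so both lines print `True` there; on OpenSSL 3 only the second should.

```python
import os
import ssl
import subprocess
import sys
import tempfile
import textwrap

# Constructed OpenSSL config (same shape as the "~/ssl.conf" trick). The
# system_default commands are applied to every SSL_CTX this process
# creates, so SSL_OP_LEGACY_SERVER_CONNECT is set without code changes.
LEGACY_RENEG_CONF = textwrap.dedent("""\
    openssl_conf = openssl_init

    [openssl_init]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    Options = UnsafeLegacyRenegotiation
""")

# SSL_OP_LEGACY_SERVER_CONNECT is 0x4 in OpenSSL's ssl.h; Python 3.12+
# exposes it by name, older versions do not.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Probe run in a child interpreter: OpenSSL reads OPENSSL_CONF at library
# init, so the check must happen in a process that starts with it set.
PROBE = ("import ssl; ctx = ssl.create_default_context(); "
         f"print(int(bool(ctx.options & {OP_LEGACY_SERVER_CONNECT})))")


def legacy_renegotiation_enabled(conf_text=None):
    """Report whether new SSLContexts in a child process carry
    SSL_OP_LEGACY_SERVER_CONNECT, optionally under a given OPENSSL_CONF."""
    env = dict(os.environ)
    env.pop("OPENSSL_CONF", None)
    path = None
    try:
        if conf_text is not None:
            fd, path = tempfile.mkstemp(suffix=".cnf")
            with os.fdopen(fd, "w") as f:
                f.write(conf_text)
            env["OPENSSL_CONF"] = path
        out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                             capture_output=True, text=True, check=True).stdout
        return out.strip() == "1"
    finally:
        if path:
            os.unlink(path)


if __name__ == "__main__":
    print("OpenSSL  :", ssl.OPENSSL_VERSION)
    print("default  :", legacy_renegotiation_enabled())
    print("with conf:", legacy_renegotiation_enabled(LEGACY_RENEG_CONF))
```

The helper deliberately removes any inherited `OPENSSL_CONF` for the baseline run, so the two lines differ only in the config file; if the second line is `False`, the distribution is applying its crypto policy through some other path and the per-process file is not the place to fix it.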
Thanks for testing that patch @Lalufu. Hrm. This is extremely frustrating, because we know there's a (relatively trivial) shared cause of the issues here: OpenSSL is refusing to connect to servers that use "unsafe legacy renegotiation." What we need is a consistent and reliable mechanism to (re)enable that unsafe legacy renegotiation in the library. That's going to be very hard to test for without a server that exhibits it. If anyone has one that they can share here (or even email me in private) that'd be helpful…
I've been using gp-saml-gui for a couple of years, and I have always had the same issue. Instead of dealing with config files, I just add the following line at the beginning of gp_saml_gui.py and test-globalprotect-login.py:

Actually, I didn't read the whole thing. My issue is a different one, I get the following error if I don't include that line:
@Legimet, interesting. Looks like you've run into (yet another) way in which VPN servers can have old/bad/insecure crypto. 🤦♂️ As I wrote in https://github.com/dlenski/gp-saml-gui/issues/37#issuecomment-1063514658…
Actually, that was too optimistic. Between Python In (^ @dwmw2 may be interested in this)
Perhaps the workarounds could be documented in the README or a wiki page, in this project or the OpenConnect documentation:
I thought the

An alternative to modifying the system configuration file

@Legimet Can you confirm that both the

So far, it appears the following might work to connect to insecure legacy VPN gateways:

I would suggest adding an

In any case, it might be worth trying to catch errors caused by legacy insecure servers and print an error message with suggestions.
I'm on Ubuntu 22.04. Which exact issue can I reproduce with
There are different kinds of insecure negotiations. Does this VPN server reproduce the initial issue reported on Ubuntu 22.04? |
Good news, dlenski/what-vpn#19 appears to be working around the SSL errors of Before the patch:
After the patch:
By the way,
And it also helps confirm that the new option
Thank you for providing |
@suoko Does it work better for you on Ubuntu 22.04 with option `--allow-insecure-crypto` introduced in #48? Please give this branch a try:
https://github.com/DimitriPapadopoulos/gp-saml-gui/tree/insecure_crypto

@Legimet I believe #48 will work around not only the unsafe legacy renegotiation case reported by @suoko, but also the weak Diffie-Hellman key exchange size case reported by you. Can you give it a try?

@Lalufu If #48 doesn't work for you on Fedora 36, please open a new issue.
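What a switch like `--allow-insecure-crypto` has to do on the Python side, as an added example that combines Dimitri's `ctx.options |= 0x4` suggestion earlier in the thread with the weak Diffie-Hellman case; this is not the code of #48 or of gp-saml-gui. The `make_client_context`, `allows_legacy_renegotiation` and `diagnose` helpers and the `HINTS` table are my own. The two OpenSSL reason strings in `HINTS` are the libssl texts as I know them (`SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED` and `SSL_R_DH_KEY_TOO_SMALL`); the page itself elides the exact messages, so treat them as an assumption. The context uses `Purpose.SERVER_AUTH` so that certificate and hostname verification stay on; only the renegotiation and key-size checks are relaxed. Assumes OpenSSL 1.1.0 or later for the `@SECLEVEL` cipher-string syntax.

```python
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT is 0x4 in OpenSSL's ssl.h; Python 3.12+
# exposes it by name, older versions do not.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))


def make_client_context(allow_insecure_crypto=False):
    """Client-side context; SERVER_AUTH keeps CA and hostname checks on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if allow_insecure_crypto:
        # Case 1 (this issue): the gateway never implemented RFC 5746 secure
        # renegotiation. OpenSSL 3 refuses such servers unless this is set.
        ctx.options |= OP_LEGACY_SERVER_CONNECT
        # Case 2 (the weak-DH report): the gateway offers a DH group that the
        # default security level rejects as too small. Level 0 removes that
        # floor for this context only; verification settings are untouched.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def allows_legacy_renegotiation(ctx):
    """True if the context will connect to servers without secure renegotiation."""
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


# Assumed OpenSSL reason strings (lower-cased) for the two failure modes,
# mapped to the suggestion a user should see instead of a bare traceback.
HINTS = {
    "unsafe legacy renegotiation disabled": (
        "The gateway does not support secure renegotiation (RFC 5746). "
        "Retry with --allow-insecure-crypto, or run with OPENSSL_CONF pointing "
        "at a config that sets 'Options = UnsafeLegacyRenegotiation'."
    ),
    "dh key too small": (
        "The gateway offers a Diffie-Hellman group smaller than OpenSSL's "
        "default security level permits. Retry with --allow-insecure-crypto "
        "(lowers the security level to 0 for this connection only)."
    ),
}


def diagnose(err):
    """Return a hint for an ssl.SSLError caused by a legacy gateway, else None."""
    text = str(err).lower()
    for needle, hint in HINTS.items():
        if needle in text:
            return hint
    return None


if __name__ == "__main__":
    ctx = make_client_context(allow_insecure_crypto=True)
    print("legacy renegotiation allowed:", allows_legacy_renegotiation(ctx))
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    # Constructed sample of the message shape Python's ssl module produces.
    print(diagnose("[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)"))
```

A caller would wrap the connection in `try/except ssl.SSLError as e`, print `diagnose(e)` when it is not `None`, and re-raise otherwise, so that only the two known legacy-gateway failures get the "retry insecurely" suggestion.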
On Sat, Jun 11, 2022 at 11:10:51AM -0700, Dimitri Papadopoulos Orfanos wrote:
> @suoko Does it work better for you on Ubuntu 22.04 with option `--allow-insecure-crypto` introduced in #48? Please give this branch a try:
> https://github.com/DimitriPapadopoulos/gp-saml-gui/tree/insecure_crypto

That URL 404's for me
--
"If the idea of a protocol behaving like a rabid, diseased, sex-crazed
bunny rabbit appeals to you, AppleTalk is for you."
-- John Kennedy, in comp.dcom.sys.cisco
@Lalufu Yes, that branch has been merged. Just test the latest version from the `master` branch.
On Sun, Jun 12, 2022 at 01:18:45PM -0700, Dimitri Papadopoulos Orfanos wrote:
> @Lalufu Yes, that branch has been merged. Just test the latest version from the `master` branch.

I can confirm that the master branch with --allow-insecure-crypto works
on F36 without having to change global SSL parameters.
If you have problems, check this:
at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834