[Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Matthew Geier
1963834 at bugs.launchpad.net
Wed Apr 27 01:45:20 UTC 2022
It's a bit of an 'own goal' if this gets marked as 'won't fix'. As students upgrade to 22.04 where I work, they will find they can't connect to the institution's or research centre's wireless network. They won't care that the SSL change is protecting them from an old SSL bug; they will just come back with 'it works in Windows but not Ubuntu'.
Central IT services who run the wireless will just shrug and say 'Linux not supported'.
Need to make it easier to find how to turn on the legacy insecure mode.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834
Title:
openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Status in openssl package in Ubuntu:
Won't Fix
Bug description:
Description: Ubuntu Jammy Jellyfish (development branch)
Release: 22.04
openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
Table de version :
*** 3.0.1-0ubuntu1 500
500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
100 /var/lib/dpkg/status
Using Ubuntu 22.04, I now get the following error message when
attempting to connect to our office VPN using "gp-saml-gui
(https://github.com/dlenski/gp-saml-gui)" :
#########
dominique at Doombuntu:~$ .local/bin/gp-saml-gui server_url
Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
#########
gp-saml-gui uses python module requests.
Using python ide, I can get the same results :
#########
>>> r = requests.get('https://server_url')
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.10/ssl.py", line 1070, in _create
self.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
#########
I believe in OpenSSL 3.0 that SSL_OP_LEGACY_SERVER_CONNECT is now
disabled by default, as opposed to the version used in earlier Ubuntu
versions (tested to work fine with 20.04 and 21.10).
I can't tell what should be done here. Is there something I can do to
enable "SSL_OP_LEGACY_SERVER_CONNECT" for this connection? Can
something be done in the python module, or does this require a change
in, or a parameter or config to be set in, OpenSSL?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/+subscriptions