openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Description: Ubuntu Jammy Jellyfish (development branch)
Release: 22.04
openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
Table de version :
*** 3.0.1-0ubuntu1 500
500 http://
100 /var/lib/
Using Ubuntu 22.04, I now get the following error message when attempting to connect to our office VPN using "gp-saml-gui (https:/
#########
dominique@
Looking for SAML auth tags in response to https:/
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,
gp-saml-gui: error: SSL error: [SSL: UNSAFE_
#########
gp-saml-gui uses the Python module requests.
Using the Python IDE, I can get the same results:
#########
>>> r = requests.get('https:/
Traceback (most recent call last):
File "/usr/lib/
httplib_
File "/usr/lib/
self.
File "/usr/lib/
conn.connect()
File "/usr/lib/
self.sock = ssl_wrap_socket(
File "/usr/lib/
ssl_sock = _ssl_wrap_
File "/usr/lib/
return ssl_context.
File "/usr/lib/
return self.sslsocket_
File "/usr/lib/
self.
File "/usr/lib/
self.
ssl.SSLError: [SSL: UNSAFE_
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/
resp = conn.urlopen(
File "/usr/lib/
retries = retries.increment(
File "/usr/lib/
raise MaxRetryError(
urllib3.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
return request('get', url, params=params, **kwargs)
File "/usr/lib/
return session.
File "/usr/lib/
resp = self.send(prep, **send_kwargs)
File "/usr/lib/
r = adapter.
File "/usr/lib/
raise SSLError(e, request=request)
requests.
#########
I believe in OpenSSL 3.0 that SSL_OP_
I can't tell what should be done here. Is there something I can do to enable "SSL_OP_
tags: added: openssl3
It looks like this was added in:
https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
in order to address servers that have not yet been updated for CVE-2009-3555.
It's possible to add a flag at the C level to connect insecurely, SSL_OP_LEGACY_SERVER_CONNECT, but I don't see this added to Python:
https://bugs.python.org/issue44888
https://github.com/python/cpython/pull/27776
Thus it might not be easily reachable from Python programs.
Best would be to update the remote server to address CVE-2009-3555 (it might also be known as "support RFC 5746"). I'm not sure what to suggest for programs written in Python.
Thanks
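A defender-side way to diagnose this failure, added here as an example (standard library only; not code from the bug report, from gp-saml-gui or from requests): it recognises the OpenSSL refusal even when requests has wrapped it in the chained exceptions shown in the traceback above, and audits whether an SSLContext has the SSL_OP_LEGACY_SERVER_CONNECT bit (0x4) set, without ever enabling it. `simulated_legacy_failure` builds a constructed stand-in for the real chained exception so the script runs offline.

```python
"""Diagnose OpenSSL 3.0's UNSAFE_LEGACY_RENEGOTIATION_DISABLED refusal.
Added example, stdlib only; it never enables the insecure option, since the
proper fix is the server gaining RFC 5746 secure renegotiation."""
import ssl

REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"

# SSL_OP_LEGACY_SERVER_CONNECT is bit 0x4 in OpenSSL's ssl.h. Python 3.12+
# exposes it as ssl.OP_LEGACY_SERVER_CONNECT; older versions have no name for it.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

def is_legacy_renegotiation_error(exc):
    """True if exc, or an exception chained beneath it, is this refusal.
    requests wraps the ssl.SSLError in urllib3's MaxRetryError and then in
    requests.exceptions.SSLError, so the chain is walked via __cause__ and
    __context__ instead of matching only the outermost error."""
    seen = set()
    while exc is not None and id(exc) not in seen:
        seen.add(id(exc))
        if isinstance(exc, ssl.SSLError) and (
            getattr(exc, "reason", None) == REASON or REASON in str(exc)
        ):
            return True
        exc = exc.__cause__ or exc.__context__
    return False

def allows_legacy_server_connect(ctx_or_options):
    """Audit helper: does an SSLContext (or a raw options value) opt back
    into insecure renegotiation? A fresh context on OpenSSL 3.0 answers
    False; code that flips the bit, or a library doing so, answers True."""
    options = getattr(ctx_or_options, "options", ctx_or_options)
    return bool(int(options) & OP_LEGACY_SERVER_CONNECT)

def simulated_legacy_failure():
    """Constructed stand-in for the three-deep traceback in the report:
    ssl.SSLError -> transport retry error -> client-level error."""
    inner = ssl.SSLError(1, f"[SSL: {REASON}] unsafe legacy renegotiation disabled")
    try:
        try:
            raise inner
        except ssl.SSLError as e:
            raise ConnectionError("Max retries exceeded") from e
    except ConnectionError as outer:
        return outer

if __name__ == "__main__":
    print("classified as legacy renegotiation:", is_legacy_renegotiation_error(simulated_legacy_failure()))
    print("default context allows legacy connect:", allows_legacy_server_connect(ssl.create_default_context()))
```

Run against a real client, wrap the connection attempt and pass the caught exception to `is_legacy_renegotiation_error` to tell this server-side RFC 5746 gap apart from certificate or network problems.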