Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow legacy renegotiation, and failing redirect detection #126

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Allow legacy renegotiation, and failing redirect detection #126

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
913e382
Allow legacy connect, which is not the default in OpenSSL 3.0.
danchr Aug 4, 2023
2840165
Don't fail, but issue a warning when detecting redirect fails
danchr Feb 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 35 additions & 3 deletions openconnect_sso/authenticator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@
import requests
import structlog
from lxml import etree, objectify
import ssl
from requests import adapters
import urllib3

from openconnect_sso.saml_authenticator import authenticate_in_browser

Expand Down Expand Up @@ -55,9 +58,13 @@ async def authenticate(self, display_mode):
def _detect_authentication_target_url(self):
# Follow possible redirects in a GET request
# Authentication will occur using a POST request on the final URL
response = requests.get(self.host.vpn_url)
response.raise_for_status()
self.host.address = response.url
try:
response = self.session.get(self.host.vpn_url)
response.raise_for_status()
self.host.address = response.url
except Exception:
logger.warn("Failed to check for redirect")
self.host.address = self.host.vpn_url
logger.debug("Auth target url", url=self.host.vpn_url)

def _start_authentication(self):
Expand Down Expand Up @@ -90,8 +97,33 @@ class AuthResponseError(AuthenticationError):
pass


class AllowLegacyRenegotionAdapter(adapters.HTTPAdapter):
"""“Transport adapter” that allows us to use legacy renogation.

Such renegotiation is disabled by default in OpenSSL 3.0. This
suppresses errors such as:

SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe
legacy renegotiation disabled (_ssl.c:992)')

"""

def init_poolmanager(self, connections, maxsize, block=False):
ctx = urllib3.util.ssl_.create_urllib3_context()
ctx.load_default_certs()
ctx.options |= 0x4 # ssl.OP_LEGACY_SERVER_CONNECT

self.poolmanager = urllib3.PoolManager(
ssl_context=ctx,
num_pools=connections,
maxsize=maxsize,
block=block,
)


def create_http_session(proxy, version):
session = requests.Session()
session.mount("https://", AllowLegacyRenegotionAdapter())
session.proxies = {"http": proxy, "https": proxy}
session.headers.update(
{
Expand Down