Can we reopen this and potentially backport OpenSSL 3.0.5 from kinetic to jammy?
The "UnsafeLegacyServerConnect" option was mentioned above in #3. Unfortunately, that option was documented but not implemented in the 3.0.2 OpenSSL release available in the jammy repos. (See https://github.com/openssl/openssl/pull/18296) Enabling UnsafeLegacyRenegotiation is not acceptable and shouldn't be done. This is actually less secure than version 1.1.1 (which is what the previous LTS focal has available) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1963834 Title: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] Status in openssl package in Ubuntu: Won't Fix Bug description: Description: Ubuntu Jammy Jellyfish (development branch) Release: 22.04 openssl: Installé : 3.0.1-0ubuntu1 Candidat : 3.0.1-0ubuntu1 Table de version : *** 3.0.1-0ubuntu1 500 500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages 100 /var/lib/dpkg/status Using Ubuntu 22.04, I now get the following error message when attempting to connect to our office VPN using "gp-saml-gui (https://github.com/dlenski/gp-saml-gui)" : ######### dominique@Doombuntu:~$ .local/bin/gp-saml-gui server_url Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp... usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...] gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) ######### ######### ######### gp-saml-gui uses python module requests. Using python ide, I can get the same results : ######### >>> r = requests.get('https://server_url') Traceback (most recent call last): File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen httplib_response = self._make_request( File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request self._validate_conn(conn) File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn conn.connect() File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect self.sock = ssl_wrap_socket( File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket ssl_sock = _ssl_wrap_socket_impl( File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock, server_hostname=server_hostname) File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket return self.sslsocket_class._create( File "/usr/lib/python3.10/ssl.py", line 1070, in _create self.do_handshake() File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send resp = conn.urlopen( File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen retries = retries.increment( File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get return request('get', url, params=params, **kwargs) File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request return session.request(method=method, url=url, **kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request resp = self.send(prep, **send_kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send r = adapter.send(request, **kwargs) File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) ######### ######### ######### I believe in OpenSSL 3.0 that SSL_OP_LEGACY_SERVER_CONNECT is now disabled by default, as opposed to the version used in earlier Ubuntu versions (tested to work fine with 20.04 and 21.10). I can't tell what should be done here. Is there something I can do to allow enable "SSL_OP_LEGACY_SERVER_CONNECT" for this connection ? Can something be done in the python module, or does this require a change in or parameter or config to be set in OpenSSL ? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
