Allow legacy renegotiation, and failing redirect detection

Open danchr opened this issue 2 years ago • 6 comments

When trying out OpenConnect SSO on my Mac using OpenSSL 3, I get the following error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:992)')))

I addressed this by setting the relevant flag on the SSL context. In addition, the redirect detection seemed to fail, so I suppressed the error and issued a warning instead. With those changes, I was able to connect to the VPN in question.

(This is a replacement for #124 that targets master. I haven't actually tested this branch, as I don't have PyQt6 installed at the moment.)

Fixes #81.

danchr avatar Mar 08 '23 12:03 danchr
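
Added example, not the PR's patch or openconnect-sso's own code: one way to set the legacy-renegotiation flag on an SSL context for `requests` while keeping certificate verification on and limiting the relaxation to a single origin, since the flag re-admits servers without RFC 5746 secure renegotiation. The function names and the `vpn.example.com` origin are assumptions made for illustration.

```python
import ssl

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT bit; Python exposes it by name from 3.12,
# so fall back to the numeric value (0x4) on older interpreters.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def legacy_renegotiation_context():
    """Default client context plus the legacy-renegotiation opt-in.

    Certificate and hostname verification stay enabled; only the
    secure-renegotiation requirement that OpenSSL 3 enforces is relaxed.
    """
    ctx = ssl.create_default_context()
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def scoped_session(vpn_origin):
    """Return a requests.Session that relaxes the check for one origin only.

    vpn_origin is a URL prefix such as "https://vpn.example.com/" (placeholder).
    Every other HTTPS request keeps the library's default TLS behaviour.
    """
    import requests
    from requests.adapters import HTTPAdapter

    class LegacyRenegotiationAdapter(HTTPAdapter):  # hypothetical helper name
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = legacy_renegotiation_context()
            return super().init_poolmanager(*args, **kwargs)

        def proxy_manager_for(self, *args, **kwargs):
            kwargs["ssl_context"] = legacy_renegotiation_context()
            return super().proxy_manager_for(*args, **kwargs)

    session = requests.Session()
    # Mount on the full origin, not on "https://", so the flag is not global.
    session.mount(vpn_origin, LegacyRenegotiationAdapter())
    return session
```

Calls made through the returned session with `verify=False` would discard the certificate checks this context keeps, so leave `verify` at its default.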

Why do you need to set verify=False for the redirect detection?

vlaci avatar Jul 14 '23 15:07 vlaci

Why do you need to set verify=False for the redirect detection?

To be honest, I don't remember the details… I tried again, and it seems to work without it, so I've dropped the change 🙂

danchr avatar Aug 04 '23 18:08 danchr

Could you take another look at this one, @vlaci? It'd be great to get it in 🙂

danchr avatar Oct 05 '23 08:10 danchr

I also received this error. I fixed it with your patch. It would be nice if this were merged.

chizhanov avatar Mar 18 '24 20:03 chizhanov

This problem is definitely related to https://github.com/urllib3/urllib3/issues/2653

chizhanov avatar Mar 18 '24 22:03 chizhanov

@vlaci This PR is quite old — could you perhaps review it?

danchr avatar May 14 '25 10:05 danchr