| alkisg | No idea about this PPA's future, I only know it's there now... | 04:58 |
|---|---|---|
| lotuspsychje_ | what about alkisg ? | 05:02 |
| === lotuspsychje_ is now known as lotuspsychje | ||
| alkisg | About the firefox PPA mentioned above | 05:03 |
| lotuspsychje | oh, i wasnt folowwing | 05:03 |
| mander | Hello, I need some help, this morning the audio output has suddenly disappeared, I can only see "Dummy Output". I tried to reinstall alsa and to add the line "options snd-hda-intel model=generic" at the end of alsa-base.conf with no luck, can you guys help me? I'm on ubuntu 22.04 | 10:49 |
| dominique | Hello ! I need info or help about what appears to be related to OpenSSL 3.0 coming with Jammy | 16:36 |
| lotuspsychje | dominique: please state your issue in the channel, so volunteers can help debug you better | 16:38 |
| dominique | Problem happens with python3 request module, used by a script we use to connect our Global Protect VPN. | 16:40 |
| dominique | Using python3, >>> import requests | 16:41 |
| dominique | >>> import requests | 16:41 |
| dominique | >>> r = requests.get(' | 16:41 |
| dominique | >>> r = requests.get('some_server_apparently_not_supporting_legacy_renegotiation') | 16:42 |
| dominique | Traceback (most recent call last): | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen | 16:43 |
| dominique | httplib_response = self._make_request( | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request | 16:43 |
| dominique | self._validate_conn(conn) | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn | 16:43 |
| dominique | conn.connect() | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect | 16:43 |
| dominique | self.sock = ssl_wrap_socket( | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket | 16:43 |
| dominique | ssl_sock = _ssl_wrap_socket_impl( | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl | 16:43 |
| dominique | return ssl_context.wrap_socket(sock, server_hostname=server_hostname) | 16:43 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket | 16:43 |
| dominique | return self.sslsocket_class._create( | 16:43 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 1070, in _create | 16:43 |
| dominique | self.do_handshake() | 16:43 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake | 16:43 |
| dominique | self._sslobj.do_handshake() | 16:43 |
| dominique | ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) | 16:43 |
| dominique | During handling of the above exception, another exception occurred: | 16:43 |
| dominique | Traceback (most recent call last): | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send | 16:43 |
| dominique | resp = conn.urlopen( | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen | 16:43 |
| dominique | retries = retries.increment( | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment | 16:43 |
| dominique | raise MaxRetryError(_pool, url, error or ResponseError(cause)) | 16:43 |
| dominique | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) | 16:43 |
| dominique | During handling of the above exception, another exception occurred: | 16:43 |
| dominique | Traceback (most recent call last): | 16:43 |
| dominique | File "<stdin>", line 1, in <module> | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get | 16:43 |
| dominique | return request('get', url, params=params, **kwargs) | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request | 16:43 |
| dominique | return session.request(method=method, url=url, **kwargs) | 16:43 |
| dominique | File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request | 16:44 |
| dominique | resp = self.send(prep, **send_kwargs) | 16:44 |
| dominique | File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send | 16:44 |
| dominique | r = adapter.send(request, **kwargs) | 16:44 |
| dominique | File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send | 16:44 |
| dominique | raise SSLError(e, request=request) | 16:44 |
| dominique | requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) | 16:44 |
| dominique | >>> | 16:44 |
| lotuspsychje | !paste | dominique | 16:44 |
| ubottu | dominique: For posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic. | 16:44 |
| dominique | oh ! sorry, first time here. | 16:45 |
| lotuspsychje | dont worry dominique i should have mentioned it in the first place | 16:46 |
| Maik | no worries dominique :) | 16:46 |
| dominique | >>> import requests | 16:47 |
| dominique | >>> r = requests.get('https://vpn-mtl.intelerad.com') | 16:48 |
| dominique | Traceback (most recent call last): | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen | 16:48 |
| dominique | httplib_response = self._make_request( | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request | 16:48 |
| dominique | self._validate_conn(conn) | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn | 16:48 |
| dominique | conn.connect() | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect | 16:48 |
| dominique | self.sock = ssl_wrap_socket( | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket | 16:48 |
| dominique | ssl_sock = _ssl_wrap_socket_impl( | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl | 16:48 |
| dominique | return ssl_context.wrap_socket(sock, server_hostname=server_hostname) | 16:48 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket | 16:48 |
| dominique | return self.sslsocket_class._create( | 16:48 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 1070, in _create | 16:48 |
| dominique | self.do_handshake() | 16:48 |
| dominique | File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake | 16:48 |
| dominique | self._sslobj.do_handshake() | 16:48 |
| dominique | ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) | 16:48 |
| dominique | During handling of the above exception, another exception occurred: | 16:48 |
| dominique | Traceback (most recent call last): | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send | 16:48 |
| dominique | resp = conn.urlopen( | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen | 16:48 |
| dominique | retries = retries.increment( | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment | 16:48 |
| dominique | raise MaxRetryError(_pool, url, error or ResponseError(cause)) | 16:48 |
| dominique | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) | 16:48 |
| dominique | During handling of the above exception, another exception occurred: | 16:48 |
| dominique | Traceback (most recent call last): | 16:48 |
| dominique | File "<stdin>", line 1, in <module> | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get | 16:48 |
| dominique | return request('get', url, params=params, **kwargs) | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request | 16:48 |
| dominique | return session.request(method=method, url=url, **kwargs) | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request | 16:48 |
| dominique | resp = self.send(prep, **send_kwargs) | 16:48 |
| dominique | File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send | 16:48 |
| dominique | r = adapter.send(request, **kwargs) | 16:49 |
| dominique | File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send | 16:49 |
| dominique | raise SSLError(e, request=request) | 16:49 |
| dominique | requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) | 16:49 |
| dominique | hummm.... | 16:49 |
| dominique | oh got it. | 16:49 |
| dominique | here : https://paste.ubuntu.com/p/PRrQDgJm8y/ | 16:49 |
| krytarik | dominique: Another accidental paste like this I'd avoid btw.. | 16:50 |
| dominique | Got it. That was the last. I saw that big green "Copy to clipboard" button and, I didn't had any coffee yet. | 16:52 |
| dominique | I did the exact same from a VM with Ubuntu 21.10. No issue. Python requests module is the same version, openssl is 1.1.1l (I think) | 16:55 |
| lotuspsychje | dominique: is this you? bug #1960268 | 16:56 |
| ubottu | Bug 1960268 in openssl (Ubuntu) "SSL handshake failed - VPN SSL broken in 22.04" [Undecided, New] https://launchpad.net/bugs/1960268 | 16:56 |
| dominique | no | 16:57 |
| lotuspsychje | i mean, does this affect your case | 16:58 |
| dominique | for linux users at our place, we use gp-saml-gui | 16:58 |
| dominique | https://github.com/dlenski/gp-saml-gui | 16:59 |
| lotuspsychje | not familiar with that myself | 16:59 |
| dominique | his script opens a browser from where we authenticate, on success it outputs a openconnect string we can use to open the VPN connection. | 17:01 |
| lotuspsychje | dominique: here's the list of most recent openssl bugs on ubuntu; https://bugs.launchpad.net/ubuntu/+source/openssl/+bugs?orderby=importance&start=0 | 17:01 |
| lotuspsychje | dominique: if you dont feel, your bug is present there, you could consider filing a new !bug from a terminal; ubuntu-bug openssl | 17:03 |
| dominique | excellent | 17:03 |
| lotuspsychje | and share the bug ID here after, maybe more logs/info might be able to enlight your issue | 17:04 |
| dominique | Will do. Found nothing about UNSAFE_LEGACY_RENEGOTIATION_DISABLED. Cost nothing to open one and wee where it lands. | 17:05 |
| dominique | Thanks for the help. | 17:05 |
| lotuspsychje | welcome dominique | 17:05 |
| tomreyn | i guess (have not checked) that openssl 3.0 disables / removes support for unsafe legacy renegotiation. earlier openssl releases still supported it, even though it was known to be unsafe. | 17:11 |
| tomreyn | and apparently the script you're using expects to be able to use unsafe legacy renegotiation, which would be why it would stop working with openssl 3.0 | 17:12 |
| tomreyn | this is just a theory, though. | 17:12 |
| tomreyn | there are two forms of tls renegotiation - the old, 'legacy# , one, which ahs been proven to be weak / insecure. and a newer one, which is, so far, assumed to be safe to use. another option is not to renegotiate and just restart the connection, but this can be costly. | 17:14 |
| tomreyn | dominique: ^ | 17:15 |
| tomreyn | see "Changes between 1.1.1 and 3.0.0 [7 sep 2021]" -> "Client-initiated renegotiation is disabled by default." at https://www.openssl.org/news/changelog.html | 17:18 |
| dominique | There is a section about renegotiation here https://www.openssl.org/docs/man3.0/man3/SSL_get_secure_renegotiation_support.html | 17:42 |
| dominique | I used ssllabs.com and could see that our server has renegotiation disabled. | 17:43 |
| dominique | from the openssl docs, it mentions that for "Patched OpenSSL client and unpatched server", options can be set. | 17:45 |
| dominique | But I have no clue where SSL_OP_LEGACY_SERVER_CONNECT is set. At compilation ? From the module in code that calls openssl ? | 17:47 |
| lotuspsychje | tnx for bug #1963834 dominique | 18:54 |
| ubottu | Bug 1963834 in openssl (Ubuntu) "openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]" [Undecided, New] https://launchpad.net/bugs/1963834 | 18:54 |
| lotuspsychje | dominique: can you also run; apport-collect 1963834 from a terminal? | 18:55 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!