[04:58] <alkisg> No idea about this PPA's future, I only know it's there now...
[05:02] <lotuspsychje_> what about alkisg ?
[05:03] <alkisg> About the firefox PPA mentioned above
[05:03] <lotuspsychje> oh, i wasn't following
[10:49] <mander> Hello, I need some help, this morning the audio output has suddenly disappeared, I can only see "Dummy Output". I tried to reinstall alsa and to add the line "options snd-hda-intel model=generic" at the end of alsa-base.conf with no luck, can you guys help me? I'm on ubuntu 22.04
[16:36] <dominique> Hello !   I need info or help about what appears to be related to OpenSSL 3.0 coming with Jammy 
[16:38] <lotuspsychje> dominique: please state your issue in the channel, so volunteers can help debug you better
[16:40] <dominique> Problem happens with python3 request module, used by a script we use to connect our Global Protect VPN.   
[16:41] <dominique> Using python3, >>> import requests
[16:41] <dominique> >>> import requests
[16:41] <dominique> >>> r = requests.get('
[16:42] <dominique> >>> r = requests.get('some_server_apparently_not_supporting_legacy_renegotiation')
[16:43] <dominique> Traceback (most recent call last):
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
[16:43] <dominique>     httplib_response = self._make_request(
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
[16:43] <dominique>     self._validate_conn(conn)
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
[16:43] <dominique>     conn.connect()
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
[16:43] <dominique>     self.sock = ssl_wrap_socket(
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
[16:43] <dominique>     ssl_sock = _ssl_wrap_socket_impl(
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
[16:43] <dominique>     return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
[16:43] <dominique>   File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
[16:43] <dominique>     return self.sslsocket_class._create(
[16:43] <dominique>   File "/usr/lib/python3.10/ssl.py", line 1070, in _create
[16:43] <dominique>     self.do_handshake()
[16:43] <dominique>   File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
[16:43] <dominique>     self._sslobj.do_handshake()
[16:43] <dominique> ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
[16:43] <dominique> During handling of the above exception, another exception occurred:
[16:43] <dominique> Traceback (most recent call last):
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
[16:43] <dominique>     resp = conn.urlopen(
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
[16:43] <dominique>     retries = retries.increment(
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
[16:43] <dominique>     raise MaxRetryError(_pool, url, error or ResponseError(cause))
[16:43] <dominique> urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
[16:43] <dominique> During handling of the above exception, another exception occurred:
[16:43] <dominique> Traceback (most recent call last):
[16:43] <dominique>   File "<stdin>", line 1, in <module>
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
[16:43] <dominique>     return request('get', url, params=params, **kwargs)
[16:43] <dominique>   File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
[16:43] <dominique>     return session.request(method=method, url=url, **kwargs)
[16:44] <dominique>   File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
[16:44] <dominique>     resp = self.send(prep, **send_kwargs)
[16:44] <dominique>   File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
[16:44] <dominique>     r = adapter.send(request, **kwargs)
[16:44] <dominique>   File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
[16:44] <dominique>     raise SSLError(e, request=request)
[16:44] <dominique> requests.exceptions.SSLError: HTTPSConnectionPool(host='vpn-mtl.intelerad.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))
[16:44] <dominique> >>> 
[16:44] <lotuspsychje> !paste | dominique 
[16:45] <dominique> oh !  sorry, first time here. 
[16:46] <lotuspsychje> don't worry dominique i should have mentioned it in the first place
[16:46] <Maik> no worries dominique :)
[16:47] <dominique> >>> import requests
[16:48] <dominique> >>> r = requests.get('https://vpn-mtl.intelerad.com')
[16:49] <dominique> hummm.... 
[16:49] <dominique> oh got it.
[16:49] <dominique> here : https://paste.ubuntu.com/p/PRrQDgJm8y/
[16:50] <krytarik> dominique: Another accidental paste like this I'd avoid btw..
[16:52] <dominique> Got it.  That was the last.  I saw that big green "Copy to clipboard" button and I didn't have any coffee yet.
[16:55] <dominique> I did the exact same from a VM with Ubuntu 21.10.  No issue.  Python requests module is the same version, openssl is 1.1.1l (I think)
[16:56] <lotuspsychje> dominique: is this you? bug #1960268
[16:57] <dominique> no
[16:58] <lotuspsychje> i mean, does this affect your case
[16:58] <dominique> for linux users at our place, we use gp-saml-gui
[16:59] <dominique> https://github.com/dlenski/gp-saml-gui
[16:59] <lotuspsychje> not familiar with that myself
[17:01] <dominique> his script opens a browser from where we authenticate, on success it outputs an openconnect string we can use to open the VPN connection.
[17:01] <lotuspsychje> dominique: here's the list of most recent openssl bugs on ubuntu; https://bugs.launchpad.net/ubuntu/+source/openssl/+bugs?orderby=importance&start=0
[17:03] <lotuspsychje> dominique: if you don't feel your bug is present there, you could consider filing a new !bug from a terminal; ubuntu-bug openssl
[17:03] <dominique> excellent
[17:04] <lotuspsychje> and share the bug ID here after, maybe more logs/info might be able to enlighten your issue
[17:05] <dominique> Will do.  Found nothing about UNSAFE_LEGACY_RENEGOTIATION_DISABLED.   Costs nothing to open one and see where it lands.
[17:05] <dominique> Thanks for the help.
[17:05] <lotuspsychje> welcome dominique 
[17:11] <tomreyn> i guess (have not checked) that openssl 3.0 disables / removes support for unsafe legacy renegotiation. earlier openssl releases still supported it, even though it was known to be unsafe.
[17:12] <tomreyn> and apparently the script you're using expects to be able to use unsafe legacy renegotiation, which would be why it would stop working with openssl 3.0
[17:12] <tomreyn> this is just a theory, though.
[17:14] <tomreyn> there are two forms of tls renegotiation - the old, 'legacy', one, which has been proven to be weak / insecure. and a newer one, which is, so far, assumed to be safe to use. another option is not to renegotiate and just restart the connection, but this can be costly.
[17:15] <tomreyn> dominique: ^
[17:18] <tomreyn> see "Changes between 1.1.1 and 3.0.0 [7 sep 2021]" -> "Client-initiated renegotiation is disabled by default." at https://www.openssl.org/news/changelog.html
[17:42] <dominique> There is a section about renegotiation here https://www.openssl.org/docs/man3.0/man3/SSL_get_secure_renegotiation_support.html
[17:43] <dominique> I used ssllabs.com and could see that our server has renegotiation disabled.
[17:45] <dominique> from the openssl docs, it mentions that for "Patched OpenSSL client and unpatched server", options can be set.   
[17:47] <dominique> But I have no clue where SSL_OP_LEGACY_SERVER_CONNECT is set.  At compilation ?  From the module in code that calls openssl ?  
[18:54] <lotuspsychje> tnx for bug #1963834 dominique 
[18:55] <lotuspsychje> dominique: can you also run; apport-collect 1963834 from a terminal?