Allow legacy renegociation

vlaci#126
enadeau · Jun 20, 2024 · 8ea202e · 8ea202e
1 parent 9412807
commit 8ea202e
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/openconnect_sso/authenticator.py b/openconnect_sso/authenticator.py
@@ -2,6 +2,9 @@
 import requests
 import structlog
 from lxml import etree, objectify
+import ssl
+from requests import adapters
+import urllib3
 
 from openconnect_sso.saml_authenticator import authenticate_in_browser
 
@@ -55,9 +58,13 @@ async def authenticate(self, display_mode):
     def _detect_authentication_target_url(self):
         # Follow possible redirects in a GET request
         # Authentication will occur using a POST request on the final URL
-        response = requests.get(self.host.vpn_url)
-        response.raise_for_status()
-        self.host.address = response.url
+        try:
+            response = self.session.get(self.host.vpn_url)
+            response.raise_for_status()
+            self.host.address = response.url
+        except Exception:
+            logger.warn("Failed to check for redirect")
+            self.host.address = self.host.vpn_url
         logger.debug("Auth target url", url=self.host.vpn_url)
 
     def _start_authentication(self):
@@ -90,8 +97,33 @@ class AuthResponseError(AuthenticationError):
     pass
 
 
+class AllowLegacyRenegotionAdapter(adapters.HTTPAdapter):
+    """“Transport adapter” that allows us to use legacy renogation.
+
+    Such renegotiation is disabled by default in OpenSSL 3.0. This
+    suppresses errors such as:
+
+      SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe
+      legacy renegotiation disabled (_ssl.c:992)')
+
+    """
+
+    def init_poolmanager(self, connections, maxsize, block=False):
+        ctx = urllib3.util.ssl_.create_urllib3_context()
+        ctx.load_default_certs()
+        ctx.options |= 0x4  # ssl.OP_LEGACY_SERVER_CONNECT
+
+        self.poolmanager = urllib3.PoolManager(
+            ssl_context=ctx,
+            num_pools=connections,
+            maxsize=maxsize,
+            block=block,
+        )
+
+
 def create_http_session(proxy, version):
     session = requests.Session()
+    session.mount("https://", AllowLegacyRenegotionAdapter())
     session.proxies = {"http": proxy, "https": proxy}
     session.headers.update(
         {