Unable to validate signature on query string(SimpleSAML) #9567

Open
Vitek14 opened this issue Oct 28, 2024 · 2 comments
Vitek14 commented Oct 28, 2024

Describe the bug

Aiohttp, as I understand it, cannot set the SSL certificate correctly. When trying to establish a connection with the login site of my university, aiohttp cannot get the correct answer and it most likely has something to do with SSL.

To Reproduce

  1. Create a session object.
  2. Use the get method for the site "https://edu.grsu.by/login/index.php" without specifying additional parameters.
  3. Use the print() function to output the response text (await response.text()).

Expected behavior

Getting an HTML page without errors (in particular, without the error "Unable to validate signature on query string").

Logs/tracebacks

For security reasons, I cannot fully present the logs in plain text; however, here is a part of the site logs (after await response.text() and printing it):

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to validate signature on query string.
Backtrace:
6 vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:242 (SAML2\HTTPRedirect::validateSignature)
5 [builtin] (call_user_func)
4 vendor/simplesamlphp/saml2/src/SAML2/Message.php:263 (SAML2\Message::validate)
3 modules/saml/lib/Message.php:230 (SimpleSAML\Module\saml\Message::checkSign)
2 modules/saml/lib/Message.php:290 (SimpleSAML\Module\saml\Message::validateMessage)
1 modules/saml/lib/IdP/SAML2.php:383 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
0 www/saml2/idp/SSOService.php:26 (N/A)

The rest of the logs do not contain anything useful (as it seems to me), but if necessary, I am ready to provide aiohttp developers personally with information about the logs.

Python Version

$ python --version
Python 3.10.6

aiohttp Version

$ python -m pip show aiohttp
Name: aiohttp
Version: 3.10.10
Summary: Async http client/server framework (asyncio)
Home-page: https://github.com/aio-libs/aiohttp
Author:
Author-email:
License: Apache 2
Location: ...\venv\lib\site-packages
Requires: aiohappyeyeballs, aiosignal, async-timeout, attrs, frozenlist, multidict, yarl
Required-by: aiogram

multidict Version

$ python -m pip show multidict
Name: multidict
Version: 6.0.5
Summary: multidict implementation
Home-page: https://github.com/aio-libs/multidict
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache 2
Location: ...\venv\lib\site-packages
Requires:
Required-by: aiohttp, yarl

propcache Version

$ python -m pip show propcache
Name: propcache
Version: 0.2.0
Summary: Accelerated property cache
Home-page: https://github.com/aio-libs/propcache
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache-2.0
Location: ...\venv\lib\site-packages
Requires:
Required-by: yarl

yarl Version

$ python -m pip show yarl
Name: yarl
Version: 1.16.0
Summary: Yet another URL library
Home-page: https://github.com/aio-libs/yarl
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache-2.0
Location: ...\venv\lib\site-packages
Requires: idna, multidict, propcache
Required-by: aiohttp

OS

Windows 10

Related component

Client

Additional context

This request to the site contains 2 redirects. I tried using allow_redirects=False and passing all parameters to requests (cookies and headers) on my own. I also tried using verify_ssl=False and experimenting with the SSL context (ssl=...).
If you make the same request in other modules like requests, httpx or grequests, then there is no error and everything works correctly.

I apologize in advance if this does not belong to the BUG category; however, this error appears with the same actions only in aiohttp.
Also, I'm sorry if the text is written with errors, because I used a translator in some places.

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct
Vitek14 added the bug label Oct 28, 2024

Dreamsorcerer (Member) commented Oct 28, 2024

You'll probably need to experiment more with the SSLContext, we've seen firewalls that rejected requests when the allowed TLS version was 1.2-1.3, for example. Changing it to any other version range (e.g. 1.3-1.3) allowed the connection...

Vitek14 (Author) commented Oct 29, 2024

> Changing it to any other version range (e.g. 1.3-1.3) allowed the connection...

Only version 1.2 works, but with the same error. There is an error with the TLSv1_3 version:
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host idp.grsu.by:443 ssl:default [[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:997)]
TLSv1-TLSv1_1:
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host edu.grsu.by:443 ssl:default [[SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)]
SSLv3:
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host edu.grsu.by:443 ssl:default [[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:997)]

I also tried different variations, but the same error.
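
The backtrace in this issue ends in SAML2\HTTPRedirect::validateSignature and arrives in the response body of a completed TLS 1.2 connection, so the failing check is the SAML HTTP-Redirect signature, which covers the exact percent-encoded octets of `SAMLRequest=...&RelayState=...&SigAlg=...`. The following is an added example, not code from this thread or from aiohttp: a standard-library model in which HMAC stands in for the RSA signature, `requote` is a hypothetical URL normaliser, and all sample values are constructed, showing a query string that decodes to identical parameters yet no longer validates.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, unquote

# Constructed values. HMAC-SHA256 stands in for the SP's RSA signature so the
# example needs only the standard library; the signed-bytes rule is the same.
KEY = b"constructed-demo-key"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Stand-in for a DEFLATE-compressed AuthnRequest; its base64 starts with "+/+/".
SAMPLE_REQUEST = b"\xfb\xff\xbf<AuthnRequest/>"


def sign_redirect_query(saml_request: bytes, relay_state: str) -> str:
    """SP side: build the query string that goes into the Location header."""
    signed = "&".join([
        "SAMLRequest=" + quote(base64.b64encode(saml_request).decode(), safe=""),
        "RelayState=" + quote(relay_state, safe=""),
        "SigAlg=" + quote(SIG_ALG, safe=""),
    ])
    sig = hmac.new(KEY, signed.encode(), hashlib.sha256).digest()
    return signed + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")


def idp_validates(raw_query: str) -> bool:
    """IdP side: verify over the octets exactly as received, without decoding."""
    signed, _, sig_enc = raw_query.partition("&Signature=")
    expected = hmac.new(KEY, signed.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(unquote(sig_enc)))


def requote(raw_query: str) -> str:
    """Hypothetical client-side normaliser: decodes escapes of characters that
    are legal unescaped in a query ('/', ':', '?', '@')."""
    return re.sub(r"%(2F|3A|3F|40)", lambda m: chr(int(m.group(1), 16)),
                  raw_query, flags=re.IGNORECASE)


def same_parameters(a: str, b: str) -> bool:
    """True when both query strings decode to identical parameters."""
    return parse_qs(a) == parse_qs(b)


if __name__ == "__main__":
    sent = sign_redirect_query(SAMPLE_REQUEST, "https://sp.example/login")
    followed = requote(sent)
    print("same parameters:", same_parameters(sent, followed))
    print("verbatim query validates:", idp_validates(sent))
    print("requoted query validates:", idp_validates(followed))
```

If a client rewrites the `Location` URL while following the redirect, the IdP sees different octets than the ones that were signed; in aiohttp the documented switch to test for this is `ClientSession(requote_redirect_url=False)`.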
