Openconnect and old gnutls on Ubuntu 14.04

Dave Hansen dave at sr71.net
Fri Jul 20 16:54:35 UTC 2018


TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
that blacklist TLS 1.0.  Where should this get fixed?

---

I'm running a rather vintage Ubuntu 14.04 which ships a rather
unmodified openconnect 5.02 package.  It uses the following as a
priority string for the TLS session:

	"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
	"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"

This _appears_ to be forcing things down to TLS 1.0 and not using TLS
1.1/1.2 despite libgnutls26 supporting the later TLS protocols.  I
confirmed the attempt to use TLS 1.0 in a packet capture.  gnutls-cli,
using the same gnutls library, was confirmed in a packet capture to be
using TLS 1.2.

Intel has stopped supporting TLS 1.0 on its VPN endpoints, leaving me
unable to connect.  The failure message that comes back out of the
console from openconnect is something along these lines:

> SSL connection failure: A TLS packet with unexpected length was received.

The packet capture shows a TCP RST packet coming back from the server to
trigger these messages.

So, yes, this is a vintage distribution, but it's _supposed_ to be
supported, and it _can_ connect to these VPN servers if the
"-VERS-TLS-ALL" is removed from the openconnect priority string.

Further, this code still seems to be around in openconnect, at least
when compiled against old versions of gnutls:

https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202

Is this something Ubuntu can fix in their openconnect?  Or is it
something we should also be fixing in the upstream openconnect?
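To make the effect of that priority string concrete, here is an added example (not openconnect's or GnuTLS's own code) that models how GnuTLS walks the VERS-* keywords left to right and then checks the result against a constructed endpoint that refuses TLS 1.0. It assumes that NORMAL on libgnutls26 enabled TLS 1.0 through 1.2 (SSL 3.0 is left out of the model), and the server version set is constructed for illustration.

```python
# Added example, not openconnect or GnuTLS code: a simplified model of how
# GnuTLS evaluates the VERS-* keywords of a priority string left to right,
# used to show why "-VERS-TLS-ALL:+VERS-TLS1.0" leaves only TLS 1.0 on offer.
# Assumption: on libgnutls26 the NORMAL keyword enabled TLS 1.0 through 1.2
# (SSL 3.0 is omitted from the model for clarity).

ORDER = ["TLS1.0", "TLS1.1", "TLS1.2"]          # lowest to highest
NORMAL_VERSIONS = set(ORDER)
VERSION_GROUPS = {
    "VERS-TLS-ALL": set(ORDER),
    "VERS-TLS1.0": {"TLS1.0"},
    "VERS-TLS1.1": {"TLS1.1"},
    "VERS-TLS1.2": {"TLS1.2"},
}

# The string from the Ubuntu 14.04 openconnect package, as quoted in the post.
OPENCONNECT_PRIORITY = ("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
                        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION")
# The same string with "-VERS-TLS-ALL" removed, which the post says connects.
FIXED_PRIORITY = OPENCONNECT_PRIORITY.replace("-VERS-TLS-ALL:", "")


def enabled_versions(priority):
    """Return the set of TLS versions the priority string leaves enabled."""
    enabled = set()
    for token in priority.split(":"):
        if not token or token.startswith("%"):
            continue                        # %COMPAT etc. are behaviour flags, not versions
        if token == "NORMAL":
            enabled = set(NORMAL_VERSIONS)  # base keyword sets the starting set
            continue
        sign, name = token[0], token[1:]
        if name not in VERSION_GROUPS:
            continue                        # cipher/MAC/KX keywords are not modelled
        if sign == "+":
            enabled |= VERSION_GROUPS[name]
        elif sign in "-!":
            enabled -= VERSION_GROUPS[name]
    return enabled


def negotiated_version(client_priority, server_versions):
    """Highest version both sides allow, or None when there is no overlap
    (the post's capture shows the server answering that case with a TCP RST)."""
    common = enabled_versions(client_priority) & set(server_versions)
    return max(common, key=ORDER.index) if common else None


INTEL_LIKE_SERVER = {"TLS1.1", "TLS1.2"}   # constructed: endpoint that dropped TLS 1.0

if __name__ == "__main__":
    for label, prio in (("shipped", OPENCONNECT_PRIORITY), ("fixed", FIXED_PRIORITY)):
        print(label, sorted(enabled_versions(prio), key=ORDER.index),
              "->", negotiated_version(prio, INTEL_LIKE_SERVER))
```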



More information about the Ubuntu-motu mailing list