Openconnect and old gnutls on Ubuntu 14.04

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Jul 24 19:22:33 UTC 2018


On Fri, Jul 20, 2018 at 6:54 PM, Dave Hansen <dave at sr71.net> wrote:
> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
> that blacklist TLS 1.0.  Where should this get fixed?
>
> ---
>
> I'm running a rather vintage Ubuntu 14.04 which ships a rather
> unmodified openconnect 5.02 package.  It uses the following as a
> priority string for the TLS session:
>
>         "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
>         "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
>
> This _appears_ to be forcing things down to TLS 1.0 and not using TLS
> 1.1/1.2 despite libgnutls26 supporting the later TLS protocols.  I
> confirmed the attempt to use TLS 1.0 in a packet capture.  gnutls-cli,
> using the same gnutls library was confirmed in a packet capture to be
> using TLS 1.2.
>
> Intel has stopped supporting TLS 1.0 on its VPN endpoints, leaving me
> unable to connect.  The failure message that comes back out of the
> console from openconnect is something along these lines:
>
>> SSL connection failure: A TLS packet with unexpected length was received.
>
> The packet capture shows a TCP RST packet coming back from the server to
> trigger these messages.
>
> So, yes, this is a vintage distribution, but it's _supposed_ to be
> supported, and it _can_ connect to these VPN servers if the
> "-VERS-TLS-ALL" is removed from the openconnect priority string.
>
> Further, this code still seems to be around in openconnect, at least
> when compiled against old versions of gnutls:
>
> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202
>
> Is this something Ubuntu can fix in their openconnect?  Or is it
> something we should also be fixing in the upstream openconnect?

This has been fixed in upstream openconnect since 2014, and we cannot
fix items in the past (unless David has skills which we don't know
about). That's up to your distribution to fix and a potential fix
could be to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0"
(i.e., allow everything except SSL3.0).

regards,
Nikos
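To make the two priority strings discussed above concrete, here is an added example (not openconnect or GnuTLS code) that interprets only the VERS-* keywords of a GnuTLS priority string and shows which protocol versions each string leaves enabled and what a server that refuses TLS 1.0 would negotiate. It assumes a 2014-era "NORMAL" profile enabling SSL3.0 and TLS 1.0 through 1.2 (no TLS 1.3 yet) and treats "VERS-TLS-ALL" as covering the three TLS versions; the %-flags and cipher keywords are ignored.

```python
# Added example (not openconnect or GnuTLS code): a toy interpreter for the
# VERS-* keywords of a GnuTLS priority string, enough to show why the
# Ubuntu 14.04 string pins the client to TLS 1.0 and why the suggested
# "-VERS-SSL3.0" replacement does not.  Assumptions: the "NORMAL" profile
# of a 2014-era GnuTLS enables SSL3.0 and TLS 1.0-1.2 (no TLS 1.3 yet),
# and "VERS-TLS-ALL" covers the three TLS versions.  %-flags and cipher
# keywords are accepted but ignored.

NORMAL_VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]  # assumed base set
RANK = {v: i for i, v in enumerate(NORMAL_VERSIONS)}         # lower < higher

# Constructed from the thread: the Ubuntu 14.04 openconnect string and the
# replacement suggested in the reply.
UBUNTU_1404_PRIORITY = ("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
                        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION")
SUGGESTED_PRIORITY = ("NORMAL:-VERS-SSL3.0:"
                      "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION")


def enabled_versions(priority):
    """Protocol versions left enabled after applying the string left to right."""
    enabled = []
    for token in filter(None, priority.split(":")):
        if token == "NORMAL":
            enabled = list(NORMAL_VERSIONS)
        elif token[0] in "+-!" and token[1:].startswith("VERS-"):
            name = token[6:]
            targets = ([v for v in NORMAL_VERSIONS if v.startswith("TLS")]
                       if name == "TLS-ALL" else [name])
            targets = [v for v in targets if v in RANK]  # unknown versions ignored
            if token[0] == "+":
                enabled += [v for v in targets if v not in enabled]
            else:
                enabled = [v for v in enabled if v not in targets]
        # anything else (%COMPAT, cipher/MAC keywords) is outside this model
    return sorted(enabled, key=RANK.get)


def negotiate(client_priority, server_versions):
    """Highest version both sides enable, or None when there is no overlap
    (the server in the thread simply resets the connection in that case)."""
    common = set(enabled_versions(client_priority)) & set(server_versions)
    return max(common, key=RANK.get) if common else None


if __name__ == "__main__":
    server = ["TLS1.1", "TLS1.2"]  # constructed: a server that rejects TLS 1.0
    for name, prio in [("Ubuntu 14.04", UBUNTU_1404_PRIORITY),
                       ("suggested", SUGGESTED_PRIORITY)]:
        print(f"{name:12s} enables {enabled_versions(prio)} "
              f"-> negotiates {negotiate(prio, server)}")
```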



More information about the Ubuntu-motu mailing list