Package: openconnect
Version: 9.01-2
Severity: important
X-Debbugs-Cc: none, Michael Welsh Duggan <m...@md5i.com>

Dear Maintainer,

My place of work updated their Pulse VPN server.  After this upgrade, I
could no longer connect.  For example:

$ openconnect --protocol=pulse vpn.sei.cmu.edu/ipsec
Connected to 128.237.28.52:443
SSL negotiation with vpn.sei.cmu.edu
Connected to HTTPS on vpn.sei.cmu.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Enter user credentials:
Username:mwd
Password:
Enter secondary credentials:
Secondary password:
Unexpected Pulse config packet:
< 0000:  00 00 0a 4c 00 00 00 01  00 00 01 66 00 00 01 fc  |...L.......f....|
< 0010:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
< 0020:  2e 20 f0 00 00 00 00 00  00 00 01 56 2e 00 00 0d  |. .........V....|
< 0030:  03 00 00 00 40 25 00 01  01 2c 00 00 0d 03 00 00  |....@%...,......|
< 0040:  00 40 26 00 01 01 2e 00  00 18 01 00 00 00 07 00  |.@&.............|
< 0050:  00 10 00 00 ff ff 00 00  00 00 ff ff ff ff 00 00  |................|
< 0060:  01 08 03 00 00 00 40 00  00 01 01 40 01 00 01 01  |......@....@....|
< 0070:  40 1f 00 01 00 40 20 00  01 01 40 21 00 01 01 40  |@....@ ...@!...@|
< 0080:  05 00 04 00 00 05 78 00  03 00 04 0a 40 ff 64 40  |......x.....@.d@|
< 0090:  06 00 24 61 64 2e 73 65  69 2e 63 6d 75 2e 65 64  |..$ad.sei.cmu.ed|
< 00a0:  75 2c 73 65 69 2e 63 6d  75 2e 65 64 75 2c 63 65  |u,sei.cmu.edu,ce|
< 00b0:  72 74 2e 6f 72 67 00 40  07 00 04 00 00 00 01 00  |rt.org.@........|
< 00c0:  04 00 04 ff ff ff ff 40  19 00 01 01 40 1a 00 01  |.......@....@...|
< 00d0:  01 40 24 00 01 01 40 17  00 04 00 00 00 0f 40 0f  |.@$...@.......@.|
< 00e0:  00 02 00 00 40 10 00 02  00 05 40 11 00 02 00 03  |....@.....@.....|
< 00f0:  40 12 00 04 00 00 04 b0  40 13 00 04 00 00 00 00  |@.......@.......|
< 0100:  40 14 00 04 00 00 00 01  40 15 00 04 00 00 00 00  |@.......@.......|
< 0110:  40 16 00 02 11 94 40 17  00 04 00 00 00 0f 40 18  |@.....@.......@.|
< 0120:  00 04 00 00 00 3c 00 01  00 04 0a 40 c9 59 00 02  |.....<.....@.Y..|
< 0130:  00 04 ff ff ff ff 40 0b  00 04 0a 40 cb 00 40 0a  |......@....@..@.|
< 0140:  00 01 01 40 0c 00 01 00  40 0d 00 01 00 40 0e 00  |...@....@....@..|
< 0150:  01 00 40 1b 00 01 00 40  1c 00 01 00 00 13 00 01  |..@....@........|
< 0160:  00 00 14 00 01 00                                 |......|
Creating SSL connection failed
Unknown error; exiting.

Applying the following patch from the openconnect upstream repository
fixes this problem for me:

https://gitlab.com/openconnect/openconnect/-/commit/c9831b382c7839682b3f1ea0a7f950e6cb55d5e8


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-2-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openconnect depends on:
ii  libc6            2.36-8
ii  libgnutls30      3.7.8-5
ii  libopenconnect5  9.01-2
ii  libproxy1v5      0.4.18-1.2
ii  libxml2          2.9.14+dfsg-1.1+b3
ii  vpnc-scripts     0.1~git20220510-1

Versions of packages openconnect recommends:
ii  python3             3.11.1-3
ii  python3-asn1crypto  1.5.1-2
ii  python3-mechanize   1:0.4.8+pypi-5
ii  python3-netifaces   0.11.0-2+b1

Versions of packages openconnect suggests:
ii  bash-completion  1:2.11-6
ii  xdg-utils        1.1.3-4.1

-- no debconf information

-- 
Michael Welsh Duggan
(m...@md5i.com)
