Control: retitle -1 trixie-pu: package openconnect/9.12-3+deb13u2
Control: tags -1 - moreinfo

Here is an updated debdiff which also includes the fix for #1099497:
after an update of Cisco ASA gateways, in some configurations a
connection to the VPN server can no longer be established. The upstream
report is at
https://gitlab.com/openconnect/openconnect/-/issues/659

Manual tests with affected configurations have been performed and
feedback gathered from users.

There is input from tech-ctte members in #1124117.

Can it be considered for the next point release?

Regards,
Salvatore

diff -Nru openconnect-9.12/debian/changelog openconnect-9.12/debian/changelog
--- openconnect-9.12/debian/changelog   2024-08-04 14:24:52.000000000 +0200
+++ openconnect-9.12/debian/changelog   2026-01-02 10:12:05.000000000 +0100
@@ -1,3 +1,24 @@
+openconnect (9.12-3+deb13u2) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * use the unsigned printf qualifier for size_t : fixes MinGW{32,64} build
+  * Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with TLSv1.3
+    (Closes: #1099497)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 02 Jan 2026 10:12:05 +0100
+
+openconnect (9.12-3+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  [ Luca Boccassi ]
+  * d/copyright: update Upstream-Contact to mailing list
+
+  [ Lee Garrett ]
+  * Patch: Respect path in AnyConnect/OpenConnect XML form handling (Closes: 
#1119239)
+  * Update debian/gbp.conf to match debian/trixie branch
+
+ -- Lee Garrett <[email protected]>  Tue, 28 Oct 2025 21:47:04 +0100
+
 openconnect (9.12-3) unstable; urgency=medium
 
   * Disable autopkgtest and remove test build dependencies (Closes:
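Review bot: the deb13u2 entry presents the printf-qualifier patch as a standalone MinGW build fix, but in this upload it is a prerequisite: the removed context of the tls-exporter patch's openssl.c hunk already reads `%zu`, which is exactly what use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch introduces. Saying so in the changelog ("needed for the following patch to apply cleanly") explains why a Windows-only build fix lands in a stable update whose stated purpose is Cisco ASA connectivity, and stops a later maintainer from dropping it as irrelevant.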
diff -Nru openconnect-9.12/debian/copyright openconnect-9.12/debian/copyright
--- openconnect-9.12/debian/copyright   2024-03-28 12:59:35.000000000 +0100
+++ openconnect-9.12/debian/copyright   2025-11-17 12:49:36.000000000 +0100
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: OpenConnect
-Upstream-Contact: David Woodhouse <[email protected]>
+Upstream-Contact: [email protected]
 Source: ftp://ftp.infradead.org/pub/openconnect/
 
 Files: *
diff -Nru openconnect-9.12/debian/gbp.conf openconnect-9.12/debian/gbp.conf
--- openconnect-9.12/debian/gbp.conf    2024-03-28 12:59:35.000000000 +0100
+++ openconnect-9.12/debian/gbp.conf    2026-01-02 10:10:21.000000000 +0100
@@ -1,4 +1,5 @@
 [DEFAULT]
+debian-branch = debian/trixie
 pristine-tar = True
 sign-tags = True
 
diff -Nru 
openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
 
openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
--- 
openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
openconnect-9.12/debian/patches/Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
  2026-01-02 10:11:49.000000000 +0100
@@ -0,0 +1,110 @@
+From: David Woodhouse <[email protected]>
+Date: Fri, 15 Nov 2024 15:46:05 +0000
+Subject: Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with
+ TLSv1.3
+Origin: 
https://gitlab.com/openconnect/openconnect/-/commit/94e0b16c011b7b88708b8a8505fac6bfbe2e3cca
+Bug-Debian: https://bugs.debian.org/1099497
+Bug: https://gitlab.com/openconnect/openconnect/-/issues/659
+
+Fixes #659
+
+Signed-off-by: David Woodhouse <[email protected]>
+---
+ gnutls.c               | 20 +++++++++++++++++++-
+ openconnect-internal.h |  5 +++++
+ openssl.c              | 30 +++++++++++++++++++++++-------
+ www/changelog.xml      |  1 +
+ 4 files changed, 48 insertions(+), 8 deletions(-)
+
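Review bot: the diffstat in this patch header still lists `www/changelog.xml | 1 +` and "4 files changed, 48 insertions(+)", but the patch body below carries only the gnutls.c, openconnect-internal.h and openssl.c hunks. The changelog.xml hunk was evidently dropped for the backport (sensible, it is not built into the binary) but the diffstat was not regenerated; either refresh it or note "[backport: www/changelog.xml hunk dropped]" so the header matches what is actually applied.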
+diff --git a/gnutls.c b/gnutls.c
+index 9fc010b984b7..6c2e3aec29c1 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -3176,7 +3176,25 @@ void append_strap_verify(struct openconnect_info 
*vpninfo,
+ 
+       /* Concatenate our Finished message with our pubkey to be signed */
+       struct oc_text_buf *nonce = buf_alloc();
+-      buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len);
++      if (gnutls_protocol_get_version(vpninfo->https_sess) <= GNUTLS_TLS1_2) {
++              /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel 
binding */
++              buf_append_bytes(nonce, vpninfo->finished, 
vpninfo->finished_len);
++      } else {
++              /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */
++              char channel_binding_buf[TLS_EXPORTER_KEY_SIZE];
++              err = gnutls_prf(vpninfo->https_sess, TLS_EXPORTER_LABEL_SIZE, 
TLS_EXPORTER_LABEL,
++                               0, 0, 0, TLS_EXPORTER_KEY_SIZE, 
channel_binding_buf);
++              if (err) {
++                      vpn_progress(vpninfo, PRG_ERR,
++                                   _("Failed to generate channel bindings for 
STRAP key: %s\n"),
++                                   gnutls_strerror(err));
++                      if (!buf_error(buf))
++                              buf->error = -EIO;
++                      buf_free(nonce);
++                      return;
++              }
++              buf_append_bytes(nonce, channel_binding_buf, 
TLS_EXPORTER_KEY_SIZE);
++      }
+ 
+       if (rekey) {
+               /* We have a copy and we don't want it freed just yet */
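Review bot: `err` is assigned from gnutls_prf() here but is not declared anywhere in this hunk; confirm append_strap_verify() on the GnuTLS side already has an `int err` in scope in 9.12, otherwise this is a compile failure that only shows up in the GnuTLS build. Separately, gnutls_prf() is the legacy PRF entry point whose `server_random_first` argument has no meaning for the TLS 1.3 exporter; gnutls_prf_rfc5705() is the exporter-specific API and makes the RFC 9266 intent explicit: `err = gnutls_prf_rfc5705(vpninfo->https_sess, TLS_EXPORTER_LABEL_SIZE, TLS_EXPORTER_LABEL, 0, NULL, TLS_EXPORTER_KEY_SIZE, channel_binding_buf);`. The failure path (set `buf->error`, `buf_free(nonce)`, return) is right and is what the OpenSSL side should mirror.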
+diff --git a/openconnect-internal.h b/openconnect-internal.h
+index 5abfe98d79c5..600b43b31ec8 100644
+--- a/openconnect-internal.h
++++ b/openconnect-internal.h
+@@ -1060,6 +1060,11 @@ static inline void __monitor_fd_new(struct 
openconnect_info *vpninfo,
+ #define PSK_LABEL_SIZE (sizeof(PSK_LABEL) - 1)
+ #define PSK_KEY_SIZE 32
+ 
++/* Key material for RFC9266 tls-exporter channel binding */
++#define TLS_EXPORTER_LABEL "EXPORTER-Channel-Binding"
++#define TLS_EXPORTER_LABEL_SIZE (sizeof(TLS_EXPORTER_LABEL) - 1)
++#define TLS_EXPORTER_KEY_SIZE 32
++
+ /* Packet types */
+ 
+ #define AC_PKT_DATA           0       /* Uncompressed data */
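Review bot: the comment should say that both the label "EXPORTER-Channel-Binding" and the 32-byte output length are fixed by RFC 9266, not chosen locally, so nobody later adjusts TLS_EXPORTER_KEY_SIZE to match the Finished-message size used on the TLS 1.2 path. The gateway derives the same exporter value independently; any deviation in label, context or length produces a STRAP signature the ASA will reject, which is precisely the failure mode #1099497 reports.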
+diff --git a/openssl.c b/openssl.c
+index 3f204d0f19af..b354cf7466e6 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -2518,14 +2518,30 @@ void append_strap_verify(struct openconnect_info 
*vpninfo,
+                        struct oc_text_buf *buf, int rekey)
+ {
+       unsigned char finished[64];
+-      size_t flen = SSL_get_finished(vpninfo->https_ssl, finished, 
sizeof(finished));
++      size_t flen;
+ 
+-      if (flen > sizeof(finished)) {
+-              vpn_progress(vpninfo, PRG_ERR,
+-                           _("SSL Finished message too large (%zu bytes)\n"), 
flen);
+-              if (!buf_error(buf))
+-                      buf->error = -EIO;
+-              return;
++      if 
(SSL_SESSION_get_protocol_version(SSL_get_session(vpninfo->https_ssl)) <= 
TLS1_2_VERSION) {
++              /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel 
binding */
++              flen = SSL_get_finished(vpninfo->https_ssl, finished, 
sizeof(finished));
++              if (flen > sizeof(finished)) {
++                      vpn_progress(vpninfo, PRG_ERR,
++                                   _("SSL Finished message too large (%zu 
bytes)\n"), flen);
++                      if (!buf_error(buf))
++                              buf->error = -EIO;
++                      return;
++              }
++      } else {
++              /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */
++              if (!SSL_export_keying_material(vpninfo->https_ssl,
++                                              finished, TLS_EXPORTER_KEY_SIZE,
++                                              TLS_EXPORTER_LABEL, 
TLS_EXPORTER_LABEL_SIZE,
++                                              NULL, 0, 0)) {
++                      vpn_progress(vpninfo, PRG_ERR,
++                                   _("Failed to generate channel bindings for 
STRAP key\n"));
++                      openconnect_report_ssl_errors(vpninfo);
++                      return;
++              }
++              flen = TLS_EXPORTER_KEY_SIZE;
+       }
+ 
+       /* If we're rekeying, we need to sign the Verify header with the *old* 
key. */
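Review bot: the SSL_export_keying_material() failure branch does not set `buf->error`, unlike the Finished-too-large branch a few lines above it and the GnuTLS counterpart in gnutls.c, so a failed export returns silently and the caller has no way to tell the Verify header was never signed. Add `if (!buf_error(buf)) buf->error = -EIO;` before that `return;`, after openconnect_report_ssl_errors(). Minor: `SSL_version(vpninfo->https_ssl) <= TLS1_2_VERSION` gives the negotiated version directly and avoids the SSL_get_session() indirection. Reusing `finished[64]` as the 32-byte exporter buffer is fine since TLS_EXPORTER_KEY_SIZE is smaller, but a short comment saying the array now serves both roles would help the next reader.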
+-- 
+2.51.0
+
diff -Nru openconnect-9.12/debian/patches/dont-default-form-action.patch 
openconnect-9.12/debian/patches/dont-default-form-action.patch
--- openconnect-9.12/debian/patches/dont-default-form-action.patch      
1970-01-01 01:00:00.000000000 +0100
+++ openconnect-9.12/debian/patches/dont-default-form-action.patch      
2025-11-17 12:49:36.000000000 +0100
@@ -0,0 +1,46 @@
+Description: Fix URI patch on subsequent requests
+ Use the full URI (including "usergroup" or path) as specified in --server for
+ all requests during authentication instead of only the first one
+Author: Stefan Bühler <[email protected]>
+Origin: upstream, 
https://gitlab.com/openconnect/openconnect/-/merge_requests/560
+Bug: https://gitlab.com/openconnect/openconnect/-/issues/737
+Reviewed-by: Lee Garrett <[email protected]>
+Last-Update: 2025-10-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/auth.c b/auth.c
+index 317fc21..e245b48 100644
+--- a/auth.c
++++ b/auth.c
+@@ -455,13 +455,15 @@ static int parse_auth_node(struct openconnect_info 
*vpninfo, xmlNode *xml_node,
+ 
+                       /* defaults for new XML POST */
+                       form->method = strdup("POST");
+-                      form->action = strdup("/");
+ 
+                       xmlnode_get_prop(xml_node, "method", &form->method);
+                       xmlnode_get_prop(xml_node, "action", &form->action);
+ 
+-                      if (!form->method || !form->action ||
+-                          strcasecmp(form->method, "POST") || 
!form->action[0]) {
++                      /* - expect unset action (reuse current URL) or 
non-empty action="..."
++                       * - expect unset method (defaults to "POST") or 
explicit method="POST"
++                       */
++                      if ((form->action && !form->action[0]) ||
++                          !form->method || strcasecmp(form->method, "POST")) {
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("Cannot handle form method='%s', 
action='%s'\n"),
+                                            form->method, form->action);
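Review bot: with the `strdup("/")` default removed, `form->action` is now legitimately NULL whenever the `<form>` element carries no action attribute, yet the error branch still passes it to `%s` in "Cannot handle form method='%s', action='%s'"; when the method check fails on such a form this prints a NULL pointer, which is undefined behaviour in C (glibc happens to print "(null)"). Use `form->action ? form->action : "(unset)"` for that argument. The change also depends on every consumer of `form->action` outside this function treating NULL as "reuse the current URL"; none of that code is in the diff, so it should be verified against 9.12 (and ideally named in the DEP-3 description) before this goes into a stable update.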
+diff --git a/www/changelog.xml b/www/changelog.xml
+index 49a50b3..1ba207f 100644
+--- a/www/changelog.xml
++++ b/www/changelog.xml
+@@ -15,7 +15,7 @@
+ <ul>
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+-       <li><i>No changelog entries yet</i></li>
++       <li>Use the full URI (including "usergroup" or path) as specified in 
<tt>--server</tt> for all requests during authentication instead of only the 
first one (<a 
href="https://gitlab.com/openconnect/openconnect/-/merge_requests/560";>!560</a>).</li>
+      </ul><br/>
+   </li>
+   <li><b><a 
href="https://www.infradead.org/openconnect/download/openconnect-9.12.tar.gz";>OpenConnect
 v9.12</a></b>
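Review bot: both the added `<li>` and the unchanged v9.12 context line show `href="...";>`, a stray `;` after the closing quote. Because the untouched context line has it too, this is almost certainly how the mail archive rendered the patch rather than what is in the file, but it is worth a glance at debian/patches/dont-default-form-action.patch itself, since a literal `;` there would end up as visible text in the rendered changelog. Since www/changelog.xml is not built into the package, this hunk could also simply be dropped from the backport, as was done for the tls-exporter patch, to remove one place where the patch could stop applying.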
diff -Nru openconnect-9.12/debian/patches/series 
openconnect-9.12/debian/patches/series
--- openconnect-9.12/debian/patches/series      1970-01-01 01:00:00.000000000 
+0100
+++ openconnect-9.12/debian/patches/series      2026-01-02 10:11:49.000000000 
+0100
@@ -0,0 +1,3 @@
+dont-default-form-action.patch
+use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
+Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch
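Review bot: the order here is load-bearing and must not be tidied alphabetically: the openssl.c hunk of Use-RFC9266-tls-exporter-channel-bindings-for-Cisco-.patch removes a line that already reads `%zu`, and `%zu` is introduced by use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch, so swapping the last two entries makes the third patch fail to apply. A `#` comment line in series (quilt and dpkg-source ignore them) or a sentence in the changelog entry would save the next uploader a rejected hunk.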
diff -Nru 
openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
 
openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
--- 
openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
openconnect-9.12/debian/patches/use-the-unsigned-printf-qualifier-for-size_t-fixes-M.patch
  2026-01-02 10:10:42.000000000 +0100
@@ -0,0 +1,27 @@
+From: Timothee 'TTimo' Besset <[email protected]>
+Date: Sun, 26 Nov 2023 10:13:05 -0600
+Subject: use the unsigned printf qualifier for size_t : fixes MinGW{32,64}
+ build
+Origin: 
https://gitlab.com/openconnect/openconnect/-/commit/958a59aed57df84a8ff0c86e1d0c6a4542edf5b2
+
+Signed-off-by: Timothee Besset <[email protected]>
+---
+ openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openssl.c b/openssl.c
+index f8e0b1e9dd7b..dd4d761d971a 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -2522,7 +2522,7 @@ void append_strap_verify(struct openconnect_info 
*vpninfo,
+ 
+       if (flen > sizeof(finished)) {
+               vpn_progress(vpninfo, PRG_ERR,
+-                           _("SSL Finished message too large (%zd bytes)\n"), 
flen);
++                           _("SSL Finished message too large (%zu bytes)\n"), 
flen);
+               if (!buf_error(buf))
+                       buf->error = -EIO;
+               return;
+-- 
+2.51.0
+