Re: Openconnect and old gnutls on Ubuntu 14.04

Tue, 24 Jul 2018 12:18:01 -0700 

On Tue, Jul 24, 2018 at 6:21 PM, Daniel Lenski <dlen...@gmail.com> wrote:
> On Fri, Jul 20, 2018 at 9:54 AM, Dave Hansen <d...@sr71.net> wrote:
>> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
>> that blacklist TLS 1.0.  Where should this get fixed?
>
> This seems to be a common feature of newer Cisco servers. I tried
> handshaking with a bunch of Cisco servers with "gnutls-cli --priority
> LEGACY:-VERS-TLS-ALL:+VERS-TLS1.0", and all the newer ones fail.
>
>> Further, this code still seems to be around in openconnect, at least
>> when compiled against old versions of gnutls:
>
> I looked at the history of this section of the code, and it's not
> apparent to me why these version-specific priority strings were added
> to openconnect. Perhaps Nikos or David can comment? Made they had to
> do with some unexpected corner case in a particular GnuTLS version?
> http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/084e1d82f2fb5ad639810da2a64890ba4ede1896

I think this was at a time which a popular firewall (F5) was
terminating TLS connections in an apparent random way. It was often
seen that it would terminate some gnutls connections but not openssl.
I'm only speculating here but my understanding was that David was
trying to make gnutls' handshake look as close as possible to the
openssl's from that time (when gnutls was added in openconnect,
openssl didn't have tls1.2 or it was way too new), to avoid these
failures. It was later found out that this firewall would terminate a
TLS connection if the first message (hello) was between 256 and 512
bytes. When gnutls added counter measures about that (with the %COMPAT
keyword), openconnect was also updated. That should have been with the
changelog entry:
       <li>Enable elliptic curves with GnuTLS 3.2.9+, where there is a
       workaround for certain firewalls that fail with client hellos between
       256 and 512 bytes.</li>

regards,
Nikos

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Reply via email to