On Mon, Mar 7, 2022 at 3:44 PM Daniel Lenski <dlen...@gmail.com> wrote:
>
> On Fri, Mar 4, 2022 at 6:25 AM Eveno, Manuel <mev...@timwi.com> wrote:
> > $ cat openconnect-8.20/tests/test-suite.log
> > ------------- Output : --------------------
> > FAIL: bad_dtls_test
>
> 1. If you just want to *use* OpenConnect with a Fortinet VPN, then
> this failing test result does not matter.
>
> This particular test exists only to verify that the "ekstra speshul"
> weird/broken/non-standard/pre-1.0 version of DTLS used by old **Cisco
> AnyConnect** VPNs is working correctly. Linux distributions and crypto
> libraries keep forgetting that this version of DTLS is sadly still
> needed, so they frequently break it. And we have to figure out who to
> ask to get the libraries fixed. 😔

Our continuous integration pipeline builds against Ubuntu 18.04 (https://gitlab.com/openconnect/openconnect/-/jobs/2115365633), which distributes OpenSSL 1.1.1 (https://packages.ubuntu.com/bionic-updates/libssl-dev)… but Ubuntu 20.04 distributes OpenSSL 1.1.1f (https://packages.ubuntu.com/focal-updates/libssl-dev).

@David, perhaps we need to add OpenSSL 1.1.1f to our list of OpenSSL versions whose DTLS implementations don't work with Cisco?

- https://www.infradead.org/openconnect/anyconnect.html
- https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c#L774-784

Dan