On Mon, Mar 14, 2022 at 3:41 AM Dimitri Papadopoulos Orfanos <dimitri.papadopou...@cea.fr> wrote:
> I guess libgnutls28-dev was initially missing. By installing it, your
> build switched to GnuTLS, which appears to support the broken Cisco DTLS
> version, unlike OpenSSL version 1.1.1f (the version shipping with Ubuntu
> 20.04).
>
> So it's really an issue of building against OpenSSL vs. GnuTLS. It's
> definitely worth documenting the OpenSSL 1.1.1f issue here:
> - https://www.infradead.org/openconnect/anyconnect.html
> - https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c#L774-784

Exactly. Without a bit more investigation, I'm hesitant to categorically state that 1.1.1f is buggy (rather than "1.1.1f as distributed by Ubuntu"), because the support for "Cisco/pre-1.0 DTLS" seems to get broken inadvertently so often, due to being the most unloved and obscure variant of TLS/DTLS around.

By the way, our error message links to http://rt.openssl.org/Ticket/Display.html?id=2984, which appears to be a bug tracker that no longer exists and isn't cached by Wayback Machine 🤦🏻♂️.

@dwmw2, are there any more details on that ticket that you still have? Perhaps details on *when/where/how* the OpenSSL support for "Cisco/pre-1.0 DTLS" was broken?

> By the way, the above documentation still refers to patching and
> rebuilding OpenSSL 0.9.8, 1.0.0, 1.0.1. Perhaps we should consider
> retiring that part of the documentation, as versions 0.9.8, 1.0.0, 1.0.1
> have reached EOL. Only 1.0.2 benefits from extended support. While the
> source code should probably support prior versions, the documentation
> should instead recommend patching/building supported versions of OpenSSL
> (> 1.1.1 with regular support and 1.0.2 with extended support):
> https://www.openssl.org/policies/releasestrat.html

Agreed.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
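The thread above turns on which TLS library a given openconnect binary was built against, since the same DTLS failure appears with one backend and not the other. The following POSIX shell snippet is an added example, not code from the openconnect project or from either author in the thread: it parses the "Using <library> <version>" line that `openconnect --version` prints and reports the backend, so an administrator debugging a DTLS failure can tell an OpenSSL build from a GnuTLS build before reading further. The exact format of that line is assumed from the tool's usual output; the two sample outputs embedded below are constructed for the demonstration and are not captured from a real system.

```shell
#!/bin/sh
# Added example: identify the TLS backend of an openconnect binary.
# Assumption: `openconnect --version` prints a line of the form
#   Using OpenSSL 1.1.1f  31 Mar 2020. Features present: ...
#   Using GnuTLS 3.6.13. Features present: ...
# The samples below are constructed to match that shape.

# tls_backend: read `openconnect --version` output on stdin and print
# "<library> <version>" (e.g. "OpenSSL 1.1.1f" or "GnuTLS 3.6.13").
# Prints nothing and returns non-zero if no backend line is found.
tls_backend() {
    awk '
        /^Using (OpenSSL|GnuTLS) / {
            sub(/\.$/, "", $3)      # strip the sentence-ending period after the version
            print $2, $3
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# backend_name: same input, but print only the library name.
backend_name() {
    tls_backend | awk '{ print $1 }'
}

# Constructed sample outputs (not real captures) for offline demonstration.
SAMPLE_OPENSSL='OpenConnect version v8.10
Using OpenSSL 1.1.1f  31 Mar 2020. Features present: PKCS#11, DTLS, ESP'
SAMPLE_GNUTLS='OpenConnect version v8.10
Using GnuTLS 3.6.13. Features present: PKCS#11, RSA software token, DTLS, ESP'

demo() {
    printf 'constructed OpenSSL build : %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL" | tls_backend)"
    printf 'constructed GnuTLS build  : %s\n' "$(printf '%s\n' "$SAMPLE_GNUTLS" | tls_backend)"
    # Only query a real binary if one is installed; otherwise stay offline.
    if command -v openconnect >/dev/null 2>&1; then
        printf 'installed openconnect     : %s\n' "$(openconnect --version 2>&1 | tls_backend)"
    fi
}

demo
```

Running the script prints the backend for both constructed samples and, when an openconnect binary is on PATH, for the installed one as well; `openconnect --version 2>&1 | backend_name` is enough when a script only needs to branch on "OpenSSL" versus "GnuTLS".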