Note that Ubuntu disables TLS versions < 1.2. It is possible to re-enable them via configuration changes as in: https://wiki.ubuntu.com/Security/Features#disable-legacy-tls
regards,
Nikos

________________________________________
From: openconnect-devel <[email protected]> on behalf of Dimitri Papadopoulos <[email protected]>
Sent: Tuesday, March 15, 2022 08:38
To: Daniel Lenski; David Woodhouse
Cc: Eveno, Manuel; openconnect-devel
Subject: Re: Trying to build openconnect 8.20 on ubuntu 20

Hi,

It definitely looks like an Ubuntu bug. I can reproduce this issue when building against the OpenSSL library that ships with Ubuntu 20.04:

    $ ./configure \
        --prefix=/my/path/openconnect \
        --with-vpnc-script=/my/src/vpnc-scripts/vpnc-script \
        --with-openssl
    $
    $ make check
    [...]
    make check-TESTS
    make[2] : on entre dans le répertoire « /my/path/openconnect/tests »
    make[3] : on entre dans le répertoire « /my/path/openconnect/tests »
    PASS: autocompletion
    PASS: lzstest
    PASS: seqtest
    PASS: buftest
    FAIL: bad_dtls_test
    ============================================================================
    Testsuite summary for openconnect 8.20
    ============================================================================
    # TOTAL: 5
    # PASS: 4
    # SKIP: 0
    # XFAIL: 0
    # FAIL: 1
    # XPASS: 0
    # ERROR: 0
    ============================================================================
    See tests/test-suite.log
    ============================================================================
    [...]
    $

This failure disappears after building against a vanilla OpenSSL 1.1.1f:

    $ ./configure \
        --prefix=/my/path/openconnect \
        --with-vpnc-script=/my/src/vpnc-scripts/vpnc-script \
        --with-openssl=/my/src/openssl-1.1.1f
    $
    $ make check
    [...]
    make check-TESTS
    make[2] : on entre dans le répertoire « /my/src/openconnect/tests »
    make[3] : on entre dans le répertoire « /my/src/openconnect/tests »
    PASS: autocompletion
    PASS: lzstest
    PASS: seqtest
    PASS: buftest
    PASS: bad_dtls_test
    ============================================================================
    Testsuite summary for openconnect 8.20
    ============================================================================
    # TOTAL: 5
    # PASS: 5
    # SKIP: 0
    # XFAIL: 0
    # FAIL: 0
    # XPASS: 0
    # ERROR: 0
    ============================================================================
    [...]
    $

Dimitri Papadopoulos

On 15/03/2022 at 01:50, Daniel Lenski wrote:
>> So it's really an issue of building against OpenSSL vs. GnuTLS. It's
>> definitely worth documenting the OpenSSL 1.1.1f issue here:
>> - https://www.infradead.org/openconnect/anyconnect.html
>> - https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c#L774-784
>
> Exactly.
>
> Without a bit more investigation, I'm hesitant to categorically state
> that 1.1.1f is buggy (rather than "1.1.1f as distributed by Ubuntu"),
> because the support for "Cisco/pre-1.0 DTLS" seems to get broken
> inadvertently so often, due to being the most unloved and obscure
> variant of TLS/DTLS around.
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
