[Bug 1968467] Re: CSD scripts do not work on jammy
Thanks, this w/a also worked for me.

$ cat openssl.conf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
~$ export OPENSSL_CONF=openssl.conf

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968467

Title:
  CSD scripts do not work on jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1968467/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968467] Re: CSD scripts do not work on jammy
Thanks for testing that. We may need to apply something like this to OpenConnect, to get it to try harder to disable the OpenSSL minimum security level. Ugh.

https://gitlab.com/openconnect/openconnect/-/commit/4e07eecaf04a48c3253a5dfd69d817673194e154#note_921595179
Re: [Bug 1968467] Re: CSD scripts do not work on jammy
That does work; note that the leading and trailing _ are garbage, the file should be:

root@c5c1367d7a8e:/# cat /tmp/openssl.conf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
root@c5c1367d7a8e:/# OPENSSL_CONF=/tmp/openssl.conf curl -k -v https://xxx/CACHE/sdesktop/hostscan/linux_x64/manifest
[..]
< HTTP/1.1 200 OK
< Content-Type:
< Content-Length: 813
< Cache-Control: max-age=6000

Thanks,
Jason

On Fri, Apr 22, 2022 at 12:10 AM Dan Lenski <1968...@bugs.launchpad.net> wrote:
> @jgunthorpe, what if you do something like this, where you create an
> OPENSSL_CONF that explicitly (re)enables unsafe legacy negotiation?
> Instead of using /dev/null.
>
> ```
> $ cat > /tmp/openssl.conf <<EOF
> _openssl_conf = openssl_init
> [openssl_init]
> ssl_conf = ssl_sect
> [ssl_sect]
> system_default = system_default_sect
> [system_default_sect]
> Options = UnsafeLegacyRenegotiation_
> EOF
>
> $ OPENSSL_CONF=/tmp/openssl.conf curl
> ```
>
> That comes from https://github.com/dlenski/gp-saml-gui/issues/42
>
> ** Bug watch added: github.com/dlenski/gp-saml-gui/issues #42
>    https://github.com/dlenski/gp-saml-gui/issues/42
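As an added example (not code from the bug thread or from the OpenConnect project), the OPENSSL_CONF workaround above packaged as a small POSIX shell script. It writes the override config to a file and applies it to a single curl invocation, rather than exporting OPENSSL_CONF for the whole shell, so only the CSD/hostscan fetch runs with the weakened renegotiation check. The function names, the config path and the gateway host name are placeholders chosen for the example; the config syntax is the OpenSSL 3 form shown in the thread.

```shell
#!/bin/sh
# Added example: re-enable unsafe legacy renegotiation for ONE curl run
# via a private OpenSSL config, leaving the distro default (which rejects
# it) in place for every other OpenSSL consumer started from this shell.
# Assumes OpenSSL 3.x config syntax (Ubuntu 22.04) and a curl built
# against that OpenSSL.

# Write the override config to the path in $1 and print that path.
write_legacy_renegotiation_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
    printf '%s\n' "$conf"
}

# Run curl with OPENSSL_CONF set for this process only. The variable is
# not exported to the calling shell, so nothing else inherits the override.
legacy_curl() {
    conf="$1"; shift
    OPENSSL_CONF="$conf" curl "$@"
}

# Usage, mirroring the hostscan manifest fetch from the thread. Guarded by
# an env var so sourcing the file does not touch the network. The host
# name is a placeholder; substitute the real VPN gateway.
if [ "${LEGACY_CURL_DEMO:-0}" = "1" ]; then
    conf=$(write_legacy_renegotiation_conf "${TMPDIR:-/tmp}/openssl-legacy.conf")
    legacy_curl "$conf" -k -sS -o /dev/null -w '%{http_code}\n' \
        "https://vpn.example.invalid/CACHE/sdesktop/hostscan/linux_x64/manifest"
    rm -f "$conf"
fi
```

Scoping the variable to one command matters because Options = UnsafeLegacyRenegotiation tells OpenSSL to accept renegotiation with servers that do not implement RFC 5746 secure renegotiation, which is the check OpenSSL 3 now enforces by default. An empty config (OPENSSL_CONF=/dev/null) only discards the distro's settings; it does not turn the option back on, which is consistent with the failure Jason reported earlier in the thread.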
[Bug 1968467] Re: CSD scripts do not work on jammy
@jgunthorpe, what if you do something like this, where you create an OPENSSL_CONF that explicitly (re)enables unsafe legacy negotiation? Instead of using /dev/null.

```
$ cat > /tmp/openssl.conf <<EOF
_openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation_
EOF

$ OPENSSL_CONF=/tmp/openssl.conf curl
```

That comes from https://github.com/dlenski/gp-saml-gui/issues/42

** Bug watch added: github.com/dlenski/gp-saml-gui/issues #42
   https://github.com/dlenski/gp-saml-gui/issues/42
[Bug 1968467] Re: CSD scripts do not work on jammy
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openconnect (Ubuntu)
       Status: New => Confirmed
Re: [Bug 1968467] Re: CSD scripts do not work on jammy
On Mon, Apr 11, 2022 at 6:00 PM Dan Lenski <1968...@bugs.launchpad.net> wrote:
>
> My feeling is that curl should set the SSL option when -k is used.
> openconnect itself sets this option already, it was fixed in commit
> c8dcf10
>
> If you replace the cURL invocation in the CSD/Trojan script with…
>
> ```
> OPENSSL_CONF=/dev/null curl
> ```
>
> … does this make it work? (For some hints about how/why it should work,

No, it didn't change, I tested with:

# OPENSSL_CONF=/dev/null curl -k -v https://x.x.x.x/
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Inside ubuntu:22.04 as a docker container just to test curl.

Thanks,
Jason
[Bug 1968467] Re: CSD scripts do not work on jammy
I’m one of the upstream OpenConnect developers. Thanks for bringing this to our attention.

This is one of a seemingly-endless stream of issues (e.g. https://gitlab.com/openconnect/openconnect/-/issues/211) that OpenConnect users have encountered as a result of distros’ recent mania for enforcing “minimum TLS security levels” on a system-wide level. It’s a frustrating situation for OpenConnect because users often have to connect to ancient unpatched VPNs to do their work, can’t do anything about the server configuration, and have no real expectation of “security” anyway.

> My feeling is that curl should set the SSL option when -k is used.
> openconnect itself sets this option already, it was fixed in commit
> c8dcf10

If you replace the cURL invocation in the CSD/Trojan script with…

```
OPENSSL_CONF=/dev/null curl
```

… does this make it work? (For some hints about how/why it should work, start with https://gitlab.com/openconnect/openconnect/-/commit/7e862f2f0352409357fa7a4762481fde49909eb8#406e031b8824ea26ae0bf4d7579a1d89e3fb5906)

** Bug watch added: gitlab.com/openconnect/openconnect/-/issues #211
   https://gitlab.com/openconnect/openconnect/-/issues/211