Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Daniel Lenski
On Fri, Jul 20, 2018 at 9:54 AM, Dave Hansen wrote:
> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
> that blacklist TLS 1.0. Where should this get fixed?

This seems to be a common feature of newer Cisco servers. I tried handshaking with a bunch of Cisco servers with "

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Nikos Mavrogiannopoulos
On Tue, Jul 24, 2018 at 6:21 PM, Daniel Lenski wrote:
> On Fri, Jul 20, 2018 at 9:54 AM, Dave Hansen wrote:
>> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
>> that blacklist TLS 1.0. Where should this get fixed?
>
> This seems to be a common feature of newer Cisco ser

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Nikos Mavrogiannopoulos
On Fri, Jul 20, 2018 at 6:54 PM, Dave Hansen wrote:
> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
> that blacklist TLS 1.0. Where should this get fixed?
>
> ---
>
> I'm running a rather vintage Ubuntu 14.04 which ships a rather
> unmodified openconnect 5.02 package.

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Dave Hansen
On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>> Further, this code still seems to be around in openconnect, at least
>> when compiled against old versions of gnutls:
>>
>> https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202
>>
>> Is this something Ubuntu can fix in their

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Nikos Mavrogiannopoulos
On Tue, Jul 24, 2018 at 9:50 PM, Dave Hansen wrote:
> On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>>> Further, this code still seems to be around in openconnect, at least
>>> when compiled against old versions of gnutls:
>>>
>>> https://github.com/openconnect/openconnect/blob/master/gnu

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Dave Hansen
On 07/24/2018 01:01 PM, Nikos Mavrogiannopoulos wrote:
>> Am I misreading the code?
>>
>> If compiled with !DEFAULT_PRIO and we miss both the gtls_ver(3,2,9) and
>> gtls_ver(3,0,0) checks, won't we do
>> "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"... from the else{} block below?
>>
>> I read that as "when

Re: Openconnect and old gnutls on Ubuntu 14.04

2018-07-24 Thread Mike Miller
On Tue, Jul 24, 2018 at 14:50:03 -0700, Dave Hansen wrote:
> Right, Ubuntu (14.04) doesn't have the first two cases, only the third.
> But, I was basically asking (despite being an ancient version of
> openconnect) whether this affects upstream openconnect.
>
> The "gtls_ver(3,0,0)" in upstream op