Public bug reported:

Summary:

Intel has stopped supporting TLS 1.0 on its VPN endpoints, which is apparently a new default configuration for some Cisco VPN servers. This configuration is incompatible with the Ubuntu 14.04.5 openconnect, and my openconnect now fails to connect.

Details:

I'm running a fully-updated Ubuntu 14.04.5, which ships the openconnect 5.02 package. It uses the following as a priority string for the TLS session:

    "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
    "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"

This string forces the TLS version to 1.0 and will not use TLS 1.1/1.2 despite libgnutls26 support for 1.1/1.2. I confirmed the attempt to use TLS 1.0 in a packet capture. gnutls-cli, using the same gnutls library, was confirmed in a packet capture to be using TLS 1.2.

This leaves me unable to connect to the VPN servers. The failure message that comes back out of the console from openconnect is something along these lines:

> SSL connection failure: A TLS packet with unexpected length was received.

The packet capture shows a TCP RST packet coming back from the server to trigger these messages.

I _can_ connect to these VPN servers if the "-VERS-TLS-ALL" is removed from the openconnect priority string and the binary is recompiled.

This code still seems to be around in the current upstream openconnect, although it may be dead code because of the deprecation of upstream openconnect support for old versions of gnutls.

https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202

So, there may not be an upstream fix for this issue other than removing the code since.

In an openconnect-devel@ discussion, Nikos Mavrogiannopoulos <n.mavrogiannopou...@gmail.com> provided some of the background for why this particular TLS priority string was placed in OpenConnect:

> I think this was at a time which a popular firewall (F5) was
> terminating TLS connections in an apparent random way. It was often
> seen that it would terminate some gnutls connections but not openssl.
> I'm only speculating here but my understanding was that David was
> trying to make gnutls' handshake look as close as possible to the
> openssl's from that time (when gnutls was added in openconnect,
> openssl didn't have tls1.2 or it was way too new), to avoid these
> failures. It was later found out that this firewall would terminate a
> TLS connection if the first message (hello) was between 256 and 512
> bytes. When gnutls added counter measures about that (with the %COMPAT
> keyword), openconnect was also updated. That should have been with the
> changelog entry:
>
> <li>Enable elliptic curves with GnuTLS 3.2.9+, where there is a
> workaround for certain firewalls that fail with client hellos between
> 256 and 512 bytes.</li>

$ lsb_release -rd
Description:    Ubuntu 14.04.5 LTS
Release:        14.04

$ apt-cache policy openconnect
openconnect:
  Installed: 5.02-1
  Candidate: 5.02-1
  Version table:
 *** 5.02-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy libgnutls26
libgnutls26:
  Installed: 2.12.23-12ubuntu2.8
  Candidate: 2.12.23-12ubuntu2.8
  Version table:
 *** 2.12.23-12ubuntu2.8 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.12.23-12ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1783610
Title: Openconnect fails to connect to VPN servers which blacklist TLS 1.0