Public bug reported:

The CSD scripts all use curl to communicate with the ASA server, and in
Jammy curl has been linked with OpenSSL 3.

OpenSSL 3 switched off SSL_OP_LEGACY_SERVER_CONNECT by default, and
Cisco never implemented RFC 5746 in ASA, so the curl commands in the CSD
script just fail to connect (and the scripts blindly ignore these errors,
making it hard to debug).

When run manually curl reports back:

* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

My feeling is that curl should set the SSL option when -k is used.
openconnect itself sets this option already; it was fixed in commit
c8dcf10.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openconnect 8.20-1
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu80
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.468
CurrentDesktop: ubuntu:GNOME
Date: Sun Apr 10 12:19:57 2022
LiveMediaBuild: Ubuntu 22.04 LTS "Jammy Jellyfish" - Daily amd64 (20220409)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openconnect
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968467

Title:
  CSD scripts do not work on jammy
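
The report notes that the CSD scripts ignore curl's errors, which hides this failure. The following is an added example, not part of the bug report or of openconnect: a wrapper that keeps curl's exit status and stderr and names the OpenSSL 3 legacy-renegotiation refusal explicitly. The helper names classify_curl_failure and csd_fetch are hypothetical.

```shell
#!/bin/sh
# Added example: make a CSD-style curl call fail loudly instead of silently.
# classify_curl_failure and csd_fetch are hypothetical helper names.

# Map a curl exit status plus its captured stderr to a short diagnosis.
classify_curl_failure() {
    local rc="$1" err="$2"
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 35 ] && printf '%s\n' "$err" |
            grep -qF 'unsafe legacy renegotiation disabled'; then
        # curl 35 = TLS connect error; this text is OpenSSL 3 refusing a
        # peer that did not offer RFC 5746 secure renegotiation.
        echo legacy-renegotiation-refused
    elif [ "$rc" -eq 35 ]; then
        echo tls-handshake-failed
    elif [ "$rc" -eq 60 ]; then
        # curl 60 = the peer certificate could not be verified.
        echo certificate-verification-failed
    else
        echo "curl-error-$rc"
    fi
}

# Run curl, keep its stderr, and return non-zero with a clear message on any
# failure so the calling script cannot carry on with a missing download.
csd_fetch() {
    local url="$1" out="$2" err rc verdict
    # The && / || form keeps curl's status even when the caller uses set -e.
    err=$(curl --silent --show-error --fail --output "$out" "$url" 2>&1) \
        && rc=0 || rc=$?
    verdict=$(classify_curl_failure "$rc" "$err")
    if [ "$verdict" != ok ]; then
        printf 'csd_fetch: %s: %s: %s\n' "$url" "$verdict" "$err" >&2
        return "$rc"
    fi
}

# Constructed sample: the exit status and error line quoted in the report.
SAMPLE_ERR='curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled'
classify_curl_failure 35 "$SAMPLE_ERR"
```

A script that calls csd_fetch in place of a bare curl invocation can then stop at the first failed transfer and log the verdict.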
