Public bug reported:

The CSD scripts all use curl to communicate to the ASA server and in Jammy curl has been linked with openssl 3.

openssl 3 switched off SSL_OP_LEGACY_SERVER_CONNECT by default, and CISCO never implemented RFC5746 in ASA so the curl commands in the CSD script just fail to connect (and the scripts blindly ignore these errors making it hard to debug).

When run manually curl reports back:

* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

My feeling is that curl should set the SSL option when -k is used.

openconnect itself sets this option already, it was fixed in commit c8dcf10

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openconnect 8.20-1
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu80
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.468
CurrentDesktop: ubuntu:GNOME
Date: Sun Apr 10 12:19:57 2022
LiveMediaBuild: Ubuntu 22.04 LTS "Jammy Jellyfish" - Daily amd64 (20220409)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openconnect
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openconnect (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy
https://bugs.launchpad.net/bugs/1968467

Title:
  CSD scripts do not work on jammy
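
The report says the CSD scripts ignore curl failures, which hides the handshake error quoted above. The following is an added example, not code from the bug report or from openconnect: a shell wrapper a CSD-style script could put around its curl calls so the failure is surfaced and the OpenSSL 3 legacy-renegotiation case is named. The function names `classify_curl_failure` and `checked_curl` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not part of the CSD scripts.

# classify_curl_failure RC STDERR_TEXT
# Prints a short diagnosis; returns 0 only when curl succeeded.
classify_curl_failure() {
    if [ "$1" -eq 0 ]; then
        echo ok
        return 0
    fi
    case $2 in
        *"unsafe legacy renegotiation disabled"*)
            # OpenSSL 3 client refused a server without RFC 5746 support
            echo legacy-renegotiation
            ;;
        *)
            # curl exit code 35 is a TLS/SSL connect error
            if [ "$1" -eq 35 ]; then
                echo tls-handshake
            else
                echo "curl-error-$1"
            fi
            ;;
    esac
    return 1
}

# checked_curl ARGS...
# Runs curl with the given arguments, passes the response body through on
# stdout, and reports any failure on stderr instead of dropping it.
checked_curl() {
    errfile=$(mktemp) || return 1
    curl_rc=0
    curl -sS "$@" 2>"$errfile" || curl_rc=$?
    curl_err=$(cat "$errfile")
    rm -f "$errfile"
    diag=$(classify_curl_failure "$curl_rc" "$curl_err") && return 0
    echo "csd: curl failed (exit $curl_rc, $diag): $curl_err" >&2
    return "$curl_rc"
}
```

A script that calls `checked_curl ... || exit 1` stops at the first failed request and logs the reason, rather than continuing with an empty response.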