[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2017-10-26 Thread Bug Watch Updater
Launchpad has imported 15 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=1370881.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2016-08-27T20:55:59+00:00 Lars wrote:

Created attachment 1194946
verbose openconnect output (see end of file for failure)

Following the F25 update to gnutls-3.5.3-1, VPN connections established
through OpenConnect (against an AnyConnect VPN provided by a Cisco ASA
device) started to fail, with the remote side appearing dead to
OpenConnect:

DTLS Dead Peer Detection detected dead peer!

After re-establishment, the connection works again for some time, then
the process is repeated. The connection only fails if it's actually used
for something. Not quite sure yet what exactly triggers it. Logging into
a RHEV/oVirt web interface seems quite reliable, but I've also seen it
happen during DNF package installs.

Disabling DTLS (--no-dtls to openconnect) makes things work again, as
does downgrading of gnutls to the previous 3.5.2 version. Looking at the
upstream changelog, 3.5.3 appears to introduce a new DTLS sliding window
implementation, maybe related?

Version-Release number of selected component (if applicable):
gnutls-3.5.3-1.fc25.x86_64
openconnect-7.07-2.fc25.x86_64


Steps to Reproduce:
1. connect to AnyConnect VPN using OpenConnect
2. use it for some time (not sure what exactly triggers it, doesn't take long though)
3. connection dies with "DTLS Dead Peer Detection detected dead peer!"


Additional info:
I'm well aware that Cisco's DTLS implementation is quite non-standard, but 
grepping through the GnuTLS code, it seems to me that the intent is to support 
it (as DTLS0.9), which is why I'm filing this bug against GnuTLS.

OpenConnect does not show the issue when using gnutls-3.5.2-1.fc25 or
when built against OpenSSL.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/comments/0


On 2016-08-29T06:32:21+00:00 Nikos wrote:

Hi, if you downgrade to 3.5.2 does it work? Do you have any debugging
output when this issue happens?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/comments/1


On 2016-08-29T06:34:08+00:00 Nikos wrote:

The best would be if you could provide some gnutls debugging output
while that issue occurs. To get that you can set GNUTLS_DEBUG_LEVEL=6
environment variable prior to running openconnect.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/comments/2


On 2016-08-29T07:49:44+00:00 David wrote:

You can also add --gnutls-debug=6 to the openconnect command line.

It might be worth getting a packet capture from the real network,
showing the DTLS packets. The sequence numbers are in the clear, aren't
they? And the only obvious DTLS change I see between 3.5.2 and 3.5.3 is
related to the sequence number sliding window — so we hopefully don't
even *need* to decrypt the packets to work out what the problem is.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/comments/3


On 2016-08-29T08:19:52+00:00 Nikos wrote:

David reproduced the issue and sent the log back. I'll try to figure out
the issue from that.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/comments/4


On 2016-08-29T08:29:12+00:00 David wrote:

REC[0x15970d0]: Decrypted Packet[1.798] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.803] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.800] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.805] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.802] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.807] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.804] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.808] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.806] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.810] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.809] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.812] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.814] Application Data(23) with length: 1267
REC[0x15970d0]: Decrypted Packet[1.816] Application Data(23) with length: 1267
REC[0x15970d0]: 
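
The reordering visible in the log (1.798, 1.803, 1.800, 1.805, ...) is exactly what a DTLS anti-replay sliding window has to tolerate: each record must be accepted once if it lies inside the window and has not been seen, and a window that fails to slide or mis-tracks its bits silently drops genuine traffic until dead peer detection fires. The C below is an added example, not GnuTLS or OpenConnect code: a minimal RFC 6347 style 64-record window replayed over the sequence numbers in the order the log shows them (the `log_order` array is constructed from those lines).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DTLS_WINDOW_BITS 64

/* Anti-replay window (RFC 6347 4.1.2.6 style): the highest per-epoch record
 * sequence number accepted so far and a bitmap of which of the DTLS_WINDOW_BITS
 * numbers at or below it have arrived (bit i set means top - i was received).
 * Zero-initialise for a new epoch; epoch changes are out of scope here. */
struct dtls_window {
    uint64_t top;
    uint64_t bitmap;
};

/* Returns true if seq is fresh (safe to decrypt and deliver) and records it,
 * false if it is a replay or has fallen off the back of the window. */
static bool dtls_window_accept(struct dtls_window *w, uint64_t seq)
{
    if (seq > w->top) {                /* newer than anything seen: slide right */
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= DTLS_WINDOW_BITS) ? 1 : (w->bitmap << shift) | 1;
        w->top = seq;
        return true;
    }
    uint64_t back = w->top - seq;      /* reordered record: distance behind top */
    if (back >= DTLS_WINDOW_BITS)      /* older than the window can track */
        return false;
    if (w->bitmap & (1ULL << back))    /* already received: replay */
        return false;
    w->bitmap |= (1ULL << back);       /* late but genuine: accept once */
    return true;
}

/* Feed a run of sequence numbers and return how many were accepted. */
static size_t dtls_window_run(struct dtls_window *w, const uint64_t *seqs, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        accepted += dtls_window_accept(w, seqs[i]) ? 1 : 0;
    return accepted;
}

/* Constructed input: the epoch-1 sequence numbers in the order the log above
 * shows them being decrypted (reordered in transit, none duplicated). */
static const uint64_t log_order[] = { 798, 803, 800, 805, 802, 807, 804,
                                      808, 806, 810, 809, 812, 814, 816 };
static const size_t log_order_len = sizeof log_order / sizeof log_order[0];
```

A correct window accepts all 14 records in that order; a later copy of 805 or anything more than 63 records behind the top is dropped, while 811, which never arrived, is still accepted once.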

[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls28 - 3.5.3-5ubuntu1

---
gnutls28 (3.5.3-5ubuntu1) yakkety; urgency=medium

  * Merge with Debian (LP: #1624856).  Remaining changes:
    - debian/patches/disable_global_init_override_test.patch: disable failing
      test.
    - debian/patches/add-openssl-test-link.patch: add link for libssl

gnutls28 (3.5.3-5) experimental; urgency=medium

  * Pull DTLS fixes from upstream GIT master.
    45_01-tests-enhance-the-DTLS-window-unit-test-to-account-f.patch
    45_02-dtls-ensure-that-the-DTLS-window-doesn-t-get-stalled.patch
    45_03-tests-mini-dtls-record-modified-expected-order-to-ac.patch
    45_04-Import-DTLS-sliding-window-validation-from-OpenConne.patch
    Closes: #835587

 -- Anders Kaseorg   Sun, 18 Sep 2016 08:03:47 -0400

** Changed in: gnutls28 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1624856

Title:
  Regressions in GnuTLS 3.5.3 break OpenConnect

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-20 Thread Mathew Hodson
** Changed in: gnutls28 (Ubuntu)
   Importance: Undecided => High



[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-20 Thread Marc Deslauriers
Debdiff looks good, uploaded. Thanks!



[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-18 Thread Bug Watch Updater
** Changed in: gnutls28 (Debian)
   Status: Unknown => Fix Released



[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-18 Thread Anders Kaseorg
** Patch added: "full merge from Debian (3.5.3-4ubuntu1 → 3.5.4-2ubuntu1)"
   
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/+attachment/4743050/+files/gnutls28_3.5.3-4ubuntu1_3.5.4-2ubuntu1.debdiff

** Tags added: patch

** Tags added: patch-accepted-debian


[Bug 1624856] Re: Regressions in GnuTLS 3.5.3 break OpenConnect

2016-09-18 Thread Anders Kaseorg
** Patch added: "minimal patch"
   
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1624856/+attachment/4743049/+files/gnutls28_3.5.3-4ubuntu1_3.5.3-5ubuntu1.debdiff
