Copying from what I wrote on the openconnect-devel mailing list… Nikos's proposed fix is to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0".

It's useful to consider the total set of possible effects of this change on Ubuntu 14.04's openconnect:

1) Good: Fixes the incompatibility reported here, allowing it to connect to gateways that require TLS1.1 or TLS1.2.
2) Neutral: No effect on ancient gateways that only support SSLv3 (insecure, already locked out).
3) Neutral: No effect on ancient gateways that only support TLS1.0 (still possible to connect).
4) Bad: May prevent connections to TLS-version-intolerant (aka "broken") servers and middleboxes which support TLS1.0 but fail to correctly negotiate down to it when presented with TLS1.1/1.2 ClientHellos.

The upside (1) is pretty obvious and clear, because lots of newer gateways simply refuse TLS1.0 these days. The downside (4) is harder to estimate… I don't think there are too many TLS1.0-only version-intolerant middleboxes out there these days because they would be breaking pretty much all the modern clients with the misfortune to go through them. And I don't think I've ever seen a report on the mailing list of a TLS1.0-only version-intolerant Cisco ASA.

Basically, this change would vastly improve compatibility with newer gateways that refuse TLS1.0… and it would *only* reduce compatibility with really obsolete middleboxes that are intolerant to TLS1.1 and newer. I doubt that many such middleboxes still exist on the public Internet, because they would be breaking most modern clients. So I'm in favor.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1783610

Title:
  Openconnect fails to connect to VPN servers which blacklist TLS 1.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1783610/+subscriptions
-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
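The four cases enumerated in the post above can be checked mechanically. The script below is an added example, not code from openconnect, GnuTLS or the Launchpad bug: it parses the version keywords of a GnuTLS-style priority string (only the "+VERS-"/"-VERS-" modifiers; ciphers, MACs and "%COMPAT" are ignored) and runs a deliberately simplified model of TLS version negotiation against a hypothetical gateway. Assumptions made here: the "NORMAL" base keyword enables TLS1.0 through TLS1.2 but not SSL3.0 (matching the post's remark that SSLv3 is already locked out), TLS1.3 is left out because the GnuTLS shipped with 14.04 predates it, and a "version-intolerant" server is modelled as aborting whenever the client's highest offered version exceeds its own instead of negotiating down. The scenario values are constructed for illustration.

```python
"""Model the effect of the openconnect priority-string change on TLS negotiation.

Added example (not openconnect's or GnuTLS's code). The parser handles only the
version keywords of a GnuTLS priority string; the negotiation model is a toy.
"""

# Protocol versions in preference order; TLS1.3 omitted (assumption: 14.04's GnuTLS predates it).
VERSIONS = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]
RANK = {v: i for i, v in enumerate(VERSIONS)}
TLS_VERSIONS = frozenset(v for v in VERSIONS if v.startswith("TLS"))

# Assumption: the NORMAL keyword enables the TLS versions and not SSL3.0,
# consistent with the post's "SSLv3 ... already locked out".
NORMAL_BASE = TLS_VERSIONS

OLD_PRIO = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0"   # string before the proposed fix
NEW_PRIO = "NORMAL:-VERS-SSL3.0"                 # Nikos's proposed replacement


def enabled_versions(priority, base=NORMAL_BASE):
    """Return the protocol versions left enabled after applying the priority string.

    Only '+VERS-...' and '-VERS-...' tokens are interpreted; they apply in order.
    """
    enabled = set(base)
    for token in priority.split(":"):
        if len(token) < 2 or token[0] not in "+-" or not token[1:].startswith("VERS-"):
            continue  # cipher/MAC/%COMPAT tokens do not affect versions
        op, name = token[0], token[6:]  # strip the sign and the 'VERS-' prefix
        if name == "TLS-ALL":
            targets = set(TLS_VERSIONS)
        elif name == "ALL":
            targets = set(VERSIONS)
        elif name in RANK:
            targets = {name}
        else:
            raise ValueError(f"unknown version keyword: {token}")
        if op == "+":
            enabled |= targets
        else:
            enabled -= targets
    return frozenset(enabled)


def negotiate(client_versions, server_versions, version_intolerant=False):
    """Return the negotiated version, or None if the handshake fails.

    Toy model: the ClientHello advertises the client's highest version. A
    version-intolerant server aborts when that exceeds its own maximum instead
    of negotiating down; a well-behaved server picks the highest common version.
    """
    if not client_versions or not server_versions:
        return None
    offered = max(client_versions, key=RANK.get)
    server_max = max(server_versions, key=RANK.get)
    if version_intolerant and RANK[offered] > RANK[server_max]:
        return None
    common = set(client_versions) & set(server_versions)
    return max(common, key=RANK.get) if common else None


def assess_change(server_versions, version_intolerant=False, old=OLD_PRIO, new=NEW_PRIO):
    """Compare the outcome before and after the change: (before, after, verdict)."""
    before = negotiate(enabled_versions(old), server_versions, version_intolerant)
    after = negotiate(enabled_versions(new), server_versions, version_intolerant)
    if before is None and after is not None:
        verdict = "good"      # newly able to connect
    elif before is not None and after is None:
        verdict = "bad"       # connection lost by the change
    else:
        verdict = "neutral"   # same outcome either way
    return before, after, verdict


# Constructed gateways matching the four cases in the post.
SCENARIOS = {
    "1 modern gateway, TLS1.1/1.2 only": ({"TLS1.1", "TLS1.2"}, False),
    "2 ancient gateway, SSLv3 only":      ({"SSL3.0"}, False),
    "3 ancient gateway, TLS1.0 only":     ({"TLS1.0"}, False),
    "4 TLS1.0-only, version-intolerant":  ({"TLS1.0"}, True),
}

if __name__ == "__main__":
    print("old enables:", sorted(enabled_versions(OLD_PRIO), key=RANK.get))
    print("new enables:", sorted(enabled_versions(NEW_PRIO), key=RANK.get))
    for label, (supported, intolerant) in SCENARIOS.items():
        before, after, verdict = assess_change(supported, intolerant)
        print(f"{label}: before={before} after={after} -> {verdict}")
```

Running it reproduces the post's table: only the version-intolerant TLS1.0-only server regresses, everything else is unchanged or improves. The same parser can be pointed at other candidate strings (for example one that also keeps "+VERS-TLS1.0" explicitly) to see which servers each variant reaches.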
