On 06/27/2016 02:38 PM, Matthieu Stigler wrote:

UC Davis does not offer anymore the browser-based vpn entry, so need to
use the "Pulse client" they provide:

Sort of. They provide a Juniper based VPN solution that multiple clients work with. Normally linux software is quite secure because it's:
* Compiled with current libraries and compilers
* Is 64 bit (for added page protection)
* In delivered with a package manager (so you get updates)
* Is included via a secure infrastructure
* Uses shared libraries, so you can fix any insecure dependencies
* is open source, follows best practices, etc.

Security critical things running as root and handling security related duties should be held to the highest possible standards.

Unfortunately the pulse client is the exact opposite. Probably one of the least secure binaries on your system. The linux pulse client:
* is just a random .deb download
* doesn't include a manifest with checksums
* isn't signed
* is 32 bit
* has known broken/insecure ssl libraries statically compiled in
* doesn't include any way to automatically get/detect available upgrades
* Seems unclear if it's getting any love at all, 32 bit is pretty old,
  ancient openssl bindings, and (AFAICT) they are no longer affiliated
  with Juniper.

So generally I recommend avoiding pulse if at all possible. The good news is that OpenConnect:
* Is compatible
* is 64 bit
* is open source
* is delivered by your package manager via secure/signed packages
* will automatically get updates (if turned on), or just apt update;
* uses current openssl libraries
* seems to work quite well

Unfortunately it's a bit tricky on older linux boxes, the main problem is that you need a fairly new openssl to get a library that A) doesn't have the security hole and B) emulates (securely) the old behavior to be compatible, but still avoids the security hole.

It pretty much "just works" with ubuntu-16.04.  Just run this:
  sudo apt install openconnect
  sudo /usr/sbin/openconnect --juniper vpn.library.ucdavis.edu

I brought this up with the library and they seem not to care about security and just want to support the pulse client. They did fix their SSL cert so you no longer have to blindly trust a random cert you download.

This could be this bug:

But what is strange is that it did work at some point...

I got it to work to verify things, but it was an ugly fragile hack. Try openconnect, on 12.04 you will likely have to install the newest version from source and possibly openssl as well.

Might be worth spinning up a ubuntu-16.04 vps/virtualbox/whatever just to tinker with how it works. Pretty sure the current fedora should work fine as well. Pretty sure someone mentioned it working on OSX as well.

vox-tech mailing list

Reply via email to