Diagnosing error "SSL read error: The TLS connection was non-properly terminated"

John Hendy jw.hendy at gmail.com
Thu Apr 17 18:46:05 PDT 2014


On Thu, Apr 17, 2014 at 8:01 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 5:23 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> It looks like what you thought: csd-wrapper gets run and then stops
>> (when I quit openconnect, that defunct entry goes away). I also
>> noticed that when re-checking after being vpn'd for ~10min (with
>> openconnect still going), the cscan entry wasn't there anymore,
>> either. I quit and restarted openconnect and it looks like it ran for
>> ~1min.
>
> Well, just to rule it out, you can try the attached csd.sh (which
> skips running the trojan).  You'll need the curl utility installed to
> POST the policy info to the gateway.

$ sudo pacman -Q | grep curl
curl 7.36.0-1

I can't connect with that script -- my credentials get denied and
there's a message to contact my company IT Help Desk. If I recall
correctly, I used to get that message when trying with the anyconnect
client if I hadn't started the /etc/rc.d/hostscan service.

>> $ sudo pacman -Qi openconnect     # Arch's versioning... which appears
>> different than the below
>> Name           : openconnect
>> Version        : 1:5.03-1
>> Description    : Open client for Cisco AnyConnect VPN
>> Architecture   : x86_64
>> URL            : http://www.infradead.org/openconnect.html
>> Licenses       : GPL
>
> This should probably say LGPLv2.1.

I couldn't figure out how to contact the maintainer or packager for
the package, so I just submitted a bug report with the correct
information to let them know:
- https://bugs.archlinux.org/task/39927

>> $ openconnect --version
>> OpenConnect version v5.03
>> Using GnuTLS. Features present: PKCS#11, DTLS
>>
>> $ sudo pacman -Q | grep gnutls
>> gnutls 3.3.0-1
>
> When I saw your pastebin I wondered whether it was an old build that
> didn't have DTLS compiled in.  But that doesn't seem to be the case.
> So your client supports DTLS but you're getting a TLS-only connection
> for some reason.
>
> On a public wifi network I would worry about packet loss / congestion,
> and maybe timeouts on long lived TCP sessions.  DTLS would help with
> all of those.
>
> Could you post the result from connecting with "openconnect -v" so we
> can see if the gateway has DTLS disabled?

Here's the verbose output using the csd-wrapper.sh I posted earlier:
- http://pastebin.com/5ZcNpUuj

I terminated it shortly after initiating, as the stuff at the very end
looked to just be repeating at a rapid pace. I can re-run a failed
attempt with your csd.sh if that would be useful.


Best regards,
John
