openconnect is using SSL instead of TLSv1.2 Protocol

David Woodhouse dwmw2 at infradead.org
Wed Apr 8 05:28:30 PDT 2015


On Sat, 2015-04-04 at 10:22 +0200, Uwe Schreiber wrote:
> Hello,
> 
> I'm using Ubuntu 14.04.2 with all the latest patches.
> 
> I installed openconnect v7.06-7-gf2e8cd0 from GIT.
> I am trying to connect to a Juniper VPN, but I receive the message
> 
> SSL connection failure: A TLS packet with unexpected length was
> received.
> 
> I did a trace using Wireshark and have seen my client is sending a
> "Client Hello" using SSL as protocol.

Hm, that shouldn't happen. Were you building against GnuTLS or
OpenSSL? What version?

I did a quick test here. With GnuTLS (3.3.14) I'm definitely seeing it
use TLSv1.2. With OpenSSL (1.0.1k) it uses TLSv1.0.

If I change the TLSv1_client_method() to SSLv23_client_method() at
around line 1401 of openssl.c, *then* it sends a ClientHello for
TLSv1.2. But I think we'd want to explicitly prevent it from actually
allowing anything older than TLSv1.0.

I remember there being odd firewall issues with later protocols, but I
suspect that's all caused by the stupid F5 firewalls with packet size
issues which should be handled now.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
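To check what a trace like the one described in the thread actually shows, here is an added example (not openconnect code, and not from the thread) that reads the record-layer version and the ClientHello client_version from the first bytes of a captured TLS record, and flags a client that offers anything older than TLSv1.0, which is the floor the reply above argues for. The sample headers are constructed, not real captures; the parser itself works on the header of any ClientHello record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define VER_TLS10 0x0301 /* wire encoding of TLSv1.0; 0x0300 = SSLv3, 0x0303 = TLSv1.2 */

/* Check the record header (type 0x16, major version 3) and the ClientHello
   handshake header, then return the big-endian version field at `off`.
   Returns -1 if the bytes are not the start of a ClientHello record. */
static int hello_version_at(const uint8_t *buf, size_t len, size_t off) {
    if (len < 11 || buf[0] != 0x16 || buf[1] != 0x03 || buf[5] != 0x01)
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    size_t hs_len  = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (hs_len + 4 > rec_len)   /* handshake header + body must fit in the record */
        return -1;
    return (buf[off] << 8) | buf[off + 1];
}
/* Record-layer version (offset 1): what a packet trace labels the record with. */
int record_version_of(const uint8_t *buf, size_t len) {
    return hello_version_at(buf, len, 1);
}
/* client_version inside the ClientHello (offset 9): the highest version offered. */
int client_version_of(const uint8_t *buf, size_t len) {
    return hello_version_at(buf, len, 9);
}
/* 1 if the client offers something older than TLSv1.0, 0 if not, -1 if unparseable. */
int offers_below_tls10(const uint8_t *buf, size_t len) {
    int v = client_version_of(buf, len);
    return v < 0 ? -1 : v < VER_TLS10;
}

/* Constructed sample headers, not real captures: the first 11 bytes of a
   ClientHello, laid out as record type(1) version(2) length(2), then
   handshake type(1) length(3) client_version(2). */
static const uint8_t hello_tls12[] = { 0x16, 0x03, 0x01, 0x00, 0x2f,
                                       0x01, 0x00, 0x00, 0x2b, 0x03, 0x03 };
static const uint8_t hello_ssl3[]  = { 0x16, 0x03, 0x00, 0x00, 0x2f,
                                       0x01, 0x00, 0x00, 0x2b, 0x03, 0x00 };

static void report(const char *name, const uint8_t *buf, size_t len) {
    printf("%s: record %#06x, offers %#06x, below TLSv1.0: %d\n", name,
           record_version_of(buf, len), client_version_of(buf, len),
           offers_below_tls10(buf, len));
}
int main(void) {
    report("TLSv1.2 hello", hello_tls12, sizeof hello_tls12);
    report("SSLv3 hello", hello_ssl3, sizeof hello_ssl3);
    return 0;
}
```

The record-layer version and client_version are independent fields, so a ClientHello offering TLSv1.2 can still carry a TLSv1.0 record version for compatibility; compare both before concluding which protocol a client is actually using.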