How to set TLSv1.2 when using openconnect client

Kevin Cernekee cernekee at gmail.com
Sat Jun 11 08:32:15 PDT 2016


On Sat, Jun 11, 2016 at 3:47 AM, Shen Alex <alex.51cto at gmail.com> wrote:
> When I install openconnect client on CentOS 6.5 and try to connect to
> ocserv (SSLv3 disabled), it shows:
>
> attempting to connect to server x.x.x.x:443
> SSL negotiation with xxxxxxxxxxxxxxxxxxxxxx
> SSL connection failure
> 139933011761000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:339:
> Failed to open HTTPS connection to xxxxxxxxxxxxxxxxxx
> GET https://xxxxxxxxxxxxxxxxx/
> Attempting to connect to server x.x.x.x:443
> SSL negotiation with xxxxxxxxxxxxxxxxxxxxxxx
> SSL connection failure
> 139933011761000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:339:
> Failed to open HTTPS connection to xxxxxxxxxxxxxxxx
> Failed to obtain WebVPN cookie
>
> I want to set the SSL version manually (like "curl -1", "openssl -tls1", etc.),
> but I couldn't find any settings about it in "man openconnect".

Hmm, this seems to be hardcoded in openssl.c:

    /* TLSv1_client_method() yields a context that speaks TLS 1.0 only */
    ssl3_method = TLSv1_client_method();
    if (!vpninfo->https_ctx) {
        vpninfo->https_ctx = SSL_CTX_new(ssl3_method);

If you change TLSv1_client_method() to TLS_client_method(), does that fix it?

(Not sure if that has any impact on ASA compatibility, or
compatibility with older OpenSSL versions.)
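As an added example (not from this thread or the openconnect code), the same idea in Python's ssl module, which mirrors the OpenSSL API: a parser for the OpenSSL error line quoted above, a filter that flags version-mismatch failures in such log output, and a client context that negotiates TLS 1.2 or newer instead of being pinned to TLS 1.0 the way TLSv1_client_method() pins it. The function names and the sample log lines are my own constructions.

```python
import re
import ssl
from typing import List, Optional

# OpenSSL's ERR_print_errors() line layout:
#   pid:error:code:library:function:reason:file:line:
_OPENSSL_ERR = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):$"
)

# Constructed sample: the report's output with the wrapped error line re-joined.
SAMPLE_LOG = [
    "Attempting to connect to server x.x.x.x:443",
    "SSL connection failure",
    "139933011761000:error:1408F10B:SSL routines:SSL3_GET_RECORD:"
    "wrong version number:s3_pkt.c:339:",
    "Failed to obtain WebVPN cookie",
]

# Reason strings OpenSSL emits when client and server cannot agree on a version.
VERSION_MISMATCH_REASONS = {"wrong version number", "unsupported protocol"}


def parse_openssl_error(line: str) -> Optional[dict]:
    """Split one OpenSSL error line into its fields; None if it is not one."""
    m = _OPENSSL_ERR.match(line.strip())
    return m.groupdict() if m else None


def version_mismatch_errors(lines: List[str]) -> List[dict]:
    """Return the parsed OpenSSL errors that point at a protocol-version mismatch."""
    hits = []
    for line in lines:
        err = parse_openssl_error(line)
        if err and err["reason"] in VERSION_MISMATCH_REASONS:
            hits.append(err)
    return hits


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context that negotiates min_version or newer.

    PROTOCOL_TLS_CLIENT is the counterpart of TLS_client_method(): it accepts
    any version, so the floor is set explicitly. The deprecated PROTOCOL_TLSv1
    would behave like TLSv1_client_method() and fail against a server that
    has dropped TLS 1.0.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version          # refuse anything older
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED        # still validate the server cert
    return ctx
```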
