Segmentation fault when connecting to junosphere with 7.07 - works fine in 7.06

Tim Preston graywolfe at mac.com
Tue Sep 6 13:21:40 PDT 2016


I’m using OpenConnect to connect to junosphere topologies. This works great in 7.06, but I seem to have a repeatable segmentation fault in 7.07.

I’m using one of my FreeBSD hosts here. I can repeat this behaviour on different hosts, FreeBSD 10 & 11. I also get what looks like the same failure with 7.07 on CentOS 6.7. Unfortunately, I can’t find a way to easily roll that back to 7.06 to confirm (I’m *BSD at heart).

Let me know what information you need from me to investigate this further.


This is what I see when using 7.07:
------
root@lucy:/usr/ports# uname -a
FreeBSD lucy.flibble.org 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297538: Mon Apr  4 14:33:48 UTC 2016     root@lucy.flibble.org:/usr/obj/usr/src/sys/GENERIC  amd64

root@lucy:/usr/ports/openconnect# openconnect -V
OpenConnect version v7.07
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS

root@lucy:/usr/ports/openconnect# openconnect --juniper https://sa7r.junosphere.net/
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://sa7r.junosphere.net/
Connected to 66.129.245.73:443
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "sa7r.junosphere.net" failed verification.
Reason: unable to get local issuer certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes 
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Found
GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
frmLogin
username:<removed>
password:
POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Moved
GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi?p=user-confirm&id=state_d92c3688663b4f88c055ef8afbc5dac7
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Moved
GET https://sa7r.junosphere.net/dana/home/starter0.cgi?check=yes
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
Segmentation fault (core dumped)
------

If I use portdowngrade to pull 7.06 from the ports tree svn repository and do a non-installed build of that, then it works fine and I can access all my junosphere VMs over this.
------
root@lucy:/usr/ports/openconnect# work/openconnect-7.06/openconnect -V
OpenConnect version v7.06-unknown
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS

root@lucy:/usr/ports/openconnect# work/openconnect-7.06/openconnect --juniper https://sa7r.junosphere.net/
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://sa7r.junosphere.net/
Attempting to connect to server 66.129.245.73:443
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "sa7r.junosphere.net" failed verification.
Reason: unable to get local issuer certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Found
GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
frmLogin
username:<removed>
password:
POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Moved
GET https://sa7r.junosphere.net/dana-na/auth/url_default/welcome.cgi?p=user-confirm&id=state_b09ee759faf08cb5cc8150af9a792ef3
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
POST https://sa7r.junosphere.net/dana-na/auth/url_default/login.cgi
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
Got HTTP response: HTTP/1.1 302 Moved
GET https://sa7r.junosphere.net/dana/home/starter0.cgi?check=yes
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
SSL negotiation with sa7r.junosphere.net
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on sa7r.junosphere.net
add host 66.129.245.73: gateway 162.243.141.1
route: writing to routing socket: No such process
delete net 10.233.244.6: gateway 10.233.244.6 fib 0: not in table
add net 10.233.244.6: gateway 10.233.244.6
route: writing to routing socket: No such process
delete net 10.233.240.0: gateway 10.233.244.6 fib 0: not in table
add net 10.233.240.0: gateway 10.233.244.6
route: writing to routing socket: No such process
delete net 8.8.8.8: gateway 10.233.244.6 fib 0: not in table
add net 8.8.8.8: gateway 10.233.244.6
route: writing to routing socket: No such process
delete net 10.233.255.254: gateway 10.233.244.6 fib 0: not in table
add net 10.233.255.254: gateway 10.233.244.6
cp: /dev/null.bak: Operation not supported
Connected tun0 as 10.233.244.6, using SSL
ESP session established with server
------

CentOS details. I haven’t included the failure as it’s identical to the one on FreeBSD.
------
[root@northstar ~]# uname -mrsv
Linux 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64

[root@northstar ~]# openconnect -V
OpenConnect version v7.07
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, DTLS
------

-- 
Tim Preston
graywolfe at mac.com



