SSL read error: Success

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed May 17 23:29:20 PDT 2017


On Thu, May 18, 2017 at 8:19 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Wed, May 17, 2017 at 10:59 PM, Yuri <me at koshaq.net> wrote:
>> Hi there.
>>
>> We're using openconnect 7.08 on Arch Linux and the server is running ocserv.
>> Server:
>>
>> Debian jessie, ocserv 0.11.6
>> I noticed that when I connect from this particular Arch machine, DTLS
>> wouldn't work. I also tried recompiling openconnect with OpenSSL, but
>> ultimately I see the same output at the server. Connecting without
>> DTLS works fine, though.
>
> [...]
>
>> And on the server I see:
>> May 17 15:00:38 test-vpngw02 ocserv[1914]: worker[username]:
>> IP.ADD.RE.SS worker-vpn.c:236: could not set TLS priority:
>> 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL':
>> The request is invalid.
>
> As indicated above, the error is on the server. My guess is that if
> jessie is on 3.3.8 the -VERS-ALL is not available, and that's why it
> complains.
> You can verify by checking the output of:
> gnutls-cli -l --priority
> 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL'

That patch is needed for debian/jessie:
https://gitlab.com/ocserv/ocserv/commit/89ba65922af1c9e34403b4605349729de3a34391

I'd suggest moving that to the Debian bug tracker.

regards,
Nikos


