SSL connection failure: Error in the pull function.
michael.haubenwallner at ssi-schaefer.com
Fri Sep 8 02:11:57 PDT 2017
On 04/08/2016 11:21 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2016-04-08 at 10:48 -0700, Chad Bishop wrote:
>> We recently updated our vpn server to "use a more secure version of
>> TLS"...at least that's what I'm told. In doing so, I'm now unable to
>> make a connection using openconnect on Fedora 20.
>> The command I'm using is:
>> sudo openconnect [IP] --no-cert-check
>> The only output I get is:
>> POST [IP]
>> Attempting to connec to server [IP]
>> SSL negotiation with [IP]
>> SSL connection failure: Error in the pull function.
>> Failed to open HTTPS connection to [IP]
>> Failed to obtain WebVPN cookie
Same problem here when using GnuTLS 3.5.13,
but there is no problem with GnuTLS 3.3.26.
> The server is closing the connection for some reason. Have you tried
> connecting to it using openssl s_client and gnutls-cli? What is the
> output? Can you share its IP?
The difference in the output of gnutls-cli-debug [IP] is:
$ diff -U0 gnutls-3.*
@@ -1 +1 @@
-GnuTLS debug client 3.3.26
+GnuTLS debug client 3.5.13
@@ -11,0 +12,2 @@
+ fallback from TLS 1.6 to... TLS1.2
+ for inappropriate fallback (RFC7507) support... yes
@@ -14,0 +17,2 @@
+ for encrypt-then-MAC (RFC7366) support... no
+ for ext master secret (RFC7627) support... no
@@ -19 +23 @@
- whether small records (512 bytes) are accepted... yes
+whether small records (512 bytes) are tolerated on handshake... yes
@@ -26,0 +31,4 @@
+ for curve SECP256r1 (RFC4492)... no
+ for curve SECP384r1 (RFC4492)... no
+ for curve SECP521r1 (RFC4492)... no
+ for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
@@ -27,0 +36,2 @@
+ for AES-128-CCM cipher (RFC6655) support... no
+ for AES-128-CCM-8 cipher (RFC6655) support... no
@@ -32,0 +43 @@
+ for CHACHA20-POLY1305 cipher (RFC7905) support... no
Anything else I should compare to identify the problem?