SSL connection failure: Error in the pull function.

Michael Haubenwallner michael.haubenwallner at ssi-schaefer.com
Fri Sep 8 02:11:57 PDT 2017


Hi,

On 04/08/2016 11:21 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2016-04-08 at 10:48 -0700, Chad Bishop wrote:
>> Hello,
>>
>> We recently updated our vpn server to "use a more secure version of
>> TLS"...at least that's what I'm told.  In doing so, I'm now unable to
>> make a connection using openconnect on Fedora 20.
>>
>> The command I'm using is:
>>
>> sudo openconnect [IP] --no-cert-check
>>
>> The only output I get is:
>>
>> POST [IP]
>> Attempting to connec to server [IP]
>> SSL negotiation with [IP]
>> SSL connection failure: Error in the pull function.
>> Failed to open HTTPS connection to [IP]
>> Failed to obtain WebVPN cookie

Same problem here when using GnuTLS 3.5.13,
but there is no problem with GnuTLS 3.3.26.

> 
> The server is closing the connection for some reason. Have you tried
> connecting to it using openssl s_client and gnutls-cli? What is the
> output? Can you share its IP?

The difference in the output of gnutls-cli-debug [IP] is:

$ diff -U0 gnutls-3.*
--- gnutls-3.3.26-cli-debug.out
+++ gnutls-3.5.13-cli-debug.out
@@ -1 +1 @@
-GnuTLS debug client 3.3.26
+GnuTLS debug client 3.5.13
@@ -11,0 +12,2 @@
+                                  fallback from TLS 1.6 to... TLS1.2
+              for inappropriate fallback (RFC7507) support... yes
@@ -14,0 +17,2 @@
+                    for encrypt-then-MAC (RFC7366) support... no
+                   for ext master secret (RFC7627) support... no
@@ -19 +23 @@
-            whether small records (512 bytes) are accepted... yes
+whether small records (512 bytes) are tolerated on handshake... yes
@@ -26,0 +31,4 @@
+                             for curve SECP256r1 (RFC4492)... no
+                             for curve SECP384r1 (RFC4492)... no
+                             for curve SECP521r1 (RFC4492)... no
+           for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
@@ -27,0 +36,2 @@
+                  for AES-128-CCM cipher (RFC6655) support... no
+                for AES-128-CCM-8 cipher (RFC6655) support... no
@@ -32,0 +43 @@
+            for CHACHA20-POLY1305 cipher (RFC7905) support... no

Anything else I should compare to identify the problem?

Thanks!
/haubi/


