Trying to build openconnect 8.20 on ubuntu 20

Daniel Lenski dlenski at gmail.com
Mon Mar 14 17:50:41 PDT 2022


On Mon, Mar 14, 2022 at 3:41 AM Dimitri Papadopoulos Orfanos
<dimitri.papadopoulos at cea.fr> wrote:
> I guess libgnutls28-dev was initially missing. By installing it, your
> build switched to GnuTLS, which appears to support the broken Cisco DTLS
> version, unlike OpenSSL version 1.1.1f (the version shipping with Ubuntu
> 20.04).
>
> So it's really an issue of building against OpenSSL vs. GnuTLS. It's
> definitely worth documenting the OpenSSL 1.1.1f issue here:
> - https://www.infradead.org/openconnect/anyconnect.html
> - https://gitlab.com/openconnect/openconnect/-/blob/master/openssl-dtls.c#L774-784

Exactly.

Without a bit more investigation, I'm hesitant to categorically state
that 1.1.1f is buggy (rather than "1.1.1f as distributed by Ubuntu"),
because the support for "Cisco/pre-1.0 DTLS" seems to get broken
inadvertently so often, due to being the most unloved and obscure
variant of TLS/DTLS around.

By the way, our error message links to
http://rt.openssl.org/Ticket/Display.html?id=2984, which appears to be
a bug tracker that no longer exists and isn't cached by Wayback
Machine 🤦🏻‍♂️.

@dwmw2, are there any more details on that ticket that you
still have? Perhaps details on *when/where/how* the OpenSSL support
for "Cisco/pre-1.0 DTLS" was broken?

> By the way, the above documentation still refers to patching and
> rebuilding OpenSSL 0.9.8, 1.0.0, 1.0.1. Perhaps we should consider
> retiring that part of the documentation, as versions 0.9.8, 1.0.0, 1.0.1
> have reached EOL. Only 1.0.2 benefits from extended support. While the
> source code should probably support prior versions, the documentation
> should instead recommend patching/building supported versions of OpenSSL
> (> 1.1.1 with regular support and 1.0.2 with extended support):
>         https://www.openssl.org/policies/releasestrat.html

Agreed.
