OpenConnect Cipher issue

Claus-Peter Käpplinger kaepplinger at b1-systems.de
Tue Dec 10 13:58:21 PST 2024


Hey there,


I am sending an email because OpenConnect told me so haha.

I just want to run the corporate VPN via NetworkManager and the 
OpenConnect plugin, but I suppose because of this issue it doesn't work.

Using the gnutls-priority argument also only partly works, because I am 
unable to come up with a quick solution to do a split tunnel and then 
just lose my connection to the "regular" internet.


Reviewing the diff between both outputs, it seems that I updated my 
system somehow to use TLS1.3 but the server doesn't support it?
This issue has also already been reported here: 
https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/127



Here are the command outputs:

Running with 
`--gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"`:
```
╰─❯ sudo bash vpn.sh
WARNING: You specified --gnutls-priority. This should not be
          necessary; please report cases where a priority string
          override is necessary to connect to a server
          to <openconnect-devel at lists.infradead.org>.
POST https://vpn-xx.xx.xx/
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite 
(TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA256)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
POST https://vpn-xx.xx/
Please enter the TOTP code generated on your device
Response:
POST https://vpn-xx.xx/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 2, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite 
(DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Configured as 10.252.0.103, with SSL connected and DTLS connected
Session authentication will expire at Wed Dec 11 22:12:11 2024

Using vhost-net for tun acceleration, ring size 32
```

Running without it:
```
╰─❯ sudo bash vpn.sh
POST https://vpn-xx.xx.xx/
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite 
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
XML POST enabled
Please enter your username and password.
POST https://vpn-xx.xx/
Please enter the TOTP code generated on your device
Response:
POST https://vpn-xx.xx.xx/
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
```


```
╰─❯ openconnect --version
OpenConnect version v9.12
Using GnuTLS 3.8.6. Features present: PKCS#11, RSA software token, HOTP 
software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, 
array
Default vpnc-script (override with --script): 
/nix/store/lr3qc5xqbjph3nrcrik5b8gxrfq44mhn-vpnc-scripts-unstable-2023-01-03/bin/vpnc-script
```


If I can provide any more info, please feel free to instruct me on how to.


Best wishes,
Claus
-- 
Claus-Peter Käpplinger
Linux / Unix Consultant & Developer
Tel.: +49 160 7713661
E-Mail: kaepplinger at b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / https://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537
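
The two transcripts above differ in more than one place (negotiated TLS version, ciphersuite, CONNECT status, DTLS, cookie rejection), and it is easy to misread which difference is the cause when eyeballing wrapped log lines. The script below is an added example, not part of the email or of the OpenConnect project: it parses openconnect's connection output for exactly those facts and lists the fields that differ between two runs. The two sample transcripts are constructed from the redacted output quoted in the email, and the regular expressions only assume the line formats visible there ("Connected to HTTPS on ... with ciphersuite (TLS1.x)-...", "Got ... CONNECT response: HTTP/1.1 NNN ...").

```python
import re

# Constructed sample transcripts, trimmed from the two runs quoted in the email.
# The ciphersuite line is kept wrapped exactly as the mail client wrapped it,
# because that is what a pasted log usually looks like.
RUN_WITH_PRIORITY_OVERRIDE = """\
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite
(TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA256)-(AES-256-GCM)
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 2, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
"""

RUN_DEFAULT_PRIORITY = """\
Connected to xxx.xxx.xx.222:443
SSL negotiation with vpn-xx.xx.xx
Connected to HTTPS on vpn-xx.xx.xx with ciphersuite
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
"""

# The HTTPS suite starts with "(TLS1.x)"; the DTLS suite starts with "(DTLS1.x)"
# and is deliberately not matched here, since "(D" precedes "TLS" in that line.
HTTPS_SUITE_RE = re.compile(r"\((TLS\d\.\d)\)((?:-\([^)]+\))+)")
# Matches both "Got CONNECT response: HTTP/1.1 200 OK" and
# "Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized".
CONNECT_STATUS_RE = re.compile(r"CONNECT response: HTTP/\d\.\d (\d{3})")


def summarize_run(log_text: str) -> dict:
    """Extract the facts that matter when comparing two openconnect runs."""
    summary = {
        "tls_version": None,
        "ciphersuite": None,
        "connect_status": None,
        "dtls_established": "Established DTLS connection" in log_text,
        "cookie_rejected": "Cookie was rejected by server" in log_text,
    }
    suite = HTTPS_SUITE_RE.search(log_text)
    if suite:
        summary["tls_version"] = suite.group(1)
        summary["ciphersuite"] = suite.group(0)
    status = CONNECT_STATUS_RE.search(log_text)
    if status:
        summary["connect_status"] = int(status.group(1))
    return summary


def differing_fields(a: dict, b: dict) -> list:
    """Return the summary fields whose values differ between two runs, sorted."""
    return sorted(k for k in a if a[k] != b.get(k))


def diagnose(good: dict, bad: dict) -> str:
    """One-line reading of the comparison, built only from the parsed fields."""
    diffs = differing_fields(good, bad)
    if not diffs:
        return "no difference between runs"
    return (
        f"CONNECT returned {good['connect_status']} under {good['tls_version']} "
        f"but {bad['connect_status']} under {bad['tls_version']}; "
        f"fields that differ: {', '.join(diffs)}"
    )


if __name__ == "__main__":
    good = summarize_run(RUN_WITH_PRIORITY_OVERRIDE)
    bad = summarize_run(RUN_DEFAULT_PRIORITY)
    print(diagnose(good, bad))
```

Pasting two real runs into the two string constants is enough to use it; the point of the summary is that the 401 on the CONNECT request is the first thing that fails after the TLS1.3 handshake itself succeeds, which is what makes the priority-string workaround effective and the bug report worth filing against the server side.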
