Diagnosing error "SSL read error: The TLS connection was non-properly terminated"

John Hendy jw.hendy at gmail.com
Thu Apr 17 17:23:37 PDT 2014


On Thu, Apr 17, 2014 at 6:18 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 2:29 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> I finally got openconnect to work with my company's Cisco VPN system
>> via some various help from the web and a co-worker on setting up a
>> csd-wrapper. However, I'm getting constant disconnection/reconnection
>> behaviors. Here's the output from my recent session:
>> - http://pastebin.com/wyHTzjwR
>>
>> That error is generated every few seconds. One internal site seems to
>> go on operating reasonably fine (though very slow), while my company
>> mail client (browser-based) won't send any emails and requests
>> frequent re-authentication.
>>
>> Here's the ~/.cisco/csd-wrapper.sh script used:
>
> I would not expect the CSD wrapper to interfere with a connection that
> has already been established.  It should be a one-shot deal,
> pre-logon.
>
> Can you confirm that cstub isn't running in the background while the
> connection is up?

I'm vpn'd in right now, and did `ps ax | grep -i cstub` with no hits.
Just in case, though, I did `ps as | grep -i cs` and get a hit for
cscan:

8731 pts/0    S+     0:00 sudo openconnect --csd-wrapper
/home/jwhendy/.cisco/csd-wrapper.sh --csd-user jwhendy gra.3m.com
8732 pts/0    S+     0:00 openconnect --csd-wrapper
/home/jwhendy/.cisco/csd-wrapper.sh --csd-user jwhendy gra.3m.com
8733 pts/0    Z+     0:00 [csd-wrapper.sh] <defunct>
8757 pts/0    S+     0:00 /home/jwhendy/.cisco/hostscan/bin/cscan

It looks like what you thought: csd-wrapper gets run and then stops
(when I quit openconnect, that defunct entry goes away). I also
noticed that when re-checking after being vpn'd for ~10min (with
openconnect still going), the cscan entry wasn't there anymore,
either. I quit and restarted openconnect and it looks like it ran for
~1min.

>> Is this the case of a simple openconnect argument I'm not using/need
>> to specify or something else? Consider me completely ignorant with
>> respect to network/tunneling/etc., but I'm happy to collect any other
>> information suggested and post back. This is what seemed obvious to
>> start with, and I couldn't find any hits for the exact error I'm
>> getting. In fact, searching google for the exact phrase "SSL read
>> error: The TLS connection was non-properly terminated" only gets me
>> the pastebin I just posted.
>>
>> Is this an error message specific to my company, or should these
>> messages be standard across all of them?
>
> The error corresponds to GNUTLS_E_PREMATURE_TERMINATION
>
> I think this means that we were expecting to read a TLS record, but
> the connection was unexpectedly closed.  You could check this with
> tcpdump/wireshark and see if there is a TCP RST originating from the
> other side.
>

I've got tcpdump running with `tcpdump -i wlan0`, but (of course), I
can't get the issue to replicate now. I was at a coffee shop earlier
and am now at home, but it's happened at home as well, so perhaps I
just need to wait and then post back. Not having done this before,
would I just copy the output of tcpdump here near the time the SSL
errors are occurring? Is there any sensitive information from that I
need to redact? Current output looks like this (sorry for
over-censoring...):

19:09:01.574979 IP xxx.com.https > bigBang.60453: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 1429
19:09:01.575013 IP xxx.com.https > bigBang.60453: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 229
19:09:01.575028 IP bigBang.60453 > xxx.com.https: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.594260 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.594293 IP bigBang.60453 > xxx.com.https: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 170
19:09:01.620287 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.691203 IP xxx.com.https > bigBang.60453: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 101
19:09:01.730066 IP bigBang.60453 > xxx.com.https: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:02.099072 IP bigBang.60453 > xxx.com.https: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 309
19:09:02.128060 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0

I'll pass along this info for now, and will just let openconnect run
until if and when it starts reconnecting, posting back with tcpdump
output. I also plan to remove my current version and install the git
version from Arch's AUR:
- https://aur.archlinux.org/packages/openconnect-git/

I'll try and reproduce the issue with that version and also report
back on the results.

> What versions of openconnect and GnuTLS are you running?  Have you
> tried upgrading?

Garsh. I'm realizing that what I thought was a decent first email
lacked some critical information... sorry!

Arch Linux, x86_64

$ uname -a
Linux bigBang 3.14.1-1-ARCH #1 SMP PREEMPT Mon Apr 14 20:40:47 CEST
2014 x86_64 GNU/Linux

$ sudo pacman -Qi openconnect     # Arch's versioning... which appears
different than the below
Name           : openconnect
Version        : 1:5.03-1
Description    : Open client for Cisco AnyConnect VPN
Architecture   : x86_64
URL            : http://www.infradead.org/openconnect.html
Licenses       : GPL
Groups         : None
Provides       : None
Depends On     : libxml2  gnutls  libproxy  vpnc
Optional Deps  : None
Required By    : None
Optional For   : None
Conflicts With : None
Replaces       : None
Installed Size : 1157.00 KiB
Packager       : Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
Build Date     : Wed 26 Feb 2014 12:34:44 AM CST
Install Date   : Wed 26 Mar 2014 08:13:19 PM CDT
Install Reason : Explicitly installed
Install Script : No
Validated By   : Signature

$ openconnect --version
OpenConnect version v5.03
Using GnuTLS. Features present: PKCS#11, DTLS

$ sudo pacman -Q | grep gnutls
gnutls 3.3.0-1


Many thanks for the quick reply,
John


P.S. Probably not the place to do this, but since the page welcomes
updates... the list of available packages page could be updated to
list Arch Linux.
- http://www.infradead.org/openconnect/packages.html

Something like (to steal from Fedora's entry):

Arch Linux
- Both openconnect and network-manager-openconnect packages are
included in the Arch Linux extra repository. Install with `# pacman -S
openconnect` or `# pacman -S network-manager-openconnect`. (Whether or
not they are truly up to date would be openconnect's call; the current
version is 5.03, but I see 5.99 is out. Then again, the package is
flagged out of date, so it should be updated soon:
https://www.archlinux.org/packages/?name=openconnect.)
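Kevin's suggestion above is to look in the tcpdump capture for a TCP RST (or FIN) sent by the VPN gateway side, which would explain GNUTLS_E_PREMATURE_TERMINATION as the server closing the TCP connection under the TLS session. The script below is an added example, not code from this thread or from the openconnect project: it re-joins tcpdump records that a mail client wrapped across lines (as in the paste above), parses the `Flags [...]` field, and reports the records in which the remote side, anything other than the local host name passed in, sent R or F. The host name `bigBang`, the function names and the sample capture (with a constructed `[R.]` record appended to the censored lines from the message) are all assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Matches the start of one tcpdump TCP summary record:
#   HH:MM:SS.frac IP <src>.<port> > <dst>.<port>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")


def join_wrapped(text: str) -> List[str]:
    """Re-join records that a mail client wrapped over several lines.

    tcpdump prints one record per line; a pasted line that does not begin
    with a timestamp is the continuation of the previous record."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_record(record: str) -> Optional[Dict[str, str]]:
    """Return ts/src/dst/flags for one record, or None if it is not TCP."""
    m = LINE_RE.match(record)
    return m.groupdict() if m else None


def host_of(endpoint: str) -> str:
    # tcpdump prints host.port (or host.servicename); the port is the last part
    return endpoint.rsplit(".", 1)[0]


def find_peer_teardowns(text: str, local_host: str) -> List[Dict[str, str]]:
    """Return records in which the remote side (any host other than
    local_host) sent a segment carrying RST or FIN, i.e. tore down the TCP
    connection that the TLS session was running over."""
    hits: List[Dict[str, str]] = []
    for record in join_wrapped(text):
        rec = parse_record(record)
        if rec is None or host_of(rec["src"]) == local_host:
            continue  # not TCP, or sent by us rather than by the gateway
        if set(rec["flags"]) & {"R", "F"}:
            hits.append({"ts": rec["ts"], "src": rec["src"], "flags": rec["flags"]})
    return hits


# Constructed sample: the censored records from the message plus one
# made-up [R.] from the gateway and one [F.] from the local host.
SAMPLE_CAPTURE = """\
19:09:01.574979 IP xxx.com.https > bigBang.60453: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 1429
19:09:01.575028 IP bigBang.60453 > xxx.com.https: Flags [.], ack xxx,
win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:02.099072 IP bigBang.60453 > xxx.com.https: Flags [P.], seq
xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx],
length 309
19:09:02.128060 IP xxx.com.https > bigBang.60453: Flags [R.], seq xxx,
ack xxx, win 0, length 0
19:09:02.128101 IP bigBang.60453 > xxx.com.https: Flags [F.], seq xxx,
ack xxx, win xxx, length 0
"""

if __name__ == "__main__":
    for hit in find_peer_teardowns(SAMPLE_CAPTURE, "bigBang"):
        print(f"{hit['ts']} {hit['src']} sent flags [{hit['flags']}]")
```

Only the gateway's `[R.]` is reported; the local `[F.]` is skipped because its source is the local host. Run the same function over the real capture taken while the "SSL read error" messages appear: a hit timestamped just before each error supports the server-closed-connection explanation, while no hit at all points elsewhere (for example at a middlebox dropping the session without signalling).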
