openconnect is using SSL instead of TLSv1.2 Protocol

David Woodhouse dwmw2 at
Wed Apr 8 05:28:30 PDT 2015

On Sat, 2015-04-04 at 10:22 +0200, Uwe Schreiber wrote:
> Hello,
> i'am using Ubuntu 14.04.2 with all the latest patches.
> I installed openconnect v7.06-7-gf2e8cd0 from GIT.
> I am trying to connect to a Juniper VPN, but i receive the message
> SSL connection failure: A TLS packet with unexpected length was
> received.
> I did a trace using Wireshark and have seen my client is sending a
> "Client Hello" using SSL as protocol.

Hm, that shouldn't happen. Were you building against GnuTLS or
OpenSSL? What version?

I did a quick test here. With GnuTLS (3.3.14) I'm definitely seeing it
use TLSv1.2. With OpenSSL (1.0.1k) it uses TLSv1.0.

If I change the TLSv1_client_method() to SSLv23_client_method() at
around line 1401 of openssl,c, *then* it sends a ClientHello for
TLSv1.2. But I think we'd want to explicitly prevent it from actually
allowing anything older than TLSv1.0.

I remember there being odd firewall issues with later protocols, but I
suspect that's all caused by the stupid F5 firewalls with packet size
issues which should be handled now.

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list