openconnect is using SSL instead of TLSv1.2 Protocol

Uwe Schreiber uwe.h.schreiber at t-online.de
Thu Apr 9 01:01:16 PDT 2015


I was building with and without GnuTLS without any difference.
OpenSSL was on version 1.0.1f and GnuTLS was on version 3.0.21.

After updating my system to Ubuntu 14.10 openconnect is working as
expected.
Now GnuTLS is on version 3.2.16 and OpenSSL is still on version 1.0.1f.


On Wed, 2015-04-08 at 13:28 +0100, David Woodhouse wrote:
> On Sat, 2015-04-04 at 10:22 +0200, Uwe Schreiber wrote:
> > Hello,
> > 
> > I am using Ubuntu 14.04.2 with all the latest patches.
> > 
> > I installed openconnect v7.06-7-gf2e8cd0 from GIT.
> > I am trying to connect to a Juniper VPN, but I receive the message
> > 
> > SSL connection failure: A TLS packet with unexpected length was
> > received.
> > 
> > I did a trace using Wireshark and have seen my client is sending a
> > "Client Hello" using SSL as protocol.
> 
> Hm, that shouldn't happen. Were you building against GnuTLS or
> OpenSSL? What version?
> 
> I did a quick test here. With GnuTLS (3.3.14) I'm definitely seeing it
> use TLSv1.2. With OpenSSL (1.0.1k) it uses TLSv1.0.
> 
> If I change the TLSv1_client_method() to SSLv23_client_method() at
> around line 1401 of openssl.c, *then* it sends a ClientHello for
> TLSv1.2. But I think we'd want to explicitly prevent it from actually
> allowing anything older than TLSv1.0.
> 
> I remember there being odd firewall issues with later protocols, but I
> suspect that's all caused by the stupid F5 firewalls with packet size
> issues which should be handled now.
> 
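
Added example, not part of the original thread or of openconnect's code: a small checker for the capture side of this discussion, reading the framing and offered protocol version out of a ClientHello and testing it against the TLSv1.0 floor mentioned above. The function names and all sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
         0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
TLS1_0 = 0x0301  # floor taken from the thread: nothing older than TLSv1.0


def parse_client_hello(data: bytes):
    """Return (framing, record_version, offered_version) of a ClientHello."""
    # SSLv2-compatible hello: 2-byte length with high bit set, then msg type 1.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2", None, struct.unpack("!H", data[3:5])[0]
    # TLS record header: type(1)=0x16 handshake, version(2), length(2).
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not a complete TLS handshake record")
    # Handshake header: msg_type(1)=0x01, length(3), then client_version(2).
    if data[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    record, = struct.unpack("!H", data[1:3])
    offered, = struct.unpack("!H", data[9:11])
    return "TLS", record, offered


def check(data: bytes):
    """Return (framing, offered version name, meets_floor)."""
    framing, _record, offered = parse_client_hello(data)
    name = NAMES.get(offered, hex(offered))
    return framing, name, framing == "TLS" and offered >= TLS1_0


def tls_hello(record: int, offered: int) -> bytes:
    """Constructed minimal ClientHello: zero random, one suite, null compression."""
    body = struct.pack("!H", offered) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record, len(hs)) + hs


def sslv2_hello(offered: int) -> bytes:
    """Constructed SSLv2-framed hello: one cipher spec, 16-byte zero challenge."""
    msg = b"\x01" + struct.pack("!H", offered) + b"\x00\x03\x00\x00\x00\x10"
    msg += b"\x00\x00\x2f" + bytes(16)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


if __name__ == "__main__":
    for hello in (tls_hello(0x0301, 0x0301), tls_hello(0x0301, 0x0303),
                  tls_hello(0x0300, 0x0300), sslv2_hello(0x0301)):
        print(check(hello))
```

The record-layer version and the offered client_version are separate fields, so a trace can show an older version on the record header while the hello itself offers TLSv1.2.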




