SSL read error: Success when DTLS is on

Siyuan Ren netheril96 at gmail.com
Tue Mar 28 19:03:28 PDT 2017


Recently the openconnect client on my machine stopped working with DTLS
on. It constantly displays "SSL read error: Success.; reconnecting.",
which is rather confusing.

My machine is a MacBook Pro (Retina, 15-inch, Late 2013) with macOS
Sierra 10.12.4 (16E195). `openconnect` is installed by `homebrew` at
/usr/local with default options. Both bottle and build-from-source
have been tried. The server is run by ocserv 0.11.7 on Debian jessie.
Connecting without DTLS or with the Cisco AnyConnect iOS client works fine.
Connecting via IPv4 or IPv6 shows the same error on macOS, and the same
success with Cisco AnyConnect.

Following is the full log output when connecting to my server until I
interrupted it since it was constantly reconnecting.



POST https://[2604:180:2:3d0::cad4]/
Attempting to connect to server [2604:180:2:3d0::cad4]:443
Connected to [2604:180:2:3d0::cad4]:443
Using certificate file Codes/utilities/user.pem
Using client certificate '166F57A07AAF'
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found

Certificate from VPN server "[2604:180:2:3d0::cad4]" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert
sha256:b011eb008232ca19ca91aa021c9528622e2d3e31db5f476b9300a5f988fa1cec
Enter 'yes' to accept, 'no' to abort; anything else to view: Connected
to HTTPS on [2604:180:2:3d0::cad4]
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT;
path=/; Secure
Content-Type: text/xml
Content-Length: 326
X-Transcend-Version: 1
HTTP body length:  (326)
XML POST enabled
Please select your group.
Group: [126B1E4F]:126B1E4F
POST https://[2604:180:2:3d0::cad4]/auth
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=Hcchv70NnzKBxB9Z/qX8pQvuHp2gYFbOsqkbZmzEarA=; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:94F53E0A4DC32A7FEB1BCC1DA725C8559E974FC6;
path=/; Secure
HTTP body length:  (189)
XML POST enabled
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172811
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172821
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172821
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-App-ID :
275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
DTLS option X-DTLS-CipherSuite : PSK-NEGOTIATE
DTLS initialised. DPD 90, Keepalive 32400
Connected as 10.44.3.212, using SSL
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172817
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172827
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 7a530f599263464ffe2c2cb2fb53d781d0b364b2fafbfe91857fac54e04955de
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172772
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172782
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 7e7ff8759adb47c36528875128887651dcef4064dc4b76e15350a1e375422e9f
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172827
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172837
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 65b357083b9f83fb3e4417c48369be65190c624e218574bb6547750da7433453
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172786
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172796
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 1678fca823112807867d2ac11a23eb1549101c9da9b6af4e7e28fe4e16bf00c8
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172775
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172785
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 49adf5a1a4ee1aaf031e92bf951811256fe788e81ba63f58716731e6bc25f788
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.



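The log above is long because the same connect cycle repeats, and the two facts worth pulling out of it (the tunnel only ever reports "using SSL", never DTLS, and the server certificate fails verification on every reconnect) are easy to miss by eye. The following log analyser is an added example, not part of the original report or of openconnect itself: it splits an openconnect log into connect cycles on the "Got CONNECT response" / "reconnecting." markers, collects the X-CSTP/X-DTLS headers per cycle, and reports which transport each cycle reached, how often certificate verification failed, and how the DTLS App-ID changed. The embedded SAMPLE_LOG is a constructed, abbreviated two-cycle excerpt modelled on the posted log; the function names and the findings text are this example's own.

```python
import re
from collections import Counter

# Constructed, abbreviated excerpt modelled on the posted log (two connect
# cycles; header lists trimmed to the fields the analyser uses).
SAMPLE_LOG = """\
Connected to [2604:180:2:3d0::cad4]:443
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-DTLS-Port: 443
X-DTLS-App-ID: 275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
DTLS initialised. DPD 90, Keepalive 32400
Connected as 10.44.3.212, using SSL
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-DTLS-Port: 443
X-DTLS-App-ID: 7a530f599263464ffe2c2cb2fb53d781d0b364b2fafbfe91857fac54e04955de
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
"""

HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)-[A-Za-z-]+):\s*(.*)$")
RECONNECT_RE = re.compile(r"^SSL read error: (.*?);\s*reconnecting\.$")
CONNECTED_RE = re.compile(r"^Connected as (\S+), using (\w+)$")
CERT_FAIL_PREFIX = "Server certificate verify failed:"


def parse_cycles(log_text):
    """Split an openconnect log into connect cycles.

    A cycle starts at "Got CONNECT response" and ends at the next
    "... reconnecting." line (or at end of log).  A certificate
    verification failure logged during the TLS handshake that precedes
    the CONNECT is attributed to the cycle it leads into.
    """
    cycles = []
    cur = None
    pending_cert_fail = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(CERT_FAIL_PREFIX):
            pending_cert_fail = line[len(CERT_FAIL_PREFIX):].strip()
            continue
        if line.startswith("Got CONNECT response:"):
            cur = {"headers": {}, "transport": None, "addr": None,
                   "cert_failure": pending_cert_fail, "error": None}
            pending_cert_fail = None
            cycles.append(cur)
            continue
        if cur is None:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, value = m.groups()
            cur["headers"].setdefault(name, []).append(value)  # X-CSTP-DNS repeats
            continue
        m = CONNECTED_RE.match(line)
        if m:
            cur["addr"], cur["transport"] = m.groups()
            continue
        m = RECONNECT_RE.match(line)
        if m:
            cur["error"] = m.group(1)
            cur = None  # next cycle begins at the following CONNECT
    return cycles


def summarize(cycles):
    """Aggregate the per-cycle data into the facts a bug report needs."""
    errors = Counter(c["error"] for c in cycles if c["error"])
    app_ids = {c["headers"].get("X-DTLS-App-ID", [None])[0] for c in cycles}
    suites = {c["headers"].get("X-DTLS-CipherSuite", ["?"])[0] for c in cycles}
    return {
        "cycles": len(cycles),
        "reconnects": sum(errors.values()),
        "errors": errors,
        "cert_failures": sum(1 for c in cycles if c["cert_failure"]),
        "dtls_up": any(c["transport"] == "DTLS" for c in cycles),
        "distinct_app_ids": len(app_ids - {None}),
        "dtls_ciphersuites": sorted(suites),
    }


def diagnose(summary):
    """Turn the summary into findings; each one is derived only from the log."""
    findings = []
    if summary["cert_failures"]:
        findings.append(
            f"server certificate failed verification on {summary['cert_failures']} "
            f"of {summary['cycles']} connects: install the signing CA or pin the "
            "server with --servercert instead of accepting the prompt each time")
    if summary["reconnects"] and not summary["dtls_up"]:
        findings.append(
            f"{summary['reconnects']} reconnects and DTLS never came up: every "
            f"cycle stayed on TCP (SSL) and dropped with: {', '.join(summary['errors'])}")
    if summary["distinct_app_ids"] > 1:
        findings.append(
            f"{summary['distinct_app_ids']} distinct X-DTLS-App-ID values: each "
            "reconnect is a new DTLS session, not a resumption")
    return findings


if __name__ == "__main__":
    s = summarize(parse_cycles(SAMPLE_LOG))
    print({k: v for k, v in s.items() if k != "errors"})
    for f in diagnose(s):
        print("-", f)
```

Run it against a full log (`openconnect -v ... 2>&1 | tee oc.log`, then pass the file contents to `parse_cycles`) to get the cycle count, the error text and the transport reached per cycle without scrolling through repeated header dumps.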