Trying to build openconnect 8.20 on ubuntu 20

Daniel Lenski dlenski at gmail.com
Tue Mar 15 17:08:00 PDT 2022


On Tue, Mar 15, 2022 at 12:12 PM Daniel Lenski <dlenski at gmail.com> wrote:
> This patch suggests that the "OpenSSL security level" could be the
> culprit: if the "OpenSSL security level" is set to >=2, then vanilla
> OpenSSL 1.1.1f will allow old/bad/Cisco DTLS, but Debian/Ubuntu
> OpenSSL 1.1.1f will *not* allow it:

This thread confirms that the change was intentional in Ubuntu 20.04:
https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/5

> Contrary to the default in ubuntu 20.04 tls 1.0 and 1.1 are only allowed on security level <2 instead of <4. Also the default security level of 1 was raised to 2.

Furthermore, as of 1.1.1k, *Debian* picks up a similar patch:
https://sources.debian.org/patches/openssl/1.1.1k-1+deb11u1/

So both TLS <1.2 and DTLS <1.2 are disabled by default, and the
OpenSSL security level is set to 2 by default, in Ubuntu 20.04+ and
Debian sid. We'll have to warn users about this… yay. 🤦🏻‍♂️

Dan
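An added example, not from this thread or from the OpenConnect project, of what the distribution change described above looks like on disk and how to relax it for one process rather than system-wide. The section layout mirrors the shipped /etc/ssl/openssl.cnf on Ubuntu 20.04 (and Debian bullseye), whose [system_default_sect] carries MinProtocol = TLSv1.2 and CipherString = DEFAULT:@SECLEVEL=2. The override file path is an assumption, and the example assumes the gateway really does offer nothing newer than the old Cisco DTLS.

```ini
# Illustrative per-process override, e.g. ~/.config/openconnect-openssl.cnf
# (path is an assumption; this is an OpenSSL config file, not an OpenConnect one).
# The section chain below is the same one the shipped Ubuntu 20.04 / Debian 11
# /etc/ssl/openssl.cnf uses, so libssl's default config loader picks it up
# unchanged when OPENSSL_CONF points at this file.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Shipped distro values are:
#   MinProtocol = TLSv1.2
#   CipherString = DEFAULT:@SECLEVEL=2
# Both have to move. With the distro patch, security level 2 on its own
# refuses (D)TLS 1.0/1.1, so lowering MinProtocol alone changes nothing;
# and the TLSv1.2 floor would still stand if only SECLEVEL were lowered.
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
```

Run the client as `OPENSSL_CONF=~/.config/openconnect-openssl.cnf openconnect ...` so the system-wide defaults stay in force for every other libssl user; if you go through sudo, check that env_reset does not strip the variable before it reaches the process. Level 1 also re-admits 1024-bit RSA/DH and other sub-112-bit parameters for that one process, which is the price of talking to a gateway that never moved to DTLS 1.2; the durable fix is on the gateway side. Note that upstream OpenSSL 3.0 itself disables (D)TLS 1.0/1.1 at level 1, so on releases built against 3.x the same override would need @SECLEVEL=0.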
