OpenConnect v9.12-125-g0e357726: launch fails with "SSL connection failure: The encryption algorithm is not supported."

Wolfgang 'datenwolf' Draxinger list at datenwolf.net
Wed Jul 3 03:22:55 PDT 2024 

Hi,

the version installed on my system:

> #loki: ~root/ #> openconnect -V
OpenConnect version v9.12-125-g0e357726
Using GnuTLS 3.8.5. Features present: TPM, PKCS#11, RSA software
token, HOTP software token, TOTP software token, Yubikey OATH,
System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5,
fortinet, array
Default vpnc-script (override with --script):
/etc/sv/openconnect/vpnc-script

I have a configuration that used to work just fine. However, it
seems that there was some update/change on the endpoint, which is
not yet supported by OpenConnect:

> #loki: /etc/sv/openconnect_UzL #> bat run
> ───────┬──────────────────────────────────────────────────────────
>        │ File: run
> ───────┼──────────────────────────────────────────────────────────
>    1   │ #!/bin/sh
>    2   │ [ -r conf ] && . ./conf
>    3   │ exec openconnect \
>    4   │     --protocol=pulse -i tunUzL \
>    5   │     -s /etc/sv/openconnect_UzL/script \
>    6   │     -u $USER --passwd-on-stdin $SERVER \
>    7   │     -v -v -v < pass 2>&1
> ───────┴──────────────────────────────────────────────────────────
> 
> #loki /etc/sv/openconnect_UzL #> bat conf
> ───────┬──────────────────────────────────────────────────────────
>        │ File: conf
> ───────┼──────────────────────────────────────────────────────────
>    1   │ SERVER=sslgate.uni-luebeck.de 
>    2   │ USER=...
> ───────┴──────────────────────────────────────────────────────────
> 
> # loki /etc/sv/openconnect_UzL #> ./run
> Attempting to connect to server 141.83.44.44:443
> Connected to 141.83.44.44:443
> SSL negotiation with sslgate.uni-luebeck.de
> SSL connection failure: The encryption algorithm is not supported.
> Failed to complete authentication

The failure happens before authentication is attempted, and can be
replicated with a bogus username just as well. I'm not suggesting to
"spam" the server I had configured for testing, but I guess whoever
who's looking into this could run a small number of tests against
it.

Opening a connection using openssl-s_client completes the TLS
negotiation:

> # loki ~dw/ %> openssl s_client sslgate.uni-luebeck.de:443
> Connecting to 141.83.44.44
> depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
> Network, CN=USERTrust RSA Certification Authority
> verify return:1
> depth=1 C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4
> verify return:1
> depth=0 C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck,
> CN=sslgate.uni-luebeck.de
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck,
> CN=sslgate.uni-luebeck.de
>    i:C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4
>    a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
>    v:NotBefore: Oct  6 00:00:00 2023 GMT; NotAfter: Oct  5
> 23:59:59 2024 GMT
>  1 s:C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4
>    i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network,
> CN=USERTrust RSA Certification Authority
>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
>    v:NotBefore: Feb 18 00:00:00 2020 GMT; NotAfter: May  1
> 23:59:59 2033 GMT
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck,
> CN=sslgate.uni-luebeck.de
> issuer=C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3961 bytes and written 776 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is AES256-GCM-SHA384
> Server public key is 3072 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
>     Session-ID: ...
>     Session-ID-ctx: 
>     Master-Key: ...
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1720001913
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
> DONE


I hope that this has an easy fix.

Cheers,
Wolfgang

More information about the openconnect-devel mailing list