On Sat, 2015-04-04 at 10:22 +0200, Uwe Schreiber wrote:
> Hello,
>
> I am using Ubuntu 14.04.2 with all the latest patches.
>
> I installed openconnect v7.06-7-gf2e8cd0 from GIT.
> I am trying to connect to a Juniper VPN, but I receive the message
>
> SSL connection failure: A TLS packet with unexpected length was
> received.
>
> I did a trace using Wireshark and have seen my client is sending a
> "Client Hello" using SSL as protocol.

Hm, that shouldn't happen. Were you building against GnuTLS or OpenSSL?
What version?

I did a quick test here. With GnuTLS (3.3.14) I'm definitely seeing it
use TLSv1.2. With OpenSSL (1.0.1k) it uses TLSv1.0.

If I change the TLSv1_client_method() to SSLv23_client_method() at
around line 1401 of openssl.c, *then* it sends a ClientHello for
TLSv1.2. But I think we'd want to explicitly prevent it from actually
allowing anything older than TLSv1.0.

I remember there being odd firewall issues with later protocols, but I
suspect that's all caused by the stupid F5 firewalls with packet size
issues which should be handled now.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
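
An added example, not part of the original message or of openconnect's code: a dependency-free C check of which protocol version a captured ClientHello offers, which is the observation behind both the Wireshark trace and the GnuTLS/OpenSSL comparison above. The byte arrays are constructed samples cut off after the version fields, and all struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct hello_info {
    int valid;               /* 1 if the bytes parsed as a ClientHello */
    int sslv2_framing;       /* 1 if sent in the SSLv2-compatible record format */
    uint16_t record_version; /* TLS record-layer version (0 with SSLv2 framing) */
    uint16_t hello_version;  /* highest version the client offers */
};

/* Constructed samples, cut off after the version fields (not captured traffic). */
static const uint8_t hello_tls10[] = {0x16,0x03,0x01,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x01};
static const uint8_t hello_tls12[] = {0x16,0x03,0x01,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x03};
static const uint8_t hello_v2[]    = {0x80,0x2e,0x01,0x03,0x01};

static struct hello_info parse_client_hello(const uint8_t *p, size_t len)
{
    struct hello_info h = {0, 0, 0, 0};

    if (len >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        /* SSLv2 framing: 2-byte length with high bit set, msg type 1, version */
        h.valid = h.sslv2_framing = 1;
        h.hello_version = (uint16_t)((p[3] << 8) | p[4]);
    } else if (len >= 11 && p[0] == 0x16 && p[5] == 0x01) {
        /* TLS framing: record type 22 (handshake), handshake type 1 (ClientHello) */
        h.valid = 1;
        h.record_version = (uint16_t)((p[1] << 8) | p[2]);
        h.hello_version = (uint16_t)((p[9] << 8) | p[10]);
    }
    return h;
}

/* The ClientHello shows only the highest version offered; the floor (nothing
 * older than TLSv1.0) is client configuration and is not visible on the wire. */
static const char *version_name(uint16_t v)
{
    return v == 0x0300 ? "SSLv3"   : v == 0x0301 ? "TLSv1.0" :
           v == 0x0302 ? "TLSv1.1" : v == 0x0303 ? "TLSv1.2" : "unknown";
}

int main(void)
{
    const struct { const uint8_t *p; size_t n; } s[] = {
        {hello_tls10, sizeof hello_tls10}, {hello_tls12, sizeof hello_tls12},
        {hello_v2, sizeof hello_v2}};
    for (size_t i = 0; i < 3; i++) {
        struct hello_info h = parse_client_hello(s[i].p, s[i].n);
        printf("framing=%s offered=%s\n", h.sslv2_framing ? "SSLv2" : "TLS",
               version_name(h.hello_version));
    }
    return 0;
}
```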