openconnect is using SSL instead of TLSv1.2 Protocol

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2015-04-04 at 10:22 +0200, Uwe Schreiber wrote:
> Hello,
> 
> i'am using Ubuntu 14.04.2 with all the latest patches.
> 
> I installed openconnect v7.06-7-gf2e8cd0 from GIT.
> I am trying to connect to a Juniper VPN, but i receive the message
> 
> SSL connection failure: A TLS packet with unexpected length was
> received.
> 
> I did a trace using Wireshark and have seen my client is sending a
> "Client Hello" using SSL as protocol.

Hm, that shouldn't happen. Were you building against GnuTLS or
OpenSSL? What version?

I did a quick test here. With GnuTLS (3.3.14) I'm definitely seeing it
use TLSv1.2. With OpenSSL (1.0.1k) it uses TLSv1.0.

If I change the TLSv1_client_method() to SSLv23_client_method() at
around line 1401 of openssl,c, *then* it sends a ClientHello for
TLSv1.2. But I think we'd want to explicitly prevent it from actually
allowing anything older than TLSv1.0.

I remember there being odd firewall issues with later protocols, but I
suspect that's all caused by the stupid F5 firewalls with packet size
issues which should be handled now.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20150408/d8eba68b/attachment.bin>


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux