ocserv 0.9.0.1 not doing TLS handshake

alemonmk at gmail.com (Lemon Lam) · Tue, 27 Jan 2015 01:21:43 +0800

Hi,

I installed ocserv 0.9.0.1 complied from offical source on a Debian 8.0
box. No connection can be made, as the server do not
respond to client hello message.

ocserv log:
> # ocserv -f -d 9999
> listening (TCP) on [2400:8900::f03c:91ff:fe70:9cad]:8443...
> listening (TCP) on 106.187.99.160:8443...
> listening (UNIX) on /var/run/ocserv-conn.socket...
> listening (UDP) on [2400:8900::f03c:91ff:fe70:9cad]:8443...
> listening (UDP) on 106.187.99.160:8443...
> ocserv[1331]: main: initializing control unix socket: /var/run/occtl.socket
> ocserv[1331]: main: initialized ocserv 0.9.0
> ocserv[1332]: sec-mod: sec-mod initialized (socket:
> /var/run/ocserv-socket.1331)
> ocserv[1331]: TLS[<3>]: ASSERT: common.c:1041
> ocserv[1332]: sec-mod: received request from pid 1331 and uid 0
> ocserv[1332]: sec-mod: cmd [size=55] sm: sign
> ocserv[1333]: worker: 60.246.138.215:48257 accepted connection
> ocserv[1333]: TLS[<5>]: REC[0x83b7aa0]: Allocating epoch #0
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_constate.c:586
> ocserv[1333]: TLS[<5>]: REC[0x83b7aa0]: Allocating epoch #1
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:1139
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:224
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:333
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:574
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_record.c:1058
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_record.c:1179
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:1392
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_handshake.c:1428
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_handshake.c:3092
> ocserv[1333]: GnuTLS error (at worker-vpn.c:349): Error in the push
> function.
> ocserv[1331]: main: 60.246.138.215:48257 main-misc.c:501: command socket
> closed
> ocserv[1331]: main: 60.246.138.215:48257 removing client '' with id '1333'!

Using openssl s_client on the same box yield the following:
> $ openssl s_client -connect kotone.priscatella.net:8443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

And gnutls-cli probe fails like this:
> # /usr/bin/gnutls-cli kotone.priscatella.net -p 8443
> Processed 147 CA certificate(s).
> Resolving 'kotone.priscatella.net'...
> Connecting to '2400:8900::f03c:91ff:fe70:9cad:8443'...
> *** Fatal error: Error in the pull function.
> *** Handshake has failed
> GnuTLS error: Error in the pull function.

OpenConnect for Android v1.02 shows:
> LIB: POST https://kotone.priscatella.net:8443/
> LIB: Attempting to connect to server 106.187.99.160:8443
> LIB: SSL negotiation with kotone.priscatella.net
> LIB: SSL connection failure: The TLS conection was non-properly terminated.
> LIB: Failed to open HTTPS connection to kotone.priscatella.net
> Error obtaining cookie
> VPN terminated with errors

Cisco AnyConnect ICS+ 4.0.01196 fails too.

ocserv.conf(only listed what I've modified):
> auth="plain[/etc/ocserv/ocpasswd]"
> max-clients = 16
> max-same-client = 4
> tcp-port = 8443
> udp-port = 8443
> try-mtu-discovery = true
> server-cert = /etc/ssl/ocserv/cert/certchain.pem
> server-key = /etc/ssl/ocserv/key/server.pem
> default-domain = priscatella.net
> dns = 8.8.8.8
> dns = 8.8.4.4
> cisco-client-compat = true

Since I believed this is a problem inside GnuTLS, I tried run it on
GnuTLS 3.3.8 from Debian repo and self-compiled 3.3.12, still no luck.
On a side note, gnutls-cli-debug failed to recognise my apache-powered
https sites while gnutls-cli is able to.

Any help is appreciated.

regards,
Lam