Recently the openconnect client on my machine stopped working with DTLS on. It constantly displays "SSL read error: Success.; reconnecting.", which is rather confusing. My machine is a MacBook Pro (Retina, 15-inch, Late 2013) with macOS Sierra 10.12.4 (16E195). `openconnect` is installed by `homebrew` at /usr/local with default options. Both the bottle and a build from source have been tried. The server is running ocserv 0.11.7 on Debian jessie. Connecting without DTLS, or with the Cisco AnyConnect iOS client, works fine. Connecting via IPv4 or IPv6 shows the same error on macOS, and the same success with Cisco AnyConnect. Following is the full log output when connecting to my server, until I interrupted it since it was constantly reconnecting.

```
POST https://[2604:180:2:3d0::cad4]/
Attempting to connect to server [2604:180:2:3d0::cad4]:443
Connected to [2604:180:2:3d0::cad4]:443
Using certificate file Codes/utilities/user.pem
Using client certificate '166F57A07AAF'
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Certificate from VPN server "[2604:180:2:3d0::cad4]" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:b011eb008232ca19ca91aa021c9528622e2d3e31db5f476b9300a5f988fa1cec
Enter 'yes' to accept, 'no' to abort; anything else to view:
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Content-Type: text/xml
Content-Length: 326
X-Transcend-Version: 1
HTTP body length:  (326)
XML POST enabled
Please select your group.
Group: [126B1E4F]:126B1E4F
POST https://[2604:180:2:3d0::cad4]/auth
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=Hcchv70NnzKBxB9Z/qX8pQvuHp2gYFbOsqkbZmzEarA=; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:94F53E0A4DC32A7FEB1BCC1DA725C8559E974FC6; path=/; Secure
HTTP body length:  (189)
XML POST enabled
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172811
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172821
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172821
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-App-ID : 275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
DTLS option X-DTLS-CipherSuite : PSK-NEGOTIATE
DTLS initialised. DPD 90, Keepalive 32400
Connected as 10.44.3.212, using SSL
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172817
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172827
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 7a530f599263464ffe2c2cb2fb53d781d0b364b2fafbfe91857fac54e04955de
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172772
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172782
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 7e7ff8759adb47c36528875128887651dcef4064dc4b76e15350a1e375422e9f
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172827
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172837
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 65b357083b9f83fb3e4417c48369be65190c624e218574bb6547750da7433453
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172786
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172796
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 1678fca823112807867d2ac11a23eb1549101c9da9b6af4e7e28fe4e16bf00c8
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-DPD: 90
X-CSTP-Default-Domain: example.com
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172775
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172785
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-App-ID: 49adf5a1a4ee1aaf031e92bf951811256fe788e81ba63f58716731e6bc25f788
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-Base-MTU: 1406
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
```
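The log above is long and repetitive, so it helps to reduce it to what changes between attempts. The following script is an added example, not part of the original report or of openconnect: it walks a `-v` log, splits it at each `Got CONNECT response`, collects the `X-CSTP-*` and `X-DTLS-*` headers per attempt, and counts the `SSL read error` reconnects and the unverified-certificate warnings. The sample input is a constructed excerpt of the report's log, trimmed to the headers of interest; the field names in the summary dict are this example's own.

```python
"""Summarise an openconnect -v log: one record per CONNECT response."""
import re
from dataclasses import dataclass, field

RECONNECT_MSG = "SSL read error: Success.; reconnecting."
CERT_FAIL_PREFIX = "Server certificate verify failed"
HEADER_RE = re.compile(r"^(X-(CSTP|DTLS)-[\w-]+):\s*(.*)$")

# Constructed sample: two CONNECT responses copied from the report above,
# reduced to the headers this example looks at.
SAMPLE_LOG = """\
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Server-Name: ocserv 0.11.7
X-CSTP-Address: 10.44.3.212
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-CSTP-Tunnel-All-DNS: false
X-DTLS-Port: 443
X-DTLS-App-ID: 275fe196b335e06ddda1cfeb8eb0c9d3aa1af816a9bdae21ac09901110de4902
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-MTU: 1320
CSTP connected. DPD 90, Keepalive 32400
DTLS initialised. DPD 90, Keepalive 32400
Connected as 10.44.3.212, using SSL
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
SSL negotiation with [2604:180:2:3d0::cad4]
Server certificate verify failed: signer not found
Connected to HTTPS on [2604:180:2:3d0::cad4]
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Address: 10.44.3.212
X-CSTP-DNS: 8.8.8.8
X-CSTP-DNS: 8.8.4.4
X-DTLS-Port: 443
X-DTLS-App-ID: 7a530f599263464ffe2c2cb2fb53d781d0b364b2fafbfe91857fac54e04955de
X-DTLS-CipherSuite: PSK-NEGOTIATE
X-CSTP-MTU: 1320
No work to do; sleeping for 1000 ms...
SSL read error: Success.; reconnecting.
"""


@dataclass
class Attempt:
    # Header values are kept as lists because some headers repeat (X-CSTP-DNS).
    cstp: dict = field(default_factory=dict)
    dtls: dict = field(default_factory=dict)


def parse_log(text):
    """Split the log into attempts and count the reconnect/cert-warning lines."""
    attempts, current = [], None
    reconnects = cert_failures = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Got CONNECT response:"):
            current = Attempt()          # a new CSTP session starts here
            attempts.append(current)
        elif line == RECONNECT_MSG:
            reconnects += 1
        elif line.startswith(CERT_FAIL_PREFIX):
            cert_failures += 1
        m = HEADER_RE.match(line)
        if m and current is not None:
            key, kind, value = m.groups()
            bucket = current.cstp if kind == "CSTP" else current.dtls
            bucket.setdefault(key, []).append(value)
    return {"attempts": attempts, "reconnects": reconnects,
            "cert_failures": cert_failures}


def summarize(parsed):
    """Collapse the per-attempt records into the facts worth reporting."""
    attempts = parsed["attempts"]
    app_ids = [a.dtls.get("X-DTLS-App-ID", ["-"])[0] for a in attempts]
    return {
        "attempts": len(attempts),
        "reconnects": parsed["reconnects"],
        "cert_failures": parsed["cert_failures"],
        # A new App-ID per attempt means every reconnect is a fresh session.
        "unique_dtls_app_ids": len(set(app_ids)),
        "addresses": sorted({a.cstp.get("X-CSTP-Address", ["-"])[0] for a in attempts}),
        "dtls_ciphersuites": sorted({a.dtls.get("X-DTLS-CipherSuite", ["-"])[0] for a in attempts}),
        "dns_servers": sorted({d for a in attempts for d in a.cstp.get("X-CSTP-DNS", [])}),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run on the excerpt it reports two attempts, two reconnects, two unverified-certificate warnings, a different `X-DTLS-App-ID` on each attempt, the same assigned address 10.44.3.212 and `PSK-NEGOTIATE` as the DTLS suite every time. Feeding it the full log (`python3 summarize.py < openconnect.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives the same picture over all six attempts; the certificate count is also a reminder that the server is being accepted unverified at each reconnect, which is what the `--servercert` hint in the log addresses.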