Hi,

On 04/08/2016 11:21 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2016-04-08 at 10:48 -0700, Chad Bishop wrote:
>> Hello,
>>
>> We recently updated our vpn server to "use a more secure version of
>> TLS"...at least that's what I'm told. In doing so, I'm now unable to
>> make a connection using openconnect on Fedora 20.
>>
>> The command I'm using is:
>>
>> sudo openconnect [IP] --no-cert-check
>>
>> The only output I get is:
>>
>> POST [IP]
>> Attempting to connec to server [IP]
>> SSL negotiation with [IP]
>> SSL connection failure: Error in the pull function.
>> Failed to open HTTPS connection to [IP]
>> Failed to obtain WebVPN cookie

Same problem here when using GnuTLS 3.5.13, but there is no problem with GnuTLS 3.3.26.

>
> The server is closing the connection for some reason. Have you tried
> connecting to it using openssl s_client and gnutls-cli? What is the
> output? Can you share its IP?

The difference in the output of gnutls-cli-debug [IP] is:

$ diff -U0 gnutls-3.*
--- gnutls-3.3.26-cli-debug.out
+++ gnutls-3.5.13-cli-debug.out
@@ -1 +1 @@
-GnuTLS debug client 3.3.26
+GnuTLS debug client 3.5.13
@@ -11,0 +12,2 @@
+ fallback from TLS 1.6 to... TLS1.2
+ for inappropriate fallback (RFC7507) support... yes
@@ -14,0 +17,2 @@
+ for encrypt-then-MAC (RFC7366) support... no
+ for ext master secret (RFC7627) support... no
@@ -19 +23 @@
- whether small records (512 bytes) are accepted... yes
+whether small records (512 bytes) are tolerated on handshake... yes
@@ -26,0 +31,4 @@
+ for curve SECP256r1 (RFC4492)... no
+ for curve SECP384r1 (RFC4492)... no
+ for curve SECP521r1 (RFC4492)... no
+ for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
@@ -27,0 +36,2 @@
+ for AES-128-CCM cipher (RFC6655) support... no
+ for AES-128-CCM-8 cipher (RFC6655) support... no
@@ -32,0 +43 @@
+ for CHACHA20-POLY1305 cipher (RFC7905) support... no

Anything else I should compare to identify the problem?

Thanks!
/haubi/