TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers that blacklist TLS 1.0. Where should this get fixed?

---

I'm running a rather vintage Ubuntu 14.04 which ships a rather unmodified openconnect 5.02 package. It uses the following as a priority string for the TLS session:

    "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
    "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"

This _appears_ to be forcing things down to TLS 1.0 and not using TLS 1.1/1.2 despite libgnutls26 supporting the later TLS protocols. I confirmed the attempt to use TLS 1.0 in a packet capture. gnutls-cli, using the same gnutls library, was confirmed in a packet capture to be using TLS 1.2.

Intel has stopped supporting TLS 1.0 on its VPN endpoints, leaving me unable to connect. The failure message that comes back out of the console from openconnect is something along these lines:

> SSL connection failure: A TLS packet with unexpected length was received.

The packet capture shows a TCP RST packet coming back from the server to trigger these messages.

So, yes, this is a vintage distribution, but it's _supposed_ to be supported, and it _can_ connect to these VPN servers if the "-VERS-TLS-ALL" is removed from the openconnect priority string. Further, this code still seems to be around in openconnect, at least when compiled against old versions of gnutls:

https://github.com/openconnect/openconnect/blob/master/gnutls.c#L2202

Is this something Ubuntu can fix in their openconnect? Or is it something we should also be fixing in the upstream openconnect?
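
Added example, not part of the original post and not openconnect code: one way to repeat the packet-capture check described above by reading the highest protocol version a client offers in its ClientHello. It assumes the whole TLS record is available as one byte string (for example the TCP payload exported from a capture); the function names and the sample records are constructed for this illustration.

```python
import struct

# Wire values for the protocol versions a ClientHello can offer.
KNOWN = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest known version offered by one raw TLS ClientHello record."""
    try:
        ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
        if ctype != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        body = record[5:5 + rec_len]
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        offered = [struct.unpack("!H", hello[:2])[0]]         # client_version
        pos = 2 + 32                                          # skip random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression
        if pos + 2 <= len(hello):                             # extensions optional
            end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                if etype == 43:                               # supported_versions
                    vers = hello[pos + 1:pos + 1 + hello[pos]]
                    offered += [v for (v,) in struct.iter_unpack("!H", vers)]
                pos += elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    # Ignore GREASE and other unknown values so they cannot win the max().
    return max((v for v in offered if v in KNOWN), default=0)

def sample_hello(version: int, supported=()) -> bytes:
    """Constructed ClientHello record for the demo (not captured traffic)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    for rec in (sample_hello(0x0301), sample_hello(0x0303)):
        print(KNOWN.get(max_offered_version(rec), "unknown"))
```

A client restricted to TLS 1.0, as the priority string above appears to do, reports 0x0301 here; a server that has dropped TLS 1.0 has no version in common with it.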