Hi, the version installed on my system:
> #loki: ~root/ #> openconnect -V OpenConnect version v9.12-125-g0e357726 Using GnuTLS 3.8.5. Features present: TPM, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array Default vpnc-script (override with --script): /etc/sv/openconnect/vpnc-script I have a configuration that used to work just fine. However, it seems that there was some update/change on the endpoint, which is not yet supported by OpenConnect: > #loki: /etc/sv/openconnect_UzL #> bat run > ───────┬────────────────────────────────────────────────────────── > │ File: run > ───────┼────────────────────────────────────────────────────────── > 1 │ #!/bin/sh > 2 │ [ -r conf ] && . ./conf > 3 │ exec openconnect \ > 4 │ --protocol=pulse -i tunUzL \ > 5 │ -s /etc/sv/openconnect_UzL/script \ > 6 │ -u $USER --passwd-on-stdin $SERVER \ > 7 │ -v -v -v < pass 2>&1 > ───────┴────────────────────────────────────────────────────────── > > #loki /etc/sv/openconnect_UzL #> bat conf > ───────┬────────────────────────────────────────────────────────── > │ File: conf > ───────┼────────────────────────────────────────────────────────── > 1 │ SERVER=sslgate.uni-luebeck.de > 2 │ USER=... > ───────┴────────────────────────────────────────────────────────── > > # loki /etc/sv/openconnect_UzL #> ./run > Attempting to connect to server 141.83.44.44:443 > Connected to 141.83.44.44:443 > SSL negotiation with sslgate.uni-luebeck.de > SSL connection failure: The encryption algorithm is not supported. > Failed to complete authentication The failure happens before authentication is attempted, and can be replicated with a bogus username just as well. I'm not suggesting to "spam" the server I had configured for testing, but I guess whoever who's looking into this could run a small number of tests against it. Opening a connection using openssl-s_client completes the TLS negotiation: > # loki ~dw/ %> openssl s_client sslgate.uni-luebeck.de:443 > Connecting to 141.83.44.44 > depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST > Network, CN=USERTrust RSA Certification Authority > verify return:1 > depth=1 C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4 > verify return:1 > depth=0 C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck, > CN=sslgate.uni-luebeck.de > verify return:1 > CONNECTED(00000003) > --- > Certificate chain > 0 s:C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck, > CN=sslgate.uni-luebeck.de > i:C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4 > a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384 > v:NotBefore: Oct 6 00:00:00 2023 GMT; NotAfter: Oct 5 > 23:59:59 2024 GMT > 1 s:C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4 > i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, > CN=USERTrust RSA Certification Authority > a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 > v:NotBefore: Feb 18 00:00:00 2020 GMT; NotAfter: May 1 > 23:59:59 2033 GMT > --- > Server certificate > -----BEGIN CERTIFICATE----- > ... > -----END CERTIFICATE----- > subject=C=DE, ST=Schleswig-Holstein, O=Universität zu Lübeck, > CN=sslgate.uni-luebeck.de > issuer=C=NL, O=GEANT Vereniging, CN=GEANT OV RSA CA 4 > --- > No client certificate CA names sent > --- > SSL handshake has read 3961 bytes and written 776 bytes > Verification: OK > --- > New, TLSv1.2, Cipher is AES256-GCM-SHA384 > Server public key is 3072 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : AES256-GCM-SHA384 > Session-ID: ... > Session-ID-ctx: > Master-Key: ... > PSK identity: None > PSK identity hint: None > SRP username: None > Start Time: 1720001913 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > --- > DONE I hope that this has an easy fix. Cheers, Wolfgang _______________________________________________ openconnect-devel mailing list [email protected] http://lists.infradead.org/mailman/listinfo/openconnect-devel
