I've read through the bug report linked above and have tried building OpenConnect with +SHA256 added, with no luck. I may be missing something else that was done to get it working. I do know that if I build against gnutls 3.5.18 it does work, so it does look like the priority string change going to 3.5.19 is likely the problem, as discovered in that bug report, and I'm doing something wrong building it, I guess.

$ git status
HEAD detached at 5a3f242e
$ ./openconnect --version
OpenConnect version v8.02-9-g5a3f242e
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp
$ grep default_prio gnutls.c
const char *default_prio;
default_prio = DEFAULT_PRIO ":%COMPAT";
default_prio = "NORMAL:-VERS-SSL3.0:+SHA256:%COMPAT";
default_prio, vpninfo->pfs?":-RSA":"", vpninfo->no_tls13?":-VERS-TLS1.3":"");
$ strings /usr/lib/x86_64-linux-gnu/libopenconnect.so.5.5.0 | grep ^NORMAL
NORMAL:-VERS-SSL3.0:%COMPAT
$ strings .libs/libopenconnect.so.5.5.0 | grep ^NORMAL
NORMAL:-VERS-SSL3.0:+SHA256:%COMPAT
$ ./openconnect vpn-host.tld
POST https://vpn-host.tld/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to vpn-host.tld
Failed to obtain WebVPN cookie

Build the same openconnect against gnutls 3.5.18 and it works:

$ export PKG_CONFIG_PATH=/opt/gnutls-3.5.18/lib/pkgconfig/
$ ./configure
$ make
$ ./openconnect vpn-host.tld
POST https://vpn-host.tld/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
Connected to HTTPS on vpn-host.tld

https://bugs.launchpad.net/bugs/1822467
Title: OpeonConnect fails with generic TLS Fatal Alert Error