I've read through the bug report linked above and have tried building OpenConnect with +SHA256 added with no luck. I may be missing something else that was done to get it working. I do know if I build against gnutls 3.5.18 it does work so it does look like the priority string change going to 3.5.19 is likely the problem as discovered in that bug report and I'm doing something wrong building it, I guess.
$ git status
HEAD detached at 5a3f242e
$ ./openconnect --version
OpenConnect version v8.02-9-g5a3f242e
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp
$ ./openconnect vpn-host.tld
POST https://vpn-host.tld/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to vpn-host.tld
Failed to obtain WebVPN cookie
Build the same openconnect against gnutls 3.5.18 and it works:
$ export PKG_CONFIG_PATH=/opt/gnutls-3.5.18/lib/pkgconfig/
$ ./configure
$ make
$ ./openconnect vpn-host.tld
POST https://vpn-host.tld/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
Connected to HTTPS on vpn-host.tld
I've read through the bug report linked above and have tried building OpenConnect with +SHA256 added with no luck. I may be missing something else that was done to get it working. I do know if I build against gnutls 3.5.18 it does work so it does look like the priority string change going to 3.5.19 is likely the problem as discovered in that bug report and I'm doing something wrong building it, I guess.
$ git status
HEAD detached at 5a3f242e
$ ./openconnect --version
OpenConnect version v8.02-9-g5a3f242e
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp
$ grep default_prio gnutls.c -VERS-SSL3. 0:+SHA256: %COMPAT" ; >pfs?": -RSA":" ", vpninfo- >no_tls13? ":-VERS- TLS1.3" :"");
const char *default_prio;
default_prio = DEFAULT_PRIO ":%COMPAT";
default_prio = "NORMAL:
default_prio, vpninfo-
$ strings /usr/lib/ x86_64- linux-gnu/ libopenconnect. so.5.5. 0 | grep ^NORMAL -VERS-SSL3. 0:%COMPAT
NORMAL:
$ strings .libs/libopenco nnect.so. 5.5.0 | grep ^NORMAL -VERS-SSL3. 0:+SHA256: %COMPAT
NORMAL:
$ ./openconnect vpn-host.tld /vpn-host. tld/
POST https:/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to vpn-host.tld
Failed to obtain WebVPN cookie
Build the same openconnect against gnutls 3.5.18 and it works:
$ export PKG_CONFIG_ PATH=/opt/ gnutls- 3.5.18/ lib/pkgconfig/ /vpn-host. tld/
$ ./configure
$ make
$ ./openconnect vpn-host.tld
POST https:/
Connected to nnnnnnnnn:443
SSL negotiation with vpn-host.tld
Connected to HTTPS on vpn-host.tld