CSD scripts do not work on jammy

Bug #1968467 reported by Jason Gunthorpe
This bug affects 5 people
Affects: openconnect (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The CSD scripts all use curl to communicate to the ASA server and in Jammy curl has been linked with openssl 3.

openssl 3 switched off SSL_OP_LEGACY_SERVER_CONNECT by default, and Cisco never implemented RFC5746 in ASA, so the curl commands in the CSD script just fail to connect (and the scripts blindly ignore these errors, making it hard to debug).

When run manually curl reports back:

* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

My feeling is that curl should set the SSL option when -k is used. openconnect itself sets this option already; it was fixed in commit c8dcf10.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: openconnect 8.20-1
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu80
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.468
CurrentDesktop: ubuntu:GNOME
Date: Sun Apr 10 12:19:57 2022
LiveMediaBuild: Ubuntu 22.04 LTS "Jammy Jellyfish" - Daily amd64 (20220409)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openconnect
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Jason Gunthorpe (jgunthorpe) wrote :
Revision history for this message
Dan Lenski (lenski) wrote :

I’m one of the upstream OpenConnect developers. Thanks for bringing this to our attention. This is one of a seemingly-endless stream of issues (e.g. https://gitlab.com/openconnect/openconnect/-/issues/211) that OpenConnect users have encountered as a result of distros’ recent mania for enforcing “minimum TLS security levels” on a system-wide level.

It’s a frustrating situation for OpenConnect because users often have to connect to ancient unpatched VPNs to do their work, can’t do anything about the server configuration, and have no real expectation of “security” anyway.

> My feeling is that curl should set the SSL option when -k is used. openconnect itself sets this option already, it was fixed in commit c8dcf10

If you replace the cURL invocation in the CSD/Trojan script with…

```
OPENSSL_CONF=/dev/null curl <usual options>
```

… does this make it work? (For some hints about how/why it should work, start with https://gitlab.com/openconnect/openconnect/-/commit/7e862f2f0352409357fa7a4762481fde49909eb8#406e031b8824ea26ae0bf4d7579a1d89e3fb5906)

Revision history for this message
Jason Gunthorpe (jgunthorpe) wrote : Re: [Bug 1968467] Re: CSD scripts do not work on jammy

On Mon, Apr 11, 2022 at 6:00 PM Dan Lenski <email address hidden> wrote:

> > My feeling is that curl should set the SSL option when -k is used.
> openconnect itself sets this option already, it was fixed in commit
> c8dcf10
>
> If you replace the cURL invocation in the CSD/Trojan script with…
>
> ```
> OPENSSL_CONF=/dev/null curl <usual options>
> ```
>
> … does this make it work? (For some hints about how/why it should work,
>

No, it didn't change, I tested with:

# OPENSSL_CONF=/dev/null curl -k -v https://x.x.x.x/
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection 0
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Inside ubuntu:22.04 as a docker container just to test curl.

Thanks,
Jason

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openconnect (Ubuntu):
status: New → Confirmed
Revision history for this message
Dan Lenski (lenski) wrote :

@jgunthorpe, what if you do something like this, where you create an OPENSSL_CONF that explicitly (re)enables unsafe legacy negotiation, instead of using /dev/null?

```
$ cat > /tmp/openssl.conf <<EOF
_openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation_
EOF

$ OPENSSL_CONF=/tmp/openssl.conf curl <usual options>
```

That comes from https://github.com/dlenski/gp-saml-gui/issues/42

Revision history for this message
Jason Gunthorpe (jgunthorpe) wrote :

That does work; note that the leading and trailing _ are garbage. The file should be:

root@c5c1367d7a8e:/# cat /tmp/openssl.conf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
root@c5c1367d7a8e:/# OPENSSL_CONF=/tmp/openssl.conf curl -k -v https://xxx/CACHE/sdesktop/hostscan/linux_x64/manifest
[..]
< HTTP/1.1 200 OK
< Content-Type:
< Content-Length: 813
< Cache-Control: max-age=6000

Thanks,
Jason

On Fri, Apr 22, 2022 at 12:10 AM Dan Lenski <email address hidden> wrote:

> @jgunthorpe, what if you do something like this, where you create an
> OPENSSL_CONF that explicitly (re)enables unsafe legacy negotiation?
> Instead of using /dev/null.
>
> ```
> $ cat > /tmp/openssl.conf <<EOF
> _openssl_conf = openssl_init
> [openssl_init]
> ssl_conf = ssl_sect
> [ssl_sect]
> system_default = system_default_sect
> [system_default_sect]
> Options = UnsafeLegacyRenegotiation_
> EOF
>
> $ OPENSSL_CONF=/tmp/openssl.conf curl <usual options>
> ```
>
> That comes from https://github.com/dlenski/gp-saml-gui/issues/42

Revision history for this message
Dan Lenski (lenski) wrote :

Thanks for testing that.

We may need to apply something like this to OpenConnect, to get it to try harder to disable the OpenSSL minimum security level. Ugh.

https://gitlab.com/openconnect/openconnect/-/commit/4e07eecaf04a48c3253a5dfd69d817673194e154#note_921595179

Revision history for this message
Ian Samuel (mrzesty) wrote :

Thanks, this w/a also worked for me.

$ cat openssl.conf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation

~$ export OPENSSL_CONF=openssl.conf

Revision history for this message
Benjamin Herrenschmidt (benh-kernel) wrote :

I confirm the workaround works for me too. I've modified our CSD script to create a temp openssl.conf and set OPENSSL_CONF before curl invocations, and I can connect to our VPN.
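The workaround discussed in this thread (a throwaway openssl.conf with Options = UnsafeLegacyRenegotiation, set via OPENSSL_CONF only for the curl calls) as a sourceable helper for a CSD script; this is an added example, not code from the bug report or from OpenConnect's own scripts, and the function names are my own. It relaxes TLS only after curl reports the exact OpenSSL 3 renegotiation refusal shown above, logs that it did so, and returns curl's real exit status instead of ignoring it.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenConnect's own CSD
# scripts: helpers a CSD/hostscan shell script can source so that curl falls
# back to OpenSSL 3's UnsafeLegacyRenegotiation only when the server really
# lacks RFC 5746, and logs when it does. Function names are my own.

# Write a minimal OpenSSL 3 config that re-enables legacy renegotiation
# (the workaround from the thread) and print its path; caller removes it.
write_legacy_openssl_conf() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
    printf '%s\n' "$conf"
}

# Succeed only for the exact OpenSSL 3 refusal seen in the report, so that
# TLS is never relaxed for unrelated failures (DNS, bad certificate, ...).
is_legacy_renegotiation_error() {
    printf '%s' "$1" | grep -q 'unsafe legacy renegotiation disabled'
}

# Run curl with the given arguments; on the renegotiation error, retry once
# with the relaxed config. Returns curl's exit status instead of hiding it.
csd_curl() {
    errfile=$(mktemp) || return 1
    curl "$@" 2>"$errfile"
    status=$?
    if [ "$status" -eq 0 ] || ! is_legacy_renegotiation_error "$(cat "$errfile")"; then
        cat "$errfile" >&2
        rm -f "$errfile"
        return "$status"
    fi
    echo "csd_curl: server lacks RFC 5746 renegotiation, retrying with UnsafeLegacyRenegotiation" >&2
    conf=$(write_legacy_openssl_conf) || { rm -f "$errfile"; return 1; }
    OPENSSL_CONF="$conf" curl "$@"
    status=$?
    rm -f "$conf" "$errfile"
    return "$status"
}
# Usage inside the CSD script (host is a placeholder):
#   csd_curl -k -s -o manifest "https://<asa-host>/CACHE/sdesktop/hostscan/linux_x64/manifest" || exit 1
```

If the CSD script runs under set -e, call csd_curl inside a conditional (as in the usage comment) so a genuine failure is reported rather than silently aborting the script.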
