cannot connect to some gateways

Bug #1225276 reported by Eric Gillingham
Affects: openconnect (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Encountering the same bug referenced in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708928 .

openconnect -v vpn...
...snip...
Connected to HTTPS on vpn....
Got HTTP response: HTTP/1.1 302 Found
Location: https://vpn..../dana-na/auth/url_2/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_2; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Connection: close
HTTP body http 1.0 (-1)
Failed to read from SSL socket: A TLS packet with unexpected length was received.
Failed to obtain WebVPN cookie

Installed openconnect versions, this is on saucy:
ii libopenconnect2:amd64 5.01-1 amd64
ii openconnect 5.01-1 amd64

Revision history for this message
Mike Miller (mtmiller) wrote :

Hi, thanks for your bug report. You say you are seeing the same bug as the linked bug report, but that bug was fixed with version 5.01 of openconnect.

Can you confirm that you are running version 5.01 of openconnect when this failure occurs (openconnect --version)?

Does the connection succeed when the --no-xmlpost option is given to openconnect?

Changed in openconnect (Ubuntu):
status: New → Incomplete
Revision history for this message
Eric Gillingham (gillingham) wrote :

As mentioned in the bug report, I am running 5.01:

"Installed openconnect versions, this is on saucy:
ii libopenconnect2:amd64 5.01-1 amd64
ii openconnect 5.01-1 amd64"

Revision history for this message
Eric Gillingham (gillingham) wrote :

openconnect --version
OpenConnect version v5.01
Using GnuTLS. Features present: PKCS#11, TOTP software token, DTLS (using OpenSSL)

Revision history for this message
Mike Miller (mtmiller) wrote :

Hi, still waiting for a response to my last question in comment #1:

Does the connection succeed when the --no-xmlpost option is given to openconnect?

Revision history for this message
Eric Gillingham (gillingham) wrote :

Yes:
openconnect --no-xmlpost vpn...
GET https://vpn.jpl.nasa.gov/
Attempting to connect to server ...:443
SSL negotiation with vpn...
Server certificate verify failed: signer not found

Certificate from VPN server "vpn...." failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn....
Got HTTP response: HTTP/1.1 302 Found
Failed to read from SSL socket: A TLS packet with unexpected length was received.
Failed to obtain WebVPN cookie

Changed in openconnect (Ubuntu):
status: Incomplete → New
Revision history for this message
Mike Miller (mtmiller) wrote :

This behavior sounds exactly like that reported in bug #1229195. Can you update to openconnect 5.02-1 that was just uploaded yesterday and see if this version fixes the problem for you without the need for the --no-xmlpost option?

Mike Miller (mtmiller)
Changed in openconnect (Ubuntu):
status: New → Incomplete
Revision history for this message
Eric Gillingham (gillingham) wrote :

That version isn't in the saucy repository, I manually downloaded and installed https://launchpad.net/ubuntu/trusty/amd64/openconnect/5.02-1 and https://launchpad.net/ubuntu/trusty/amd64/libopenconnect2/5.02-1

openconnect vpn...
POST https://vpn...
Attempting to connect to server ...:443
SSL negotiation with vpn...
Server certificate verify failed: signer not found

Certificate from VPN server "vpn...." failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn...
Got HTTP response: HTTP/1.1 302 Found
Failed to read from SSL socket: A TLS packet with unexpected length was received.
Failed to obtain WebVPN cookie

With --no-xmlpost option:
openconnect --no-xmlpost vpn...
GET https://vpn...
Attempting to connect to server ...:443
SSL negotiation with vpn...
Server certificate verify failed: signer not found

Certificate from VPN server "vpn..." failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn...
Got HTTP response: HTTP/1.1 302 Found
Failed to read from SSL socket: A TLS packet with unexpected length was received.
Failed to obtain WebVPN cookie

So both still fail with this version.

Changed in openconnect (Ubuntu):
status: Incomplete → New
Revision history for this message
dwmw2 (dwmw2) wrote : Re: [Bug 1225276] Re: cannot connect to some gateways

On Fri, 2014-02-14 at 04:42 +0000, Eric Gillingham wrote:
> Failed to read from SSL socket: A TLS packet with unexpected length
> was received.

I see a different error on that server:

Failed to read from SSL socket: The TLS connection was non-properly terminated.

For me it's "fixed" by
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/c7077b96b

Now I have a different issue with that server — neither XML POST nor the
old method actually give me a login form:

XML response has no "auth" node
Failed to obtain WebVPN cookie

It just seems to be giving web pages back. And in fact the AnyConnect
client seems to have the same issue. (Although I tested with an ancient
2.2.0136 since my newer version started segfaulting and dying.)

Kevin, any ideas?

--
dwmw2

Revision history for this message
dwmw2 (dwmw2) wrote :

On Fri, 2014-02-14 at 12:54 +0000, dwmw2 wrote:
> It just seems to be giving web pages back. And in fact the AnyConnect
> client seems to have the same issue. (Although I tested with an
> ancient 2.2.0136 since my newer version started segfaulting and
> dying.)

Turns out 3.1.03103 stops segfaulting if I go back to the 20th century
and remove all IPv6 addresses from my eth0 device. Reminding me of the
stunning level of incompetence which led me to write OpenConnect in the
first place... :)

It also fails with this server, just like 2.2.0136.

--
dwmw2

Revision history for this message
dwmw2 (dwmw2) wrote :

According to https://dir.jpl.nasa.gov/tfa/TFA_RAS_instructions.pdf this
is a Juniper VPN, not Cisco AnyConnect. I'm not going to lose sleep over
the fact that we can't connect to it!

Supporting the Juniper VPN might not actually be that hard, if it's at
all similar to AnyConnect. And it's likely to be, since there isn't much
innovation in how you do an SSL VPN.

But it is left as an exercise for the reader.

--
dwmw2
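Added illustration for this thread (not code from the bug report or from the OpenConnect project): a small Python classifier that reads a raw HTTP response of the kind pasted above and tells a Juniper gateway apart from a Cisco AnyConnect one before any credentials are sent. It keys on markers visible in this report: the `/dana-na/` redirect path and the `DS*` cookies for Juniper, and an `<auth>` node in an XML reply (the node OpenConnect is looking for when it prints 'XML response has no "auth" node') for AnyConnect. The Juniper sample is built from the 302 in the report with the host redacted as in the original; the AnyConnect sample's exact XML layout and the `DSID` cookie name are assumptions.

```python
"""Classify an SSL-VPN gateway from its first HTTP response.

Added illustration for this bug thread; not OpenConnect code. Juniper
markers (the /dana-na/ path and DS* cookies) come from the response
pasted in the report; the AnyConnect sample below is constructed.
"""
import re

# Markers of a Juniper gateway, as seen in the report's 302 reply.
# DSID is assumed here; the other three appear in the report.
JUNIPER_PATH = "/dana-na/"
JUNIPER_COOKIES = {"DSSIGNIN", "DSSignInURL", "DSIVS", "DSID"}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    headers is a list of (lowercased name, value) so repeated headers such
    as Set-Cookie are all kept. Tolerates CRLF or bare LF line endings.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(None, 2)          # e.g. "HTTP/1.1 302 Found"
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def header_values(headers, name):
    """All values of a (case-insensitive) header name, in order."""
    name = name.lower()
    return [v for n, v in headers if n == name]


def classify_gateway(raw: str) -> str:
    """Return 'juniper', 'anyconnect' or 'unknown' for a raw HTTP response."""
    status, headers, body = parse_response(raw)
    cookie_names = {v.split("=", 1)[0].strip()
                    for v in header_values(headers, "Set-Cookie")}
    location = " ".join(header_values(headers, "Location"))

    # Juniper: redirect into /dana-na/ and/or DS* cookies.
    if JUNIPER_PATH in location or cookie_names & JUNIPER_COOKIES:
        return "juniper"

    # AnyConnect XML POST: a 200 with an XML body carrying an <auth> node,
    # the node OpenConnect wants before it can show a login form.
    ctype = " ".join(header_values(headers, "Content-Type")).lower()
    if status == 200 and "xml" in ctype and re.search(r"<auth\b", body):
        return "anyconnect"

    return "unknown"


# Constructed sample: the 302 from this report, host redacted as in the paste.
JUNIPER_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://vpn..../dana-na/auth/url_2/welcome.cgi\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: DSSIGNIN=url_2; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure\r\n"
    "Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure\r\n"
    "Set-Cookie: DSSignInURL=/; path=/; secure\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed sample of an AnyConnect auth-request reply (layout assumed).
ANYCONNECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "Connection: close\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<config-auth client="vpn" type="auth-request">\n'
    '  <auth id="main"><title>Login</title></auth>\n'
    "</config-auth>\n"
)

# Constructed sample: a plain web page with no login form, the case dwmw2
# describes after the TLS read error is worked around.
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>\n"
)

if __name__ == "__main__":
    for name, raw in (("juniper", JUNIPER_RESPONSE),
                      ("anyconnect", ANYCONNECT_RESPONSE),
                      ("html", HTML_RESPONSE)):
        print(f"{name:10s} -> {classify_gateway(raw)}")
```

Run it as a script to see the three samples classified; to use it against a real gateway, feed it the response captured from an HTTPS GET of the server root (or the `openconnect -v` output) before deciding which client to use.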

Revision history for this message
Mike Miller (mtmiller) wrote :

Good catch, thanks for helping look into this failure. OpenConnect does not connect to all VPNs, only Cisco AnyConnect VPNs. The specific VPN you are trying to use is not an AnyConnect VPN, so OpenConnect is not expected to work with it. Closing this bug report as invalid.

Changed in openconnect (Ubuntu):
status: New → Invalid
Revision history for this message
dwmw2 (dwmw2) wrote :

We are now working on adding Juniper support to OpenConnect. Eric, or indeed anyone else, if you're interested in testing please send an email either to the openconnect-devel mailing list or to me directly.
