[regression] no connection with openconnect

Bug #898830 reported by pittipatti
This bug affects 4 people
Affects                 Status          Importance    Assigned to    Milestone
openconnect (Ubuntu)    Fix Released    Undecided     Unassigned
Precise                 Fix Released    Undecided     Unassigned

Bug Description

Since Oneiric it is no longer possible to connect to various servers.

In Comment 4 in Bug 881720 a developer explains the details
(https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/881720/comments/4)

I'll paste them here again as this issue was not addressed in the other bug:

-------
dwmw2 (dwmw2) wrote on 2011-10-29: #4

pittipatti is correct. I'll elucidate...

Long ago (commit 3bee59c in v2.26) we switched from using TLSv1 to SSLv3, because some servers (or their firewalls) seem to reject any connections with Hello extensions.

In v3.11 (commit 4ad3d6c) we changed that again, because some servers also reject SSLv3 connections. Now we use TLSv1 but explicitly disable extensions. This should work everywhere.

We have *also* made openconnect export this code as a proper shared library, so when things like that are updated it will automatically take effect in the auth-dialog too. Older versions (including v3.02) only exported a *static* library because we weren't quite ready to call the API "stable" at that point.

What you need to do is update the openconnect package and make sure you're installing the shared library, and then make sure your network-manager-openconnect (and kde4-plasma-networkmanagement) packages are using the *shared* library for their authentication dialogs.

------

So please update to a version >= 3.11 to make this package usable again.

Thanks
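An added example (not part of the bug report and not openconnect's code): a small Python parser that reports which protocol version a ClientHello offers and whether it carries Hello extensions, the two properties the quoted comment says some servers or firewalls reject on. The `build_client_hello` helper and its sample bytes are constructed for illustration.

```python
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def build_client_hello(version, extensions=b""):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    body = bytes(version) + bytes(32)       # client_version + all-zero random
    body += b"\x00"                         # empty session_id
    body += b"\x00\x02\x00\x2f"             # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                     # null compression only
    if extensions:                          # the extensions block is optional
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def _skip_vector(buf, pos, len_bytes):
    """Step over a length-prefixed vector, refusing to read past the buffer."""
    end = pos + len_bytes
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    end += int.from_bytes(buf[pos:pos + len_bytes], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return end

def inspect_client_hello(record):
    """Return (client_version_name, [extension type numbers])."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < 34 or len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = VERSIONS.get((body[0], body[1]), "unknown")
    pos = _skip_vector(body, 34, 1)         # session_id (after version + random)
    pos = _skip_vector(body, pos, 2)        # cipher_suites
    pos = _skip_vector(body, pos, 1)        # compression_methods
    ext_types = []
    if pos < len(body):                     # anything left is the extensions block
        end = _skip_vector(body, pos, 2)
        pos += 2
        while pos < end:
            ext_types.append(int.from_bytes(body[pos:pos + 2], "big"))
            pos = _skip_vector(body, pos + 2, 2)
    return version, ext_types
```

Feeding it the first record a client sends (for example, bytes exported from a packet capture) shows whether that client offers SSLv3 or TLSv1 and whether any extensions are present.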

dwmw2 (dwmw2) wrote :

Make it at least 3.13. There are important DTLS compatibility fixes in 3.12, and in 3.13 I made it build on Debian again... which is probably going to be helpful for you. 3.14 and 3.15 are just translations and Solaris/OSX/*BSD compatibility, so 3.13 would be OK... but why not just update to 3.15?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openconnect (Ubuntu):
status: New → Confirmed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Well, we can certainly (and we will) update openconnect in Precise, but I'm not convinced "some servers reject SSLv3" is sufficient reason to provide an updated version of openconnect in Oneiric as an SRU -- presumably, it does work on some servers, no?

... And if not, these servers can be configured in what versions of SSL they accept? And if it's firewall issues, then those can also be worked around (via fixups, inspects, etc.)

This does not preclude making it available as a backport though, once 3.15 or so reaches Debian and is included in Precise.

Todd Kennedy (toddkenn) wrote :

Well, openconnect > 3.02 is required for plasma-widget-networkmanagement to include it in the build cycle. So in Kubuntu Oneiric, openconnect VPN via the desktop is broken. It's not even listed as a valid VPN to use because the version of openconnect is too low in universe. I think that's a good reason.

Mike Miller (mtmiller) wrote :

I think this bug is basically fixed as well as it's going to be. 12.04 was released with 3.15, and oneiric is long gone out of support now; I don't see any action needed or any reason for keeping this open.

Changed in openconnect (Ubuntu):
status: Confirmed → Fix Released
Changed in openconnect (Ubuntu Precise):
status: Confirmed → Fix Released