Ubuntu

FFe vpnc with Hybrid-Auth enabled?

Reported by Christoph Langner on 2008-02-26
This bug affects 20 people
Affects / Status / Importance / Assigned to / Milestone
VPNC: Status Fix Released; Importance Unknown
vpnc (Ubuntu): Importance Undecided; Assigned to Unassigned
Nominated for Lucid by Lee G.

Bug Description

UPDATE: Debian unstable has a working package without the license issue, so we just need a sync to fix this bug.

Binary package hint: vpnc

In order to use vpnc with Cisco access concentrators which use Hybrid-Auth, you've got to get the sources from http://www.unix-ag.uni-kl.de/~massar/vpnc/, change these lines

...
OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
OPENSSLLIBS = -lcrypto
...

inside the Makefile and recompile vpnc. I don't know if it is legal, but would it be possible to create a package "vpnc-hybridauth" inside multiverse which has this function enabled, so you don't have to compile vpnc by yourself?

Lee G. (lee-in-berlin) wrote :

As far as I can say, the previous versions of vpnc were compiled with this option activated ... I would just do it, and see if anybody complains. The way it is at the moment is a bit annoying, as most people probably use it in hybrid-auth mode.

Kind regards,
Lee Garrett

Steffen Röcker (sroecker) wrote :

That would be a solution until vpnc gets patched.
Someone on vpnc-devel wanted to rewrite it using NSS.

For all the people who compiled vpnc with hybrid auth themselves, I patched network-manager-vpnc to enable hybrid auth configuration.
See my ppa:
https://launchpad.net/~sroecker/+archive

Changed in vpnc:
status: New → Confirmed

accleo (accleo) wrote :

Hi Lee,

Have you compiled a .deb with vpnc hybrid authentication just like Steffen Röcker did with nm-vpnc? Because I would be interested to use it...
Thanks!

strawman (yangseungdo) wrote :

Hi Lee,

I'm also interested in your pre-compiled .deb with vpnc hybrid authentication.

Thanks,

strawman (yangseungdo) wrote :

Make sure you have the following packages installed before you compile:

debhelper (>= 4.0.0)
dpatch
libgcrypt11-dev

and

libssl-dev

Thanks,

Lee G. (lee-in-berlin) wrote :

*bump*

Is there any definite yes or no regarding this issue? Would be nice to solve it soon as it affects quite a lot of people in university environments, and the solution is basically there.

Christoph Langner (chrissss) wrote :

Jaunty is out and we don't have an answer for this. Is it possible to deliver vpnc with HybridAuth out of the box?

Michael Tänzer (neoatnhng) wrote :

The OpenSSL license and the GPL are incompatible (because of the advertising clause also known from the old BSD license). If you distribute software which contains GPLed code, you have to GPL this software too. As the OpenSSL license is incompatible we can't do this because we would not respect the license of the OpenSSL library and therefore would lose our right to distribute it. If we don't apply the GPL to the vpnc package we lose our right to distribute the GPLed part. So either way we can't do this.
There are two solutions which both require a fix from the vpnc project:
1) The copyright holders (i.e. each person who has contributed to vpnc) allow for an exception clause, stating that their software may be linked to the OpenSSL library
2) vpnc is rewritten to use another SSL library (e.g. GnuTLS)

Steffen Röcker (sroecker) wrote :

Dan Williams patched vpnc so that it can either use OpenSSL or GnuTLS,
he posted the patch to vpnc-devel:
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-May/003073.html

I already tried it but it didn't work for me.

Christophe (christophe-wk3) wrote :

I'd love to see this fixed.

Laurent (laurent-goujon) wrote :

I posted another patch (based on Dan Williams) on vpnc-devel which worked for me at least.

http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003129.html

Laurent (laurent-goujon) wrote :

New version of my patch: PKCS#1 padding check is more strict

Steffen Röcker (sroecker) wrote :

Thanks Laurent.
I cleaned up your patch so that I can apply it to vpnc-0.5.3-1 and removed test-crypto.

Steffen Röcker (sroecker) wrote :

I uploaded vpnc with gnutls support to my ppa so people can test it.

Had to disable certificate issuer verifying to accept my cert.

Jörn Horstmann (jhorstmann) wrote :

Thank you for your work on this bug. I just tested the patch on ubuntu jaunty with our corporate vpn using hybrid authentication and it seems to work fine. It would be great if this worked out of the box in karmic.

Matthias Blaicher (blaicher) wrote :

I'm using your PPA on Karmic, and it works great with my university (Karlsruhe) network.

Laurent (laurent-goujon) wrote :

Patch merged upstream. Is it possible to update to latest SVN revision before Karmic is released?

tags: added: patch

Hanno Böck (hanno-hboeck) wrote :

Stepped over this one recently, there's a fine working gnutls-version of vpnc available in upstream's svn, though no release. I'd suggest Ubuntu makes a package of vpnc from the svn snapshot (Gentoo does so), development seems quite inactive so probably no release soon.

Lee G. (lee-in-berlin) wrote :

I rebuilt the vpnc package from Debian sid, and it works fine. Would be great if it could be uploaded for Lucid.

Dan (daniel-scharon) wrote :

I can confirm that 0.5.3r449-2 packages from Debian sid are working fine. Corporate and university users would benefit tremendously from vpnc supporting hybrid auth out of the box, especially as Lucid is an LTS release. So please, consider uploading the new version.

accleo (accleo) wrote :

I totally agree!

bojo42 (bojo42) on 2010-03-23
description: updated
summary: - vpnc with Hybrid-Auth enabled?
+ FFe vpnc with Hybrid-Auth enabled?

Dan (daniel-scharon) wrote :

Is there no chance left of getting 0.5.3r449-2 into Lucid?
Shifting the buttons to the left (Bug #532633), introducing hereby a huge experimental UI change, just made it into Lucid weeks before the final release of Lucid.
So please, be consistent with the new let's-get-experimental-changes-weeks-before-LTS-release-policy that has been introduced with Bug #532633 and sync the "experimental" version of vpnc from debian sid.

But seriously: version 0.5.3r449-2 of vpnc is well tested and far from being "unstable".

bojo42 (bojo42) wrote :

vpnc 0.5.3r449-2 is already in squeeze (testing) so lucid (LTS) will ship an older version that's out-of-sync with Debian 6.0 and misses a key feature that larger institutions really need. so please, please consider a FFe.

Changed in vpnc:
status: Unknown → Fix Released

Sebastian Bator (eremit7) wrote :

Maybe there is a chance to get this into lucid, but just asking here won't bring this to the attention of the release team. And final freeze is on 15 April, so it gets more complicated every day.

If you are sure the change fulfils the requirements, please follow the procedure for freeze exception: https://wiki.ubuntu.com/FreezeExceptionProcess

Steve Langasek (vorlon) wrote :

This looks appropriate for an FFe, but someone needs to provide the required information for an FFe per the link in the previous comment.

Changed in vpnc (Ubuntu):
status: Confirmed → Incomplete

Dan (daniel-scharon) wrote :

Thanks for the hint, FreezeException Bug has been filed: Bug #561467

Steve Langasek (vorlon) wrote :

This bug is *already* marked as a freeze exception bug, please provide the information here.

Dan (daniel-scharon) wrote :

OK, my fault.
-----------------------------------------------------------------------------
the new version of vpnc in debian testing fixes this bug.

see also the debian bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440318

version currently in lucid: 0.5.3-1
current version upstream (and now in debian testing): 0.5.3r449 (latest svn snapshot)

the upstream changelog contains _no_ differences as there have been mostly just bugfixes since the last release. Therefore the attached changelog.diff contains the diff of debian/changelog.

for build logs, please refer to the following files:
i386: http://launchpadlibrarian.net/41768783/buildlog_ubuntu-lucid-i386.vpnc_0.5.3r449-2~ppa1~lucid1_FULLYBUILT.txt.gz
amd64: http://launchpadlibrarian.net/41795989/buildlog_ubuntu-lucid-amd64.vpnc_0.5.3r449-2~ppa1~lucid1_FULLYBUILT.txt.gz

thanks to bojo42 for providing these!
(see also: https://launchpad.net/~bojo42/+archive/testing/+sourcepub/1005722/+listing-archive-extra )

Steve Langasek (vorlon) wrote :

You say the upstream changelog contains "mostly" bugfixes. Are there any other non-bugfix changes, aside from the GnuTLS port?

Laurent (laurent-goujon) wrote :

According to the svn changelog, the only major change is the GnuTLS port. Other changes are cosmetic (typos/whitespace), bug fixes and compilation fixes.

See svn log -r449:372 http://svn.unix-ag.uni-kl.de/vpnc/trunk

Steve Langasek (vorlon) wrote :

FFe granted.

Changed in vpnc (Ubuntu):
status: Incomplete → Confirmed

Steve Langasek (vorlon) wrote :

[Updating] vpnc (0.5.3-1 [Ubuntu] < 0.5.3r449-2 [Debian])
 * Trying to add vpnc...
2010-04-13 09:29:47 INFO - <vpnc_0.5.3r449-2.dsc: downloading from http://ftp.debian.org/debian/>
2010-04-13 09:29:47 INFO - <vpnc_0.5.3r449.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-04-13 09:29:47 INFO - <vpnc_0.5.3r449-2.diff.gz: downloading from http://ftp.debian.org/debian/>
I: vpnc [universe] -> vpnc_0.5.3-1 [universe].

Changed in vpnc (Ubuntu):
status: Confirmed → Fix Released

bojo42 (bojo42) wrote :

really great this got into lucid, thanks. now it would make sense to consider a FFe to fix Bug #300628
