Bug 1647253

Summary: openconnect fails with Failed to set TLS priority string ("@OPENCONNECT,@SYSTEM:%COMPAT"): The request is invalid.
Product: Fedora
Reporter: Stewart Smith <stewart>
Component: openconnect
Assignee: David Woodhouse <dwmw2>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 29
CC: dwmw2, nmavrogi
Hardware: All
OS: Linux
Fixed In Version: openconnect-8.01-1.fc29
Last Closed: 2019-01-07 07:44:15 UTC
Type: Bug

Description Stewart Smith 2018-11-07 00:31:06 UTC
Description of problem:
When trying to connect to an OpenConnect VPN (such as the IBM VPN) either via the GNOME GUI or command line, all attempts fail with "Failed to set TLS priority string ("@OPENCONNECT,@SYSTEM:%COMPAT"): The request is invalid."

Version-Release number of selected component (if applicable):
Fedora 29 (upgraded from Fedora 28)
openconnect v7.08
gnutls-3.6.4-4.fc29.x86_64

How reproducible:
100%


Steps to Reproduce:
1. Attempt to connect to any openconnect VPN

Actual results:
Failed to set TLS priority string ("@OPENCONNECT,@SYSTEM:%COMPAT"): The request is invalid.

Expected results:
Connected to VPN

Additional info:
I managed to fix it by duplicating the SYSTEM line and adding an OPENCONNECT one like so:

[stewart@birb ~]$ cat /etc/crypto-policies/back-ends/gnutls.config
SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW
OPENCONNECT=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW

But this is probably a terrible hack dialed up to 11.
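As an added check, not taken from the bug report or from the openconnect or GnuTLS projects: a small Python script that parses the KEYWORD=... lines of a crypto-policies gnutls.config and reports which alternatives in a string like "@OPENCONNECT,@SYSTEM:%COMPAT" are actually defined, before and after the workaround above. The config contents are constructed and abbreviated, and the resolution rule (first defined keyword wins, suffix appended) is an assumption about GnuTLS's documented intent, not a statement about what any particular build does.

```python
import re

# Constructed, abbreviated stand-ins for /etc/crypto-policies/back-ends/gnutls.config.
# The real Fedora 29 SYSTEM line is much longer; only the structure matters here.
CONFIG_BEFORE = "SYSTEM=NONE:+MAC-ALL:-MD5:+CIPHER-ALL:+VERS-ALL:-VERS-SSL3.0:%PROFILE_LOW\n"
# The reporter's workaround: the same priority string duplicated under OPENCONNECT=.
CONFIG_AFTER = CONFIG_BEFORE + "OPENCONNECT=" + CONFIG_BEFORE.partition("=")[2]

KEYWORD_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse_gnutls_config(text):
    """Map KEYWORD -> priority string for each KEYWORD=... line (comments skipped)."""
    keywords = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEYWORD_LINE.match(line)
        if m:
            keywords[m.group(1)] = m.group(2)
    return keywords


def resolve_priority(priority, config_text):
    """Resolve an application priority string such as '@OPENCONNECT,@SYSTEM:%COMPAT'.

    Assumption (not verified against any given GnuTLS build): comma-separated
    @KEYWORDs are alternatives, the first one defined in the config wins, and
    any ':'-suffix is appended to the expanded string.
    Returns (chosen_keyword, expanded_priority, undefined_keywords); chosen is
    None when no alternative is defined, i.e. nothing in the config satisfies it.
    """
    if not priority.startswith("@"):
        return None, priority, []  # literal priority string, nothing to look up
    head, colon, suffix = priority.partition(":")
    defined = parse_gnutls_config(config_text)
    undefined = []
    for alt in head.split(","):
        name = alt.lstrip("@")
        if name in defined:
            return name, defined[name] + colon + suffix, undefined
        undefined.append(name)
    return None, None, undefined


if __name__ == "__main__":
    for label, cfg in (("before workaround", CONFIG_BEFORE), ("after workaround", CONFIG_AFTER)):
        chosen, expanded, missing = resolve_priority("@OPENCONNECT,@SYSTEM:%COMPAT", cfg)
        print(f"{label}: uses {chosen!r}, undefined keywords {missing}")
```

To see what the installed library itself accepts, `gnutls-cli --priority '@OPENCONNECT,@SYSTEM:%COMPAT' --list` runs the string through the real parser and lists the resulting ciphersuites.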

Comment 1 Fedora Update System 2019-01-07 07:43:05 UTC
openconnect-8.01-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-267b29539a

Comment 2 Fedora Update System 2019-01-08 02:04:56 UTC
openconnect-8.01-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-267b29539a

Comment 3 Fedora Update System 2019-01-11 04:34:03 UTC
openconnect-8.01-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.