Bug 1276792 - TLS priority string error while connecting to AnyConnect server
Summary: TLS priority string error while connecting to AnyConnect server
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 22
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-10-31 00:11 UTC by Peio Borthelle
Modified: 2015-11-02 17:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-02 17:38:06 UTC
Type: Bug
Embargoed:



Description Peio Borthelle 2015-10-31 00:11:16 UTC
Description of problem:
Openconnect throws a TLS error while connecting to an AnyConnect server: "Failed to set TLS priority string: The request is invalid.".


Version-Release number of selected component (if applicable):
openconnect.x86_64-7.06-1.fc22
gnutls.x86_64-3.3.18-1.fc22


How reproducible:
Connect to some AnyConnect server with openconnect.

Steps to Reproduce:
1. run shell command `openconnect https://<anyconnectserver>/`

alternate (same through GUI):
1. setup a VPN configuration with only the gateway in the gnome NetworkManager
2. start the VPN from the NetworkManager


Actual results:
I get the following on standard output:

POST https://<anyconnectserver>/
Attempting to connect to server <ip>:443
Failed to set TLS priority string: The request is invalid.
Failed to open HTTPS connection to <anyconnectserver>
Failed to obtain WebVPN cookie


Expected results:
A successful connection.


Additional info:
According to some research in the openconnect source and in the GnuTLS reference, this means a syntax error in the priority string passed to the function `gnutls_priority_set_direct`. It may be directly related to this issue: http://git.infradead.org/users/dwmw2/openconnect.git/commit/3f72639c90b8792a290fe9187e03d91316e260c3

Comment 1 David Woodhouse 2015-11-01 10:44:07 UTC
I don't think it should be that commit; that only fixes something that broke immediately before it. Can you show the priority string that's actually being used, please? You might capture it with ltrace, or maybe need to rebuild with an additional debug output.

Comment 2 Peio Borthelle 2015-11-01 13:05:54 UTC
By reproducing the build process of the Fedora package I managed to reproduce the error: the priority string is "@SYSTEM" and this comes from the fact that the `configure` script is called with the `--with-default-gnutls-priority="@SYSTEM"` option (http://pkgs.fedoraproject.org/cgit/openconnect.git/tree/openconnect.spec?h=f22, `%configure` section). Removing this option appears to fix the bug.

According to the GnuTLS reference, "@SYSTEM" should be expanded at compile time, from a system configuration file. I noted that there is no such file in my system and even by adding one at the default location with some valid value (`SYSTEM=NORMAL:+ARCFOUR-128`), the priority string remains the same.

Comment 3 Nikos Mavrogiannopoulos 2015-11-02 09:32:13 UTC
Is that a stock fedora 22 system or modified in some way? In F22 you should have the crypto-policies package which should have generated the required files. If not try running update-crypto-policies.
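To make the mechanism behind comments 2 and 3 concrete, here is an added example (not code from openconnect, GnuTLS or crypto-policies) that resolves a "@KEYWORD" priority string against a system priority file the way the bug report describes: "@SYSTEM" is looked up in that file when the priority string is parsed, so a build-time default of "@SYSTEM" only works if something (on Fedora, update-crypto-policies) has written the file. Assumptions, labelled in the code: the file is the flat KEY=value format shown in comment 2, the path is where Fedora's crypto-policies writes its GnuTLS backend file (the path a given GnuTLS build actually reads is fixed at its configure time), and the sample file content is constructed, not real update-crypto-policies output.

```python
"""Resolve a GnuTLS-style "@KEYWORD" priority string against a system
priority file, to illustrate why "@SYSTEM" fails when no file defines it.

Added example, not code from openconnect or GnuTLS. Assumed: flat
KEY=value file format (as in comment 2) and the crypto-policies path below.
"""

import os

# Assumed path: where Fedora's crypto-policies writes the GnuTLS backend file.
SYSTEM_PRIORITY_FILE = "/etc/crypto-policies/back-ends/gnutls.config"

# Constructed sample of such a file; not real update-crypto-policies output.
SAMPLE_PRIORITY_FILE = """\
# constructed sample
SYSTEM=NORMAL:-VERS-SSL3.0:-ARCFOUR-128
LEGACY=NORMAL:+ARCFOUR-128
"""

# The message openconnect printed in this bug when GnuTLS rejected the string.
INVALID_REQUEST = "Failed to set TLS priority string: The request is invalid."


class PriorityError(ValueError):
    """Stands in for GNUTLS_E_INVALID_REQUEST."""


def parse_priority_file(text):
    """Map keyword -> priority string from KEY=value lines; '#' starts a comment."""
    keywords = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise PriorityError("line %d: expected KEY=value, got %r" % (lineno, raw))
        keywords[key.strip()] = value.strip()
    return keywords


def resolve_priority(priority, keywords):
    """Expand a leading '@KEYWORD', optionally followed by ':more:options'.

    A string without a leading '@' is returned unchanged. An unknown keyword,
    which is exactly the situation when no file defines SYSTEM, is rejected
    with the same error the bug report shows.
    """
    if not priority.startswith("@"):
        return priority
    name, _, rest = priority[1:].partition(":")
    if name not in keywords:
        raise PriorityError(INVALID_REQUEST)
    expanded = keywords[name]
    return (expanded + ":" + rest) if rest else expanded


def diagnose(priority, file_text):
    """Short verdict for a build-time default such as '@SYSTEM'.

    file_text is the content of the system priority file, or None when the
    file is absent (the state that running update-crypto-policies repairs).
    """
    if file_text is None:
        return "missing system priority file; run update-crypto-policies"
    try:
        return "ok: %s" % resolve_priority(priority, parse_priority_file(file_text))
    except PriorityError as exc:
        return "error: %s" % exc


def read_system_priority_file(path=SYSTEM_PRIORITY_FILE):
    """Content of the system priority file, or None when it does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Check the running system first, then the two constructed cases.
    print("real system :", diagnose("@SYSTEM", read_system_priority_file()))
    print("sample file :", diagnose("@SYSTEM", SAMPLE_PRIORITY_FILE))
    print("no file     :", diagnose("@SYSTEM", None))
```

Run on a box where the file is absent and the first line reports the missing file, which is the state comment 4 fixed with `update-crypto-policies`; with the constructed sample it prints the expanded string, and an empty file (present but without a SYSTEM line) reproduces the "The request is invalid." error rather than the missing-file hint, which is why checking for the file alone is not enough.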

Comment 4 Peio Borthelle 2015-11-02 17:38:06 UTC
Indeed, I am running chapeau-linux 22 (http://chapeaulinux.org/), a fedora spin-off. The crypto-policies package was installed, but running `update-crypto-policies` fixed the bug, everything is fine now.

I am going to report this to the chapeau maintainer.

