Red Hat Bugzilla – Bug 1276792
TLS priority string error while connecting to AnyConnect server
Last modified: 2015-11-02 12:38:06 EST
Description of problem:
Openconnect throws a TLS error while connecting to an AnyConnect server: "Failed to set TLS priority string: The request is invalid.".
Version-Release number of selected component (if applicable):
Connect to some AnyConnect server with openconnect.
Steps to Reproduce:
1. run shell command `openconnect https://<anyconnectserver>/`
alternate (same through GUI):
1. setup a VPN configuration with only the gateway in the gnome NetworkManager
2. start the VPN from the NetworkManager
I get the following on standard output:
Attempting to connect to server <ip>:443
Failed to set TLS priority string: The request is invalid.
Failed to open HTTPS connection to <anyconnectserver>
Failed to obtain WebVPN cookie
Expected results:
A successful connection.
According to some research in the openconnect source and in the GnuTLS reference, this means a syntax error in the priority string passed to the function `gnutls_priority_set_direct`. It may be directly related to this issue: http://git.infradead.org/users/dwmw2/openconnect.git/commit/3f72639c90b8792a290fe9187e03d91316e260c3
I don't think it should be that commit; that only fixes something that broke immediately before it. Can you show the priority string that's actually being used, please? You might capture it with ltrace, or maybe need to rebuild with an additional debug output.
By reproducing the build process of the Fedora package I managed to reproduce the error: the priority string is "@SYSTEM" and this comes from the fact that the `configure` script is called with the `--with-default-gnutls-priority="@SYSTEM"` option (http://pkgs.fedoraproject.org/cgit/openconnect.git/tree/openconnect.spec?h=f22, `%configure` section). Removing this option appears to fix the bug.
According to the GnuTLS reference, "@SYSTEM" should be expanded at compile time, from a system configuration file. I noted that there is no such file on my system, and even after adding one at the default location with some valid value (`SYSTEM=NORMAL:+ARCFOUR-128`), the priority string remains the same.
Is that a stock Fedora 22 system or modified in some way? In F22 you should have the crypto-policies package, which should have generated the required files. If not, try running update-crypto-policies.
Indeed, I am running chapeau-linux 22 (http://chapeaulinux.org/), a Fedora spin-off. The crypto-policies package was installed, but running `update-crypto-policies` fixed the bug; everything is fine now.
I am going to report this to the chapeau maintainer.
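The comments above pin the failure on an "@SYSTEM" keyword that GnuTLS cannot resolve because the system priority file written by update-crypto-policies is missing. The following added example (not code from openconnect, GnuTLS or this bug report) models that resolution step so the state of a host can be checked: it parses a KEY=VALUE priority file, expands a leading "@KEY1[,KEY2]" with the first keyword found (the comma fallback form GnuTLS also accepts), and reports the unresolved case that surfaces as "Failed to set TLS priority string". The file path is the one Fedora's GnuTLS build uses and is an assumption; the sample file contents are constructed.

```python
import re
from pathlib import Path

# Assumed path: Fedora's GnuTLS reads the file written by update-crypto-policies
# from here; other distributions configure a different location.
DEFAULT_PRIORITY_FILE = "/etc/crypto-policies/back-ends/gnutls.config"

# Constructed sample of such a file, using the SYSTEM value tried in the report.
SAMPLE_PRIORITY_FILE = """
# generated by update-crypto-policies (constructed sample)
SYSTEM=NORMAL:+ARCFOUR-128
LEGACY=NORMAL:%COMPAT
"""


def parse_priority_file(text):
    """Parse KEY=VALUE lines into a dict; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def load_priority_file(path=DEFAULT_PRIORITY_FILE):
    """Read the system priority file; a missing file yields no keywords,
    which is the host state described in the bug report."""
    p = Path(path)
    return parse_priority_file(p.read_text()) if p.is_file() else {}


def expand_priority(priority, entries):
    """Expand a leading @KEY1[,KEY2...] with the first keyword defined in
    entries, keeping any ':modifiers' that follow. Returns None when no
    keyword resolves, the case GnuTLS rejects as an invalid request."""
    if not priority.startswith("@"):
        return priority
    m = re.match(r"@([A-Za-z0-9_,-]+)(:.*)?$", priority)
    if m is None:
        return None
    for keyword in m.group(1).split(","):
        if entries.get(keyword):
            return entries[keyword] + (m.group(2) or "")
    return None


def diagnose(priority="@SYSTEM", path=DEFAULT_PRIORITY_FILE):
    """Report what openconnect's compiled-in default expands to on this host."""
    expanded = expand_priority(priority, load_priority_file(path))
    if expanded is None:
        return f"{priority!r} does not resolve: {path} is missing or lacks the keyword; run update-crypto-policies"
    return f"{priority!r} -> {expanded!r}"


if __name__ == "__main__":
    print(diagnose())
```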