Bug 1276792 - TLS priority string error while connecting to AnyConnect server
Product: Fedora
Component: openconnect
Hardware/OS: x86_64 Linux
Version: unspecified
Severity: medium
Assigned To: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-30 20:11 EDT by Peio Borthelle
Modified: 2015-11-02 12:38 EST
Last Closed: 2015-11-02 12:38:06 EST
Type: Bug
Doc Type: Bug Fix
Attachments: None

Description Peio Borthelle 2015-10-30 20:11:16 EDT
Description of problem:
Openconnect throws a TLS error while connecting to an AnyConnect server: "Failed to set TLS priority string: The request is invalid.".

Version-Release number of selected component (if applicable):

How reproducible:
Connect to some AnyConnect server with openconnect.

Steps to Reproduce:
1. run shell command `openconnect https://<anyconnectserver>/`

Alternative (same through the GUI):
1. set up a VPN configuration with only the gateway in the GNOME NetworkManager
2. start the VPN from NetworkManager

Actual results:
I get the following on standard output:

POST https://<anyconnectserver>/
Attempting to connect to server <ip>:443
Failed to set TLS priority string: The request is invalid.
Failed to open HTTPS connection to <anyconnectserver>
Failed to obtain WebVPN cookie

Expected results:
A successful connection.

Additional info:
According to some research in the openconnect source and in the GnuTLS reference, this means a syntax error in the priority string passed to the function `gnutls_priority_set_direct`. It may be directly related to this issue: http://git.infradead.org/users/dwmw2/openconnect.git/commit/3f72639c90b8792a290fe9187e03d91316e260c3
Comment 1 David Woodhouse 2015-11-01 05:44:07 EST
I don't think it should be that commit; that only fixes something that broke immediately before it. Can you show the priority string that's actually being used, please? You might capture it with ltrace, or maybe need to rebuild with an additional debug output.
Comment 2 Peio Borthelle 2015-11-01 08:05:54 EST
By reproducing the build process of the Fedora package I managed to reproduce the error: the priority string is "@SYSTEM" and this comes from the fact that the `configure` script is called with the `--with-default-gnutls-priority="@SYSTEM"` option (http://pkgs.fedoraproject.org/cgit/openconnect.git/tree/openconnect.spec?h=f22, `%configure` section). Removing this option appears to fix the bug.

According to the GnuTLS reference, "@SYSTEM" should be expanded at compile time, from a system configuration file. I noted that there is no such file on my system and even by adding one at the default location with some valid value (`SYSTEM=NORMAL:+ARCFOUR-128`), the priority string remains the same.
Comment 3 Nikos Mavrogiannopoulos 2015-11-02 04:32:13 EST
Is that a stock Fedora 22 system or modified in some way? In F22 you should have the crypto-policies package which should have generated the required files. If not, try running update-crypto-policies.
Comment 4 Peio Borthelle 2015-11-02 12:38:06 EST
Indeed, I am running chapeau-linux 22 (http://chapeaulinux.org/), a Fedora spin-off. The crypto-policies package was installed, but running `update-crypto-policies` fixed the bug; everything is fine now.

I am going to report this to the chapeau maintainer.
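A small diagnostic for the situation in comments 2 and 3, added here as an example and not code from openconnect, GnuTLS or the Fedora package: it expands "@KEYWORD" references in a GnuTLS-style priority string against a KEYWORD=VALUE priority file and reports when a keyword such as @SYSTEM has no definition, which is the condition that leaves openconnect with an unusable "@SYSTEM" string when the file crypto-policies should have generated is absent. The lookup is a simplified model of what GnuTLS does (an assumption), the file path is a parameter, and the sample file is constructed.

```shell
# resolve_priority PRIORITY CONFIG_FILE
# Expands every "@KEYWORD" element of a colon-separated GnuTLS-style priority
# string using the first "KEYWORD=VALUE" line of CONFIG_FILE. This is a
# simplified model of the lookup GnuTLS performs for "@SYSTEM" (assumption),
# meant for checking why an "@SYSTEM" default cannot be applied on a host.
# Prints the expanded string and returns 0; prints a diagnostic on stderr and
# returns 1 when the file is unreadable or a keyword is undefined.
resolve_priority() {
    prio=$1
    cfg=$2
    if [ ! -r "$cfg" ]; then
        echo "priority file $cfg is missing or unreadable" >&2
        return 1
    fi
    out=""
    old_ifs=$IFS
    IFS=:
    for part in $prio; do
        case $part in
        @*)
            key=${part#@}
            # first non-comment KEYWORD= line; everything after '=' is the value
            val=$(grep -v '^[[:space:]]*#' "$cfg" | grep "^$key=" | head -n 1 | cut -d= -f2-)
            if [ -z "$val" ]; then
                IFS=$old_ifs
                echo "keyword @$key is not defined in $cfg" >&2
                return 1
            fi
            part=$val
            ;;
        esac
        out="${out:+$out:}$part"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed sample priority file (not the real system file) for a demo run.
demo_dir=$(mktemp -d)
printf 'SYSTEM=NORMAL:-VERS-SSL3.0\n' > "$demo_dir/gnutls.config"
resolve_priority '@SYSTEM' "$demo_dir/gnutls.config"         # expands the keyword
resolve_priority '@SYSTEM' "$demo_dir/no-such-file" || true  # the missing-file case
```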
