Description of problem:
Trying to connect to the corporate VPN with a weak DH prime results in an error.
Version-Release number of selected component (if applicable):
Always (when connecting to a VPN server that is insecure)
Steps to Reproduce:
1. $ openconnect <redacted>
Connected to <redacted>:443
SSL negotiation with <redacted>
SSL connection failure: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Failed to open HTTPS connection to <redacted>
Failed to obtain WebVPN cookie
This issue is new in Fedora 28 (Fedora 27 works fine).
Note that I agree that the VPN server is in the wrong here. But, IT departments are super slow and not exactly security conscious - especially when no Windows or Mac users are impacted. The IT department is not likely to care that the one Linux user can no longer connect to the VPN, even if the VPN server is a security liability. So, there needs to be a way to override this behavior and allow the connection to be established.
That's because of:
Just faced the same problem. Upgraded yesterday to F28 for testing purposes, now I cannot connect to the VPN of the company anymore. Don't know if it's easy for the IT of that company to upgrade the DH key to 2k (or better more).
I guess this is not a bug, it is more kind of a feature. When the server is badly configured (low security), it makes sense to block the connection instead of silently allowing it.
Have to use Windows 7 now to connect to the VPN :X
You can work around it as 'update-crypto-policies --set LEGACY'
Thanks, it's working :)
Is there a way the error handling can be improved here? Should OpenConnect respond to GNUTLS_E_DH_PRIME_UNACCEPTABLE by printing some message about "check your distribution's crypto policies"?
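The length check behind the "not long enough" error can be reproduced offline against a server's dhparam file before it is deployed, so an administrator can see the rejection without a client round-trip. This is an added example, not code from this report, openconnect or GnuTLS: it parses PKCS#3 DHParameter DER and compares the prime's bit length against a minimum; the 2048/1024 thresholds and the sample moduli are assumptions for illustration.

```python
"""Parse a DER-encoded PKCS#3 DHParameter (SEQUENCE { INTEGER p, INTEGER g })
and test the prime length against a minimum, the same kind of check that
rejected the server in this report. Added example, not openconnect code."""

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n: int) -> bytes:
    """DER INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_params(p: int, g: int) -> bytes:
    """Build the DHParameter SEQUENCE (used here only to construct samples)."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(der: bytes):
    """Return (p, g) from a DHParameter blob, rejecting unexpected tags."""
    tag, body, _ = _read_tlv(der, 0)
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_prime_acceptable(der: bytes, min_bits: int) -> bool:
    """True when the prime meets min_bits (a policy value, assumed here)."""
    return parse_dh_params(der)[0].bit_length() >= min_bits

# Constructed samples: 1024- and 2048-bit moduli with the top bit set. They are
# NOT real safe primes, only stand-ins that exercise the length check.
SHORT_DH = encode_dh_params((1 << 1023) | 1, 2)
LONG_DH = encode_dh_params((1 << 2047) | 1, 2)
```

dh_prime_acceptable(SHORT_DH, 2048) is the rejection this report hit, while dh_prime_acceptable(SHORT_DH, 1024) shows what a relaxed minimum lets through; a real parameter file converted with `openssl dhparam -in dh.pem -outform DER -out dh.der` can be checked the same way.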
It is not only an issue on openconnect. I'm considering lowering that value:
crypto-policies-20180306-1.gitaea6928.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b849029629
crypto-policies-20180306-1.gitaea6928.fc28, openssh-7.6p1-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b849029629
crypto-policies-20180306-1.gitaea6928.fc28, openssh-7.6p1-7.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.