Bug 553817 - openconnect 2.20 broken my VPN connection.
Summary: openconnect 2.20 broken my VPN connection.
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-01-08 23:39 UTC by Arnold Wang
Modified: 2010-01-12 23:51 UTC (History)
1 user (show)

Fixed In Version: 2.21-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-01-12 23:35:17 UTC
Type: ---

Attachments (Terms of Use)

Description Arnold Wang 2010-01-08 23:39:52 UTC
Description of problem:
I have been using OpenConnect to connect my company's ASA VPN server for a while. However, after it is upgraded to 2.20 recently, it stopped working. When I tried to connect, it just hung after it finished SSL negotiation. I was not even prompted for user name and password.

Version-Release number of selected component (if applicable):
openconnect 2.20

How reproducible:
The problem is consistent, as far as I can tell.

Steps to Reproduce:
1. Open NetworkManager, select VPN connection
2. Select the server I need connect to.
Actual results:
It just hung. According to the log, it found the server and finished SSL negotiation.

Expected results:
I would b e prompted for username and password.

Additional info:
I down graded openconnect to 2.12 and it started working again.

Comment 1 David Woodhouse 2010-01-09 13:19:48 UTC
Eep. Sorry about that.

You forgot to tell me the address of your VPN server, but thankfully Google provided that information. I was about to go down a rathole looking for problems in the UI code, but actually the problem is elsewhere -- it just fails on the initial connection even when you use openconnect on the command line.

The first response from the server is an HTTP redirect -- and in your case it looks like that's an HTTP 1.0 response not HTTP 1.1. And it looks like this commit was broken:

The code is now waiting for the HTTP server to send the response body and then close the connection -- but the HTTP server actually sent 'Connection: Keep-Alive' and 'Content-Length: 0' headers and _doesn't_ close the connection. So openconnect waits for ever.

It needs to be fixed to realise the HTTP 1.0 servers can use the Content-Length: header too.

I've committed a fix for that and will do a little more testing, then make a new release.

Thanks for the bug report, and sorry for the inconvenience.

Comment 2 David Woodhouse 2010-01-09 13:26:55 UTC
Please could you test the build at

Comment 3 Arnold Wang 2010-01-09 23:17:34 UTC
Sorry, I forgot to include the info about my VPN server. I will be more inclusive in the future.
The new build fixed my problem.

Comment 4 Arnold Wang 2010-01-10 06:05:20 UTC
Hi David,
I need the same patch for F11 as well. Can you send the link for the patch, src RPM or F11 x86_64 RPM?
Thanks again for the quick fix.

Comment 5 David Woodhouse 2010-01-10 09:03:21 UTC
The source RPM for the scratch build in comment #2 will rebuild on F-11.
Koji hides the source packages with the PPC binary packages for some reason -- you can find it if you follow the 'ppc' buildarch link from the above-linked scratch build, to http://koji.fedoraproject.org/koji/taskinfo?taskID=1911085

Alternatively, the patch is in the git tree which I linked to above. To make it apply cleanly, you'll want to apply the previous commit (the one about case sensitivity) too.

Comment 6 Arnold Wang 2010-01-11 05:59:06 UTC
Thanks. Both my F12 and F11 are working properly now.

Comment 7 Fedora Update System 2010-01-12 23:35:12 UTC
openconnect-2.21-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-01-12 23:51:11 UTC
openconnect-2.21-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.