cannot connect to vpn server hosted by cisco vpn with error message "tls fatal alert has been received"

[yixuan178]

Android 10, Openconnect 1.15 for Android. Log show in the screenshot. Any idea how to resove? I can use openconnect PC client (openconnect gui VPN client) 1.5.3 (32bit) to connect.

[dlenski]

Your server only supports TLSv1 with ancient and insecure 3DES cipher. (The IP address was easily visible in the original screenshot and you can use https://github.com/drwetter/testssl.sh to test it.)

$ ./testssl.sh A.B.C.D
…
 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
 Strong encryption (AEAD ciphers) with no FS       not offered
 Forward Secrecy strong encryption (AEAD ciphers)  not offered

 Testing server's cipher preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1
 Negotiated cipher            DES-CBC3-SHA
 Cipher per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3 (server order)
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
TLSv1 (server order)
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
TLSv1.1
 - 
TLSv1.2
 - 
TLSv1.3
 - 

I can use openconnect PC client (openconnect gui VPN client) 1.5.3 (32bit) to connect.

It's basically an accident that some older versions of OpenConnect support these servers, if built with the right GnuTLS or OpenSSL library.

I very recently added explicit support for these ancient servers with insecure crypto in OpenConnect !114. In order to reliably support these in ics-openconnect, we'll need to update to a very version of libopenconnect5 (and add an "Allow insecure crypto" checkbox in the config).

I'll probably get to it eventually, but don't hold your breath… building and testing the Android client is kind of a pain. :face_with_head_bandage:

[yixuan178]

@dlenski thanks for your response and ssl query :-D. can I know if 1.14 android app has that capability? for my app version is 1.15, can I understand I should have that parameter? how i can enable it and try to connect? i download it from https://play.google.com/store/apps/details?id=com.github.digitalsoftwaresolutions.openconnect&hl=zh&gl=US

Actually, when I used another mobile that connects that server successfully before, I also get a failed result. That is confusing me and confirm with the VPN maintainer if there has changed recently, the answer is not. :-(

[dlenski]

No released version of the Android app will reliably support these ancient servers. These servers require specific support in the OpenConnect library that wasn't added until long after the Android app was developed.

You'd need to rebuild from source to test, and enable the "insecure crypto" flag in the library.

That is confusing me and confirm with the VPN maintainer if there has changed recently, the answer is not. :-(

Traffic through this VPN should generally not be considered secure because of the ancient cryptographic algorithms that it uses.