fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

[BUG] Fedora 36 - Openconnect csd-post gives empty document and indefinitely connects #274

Closed Meister1593 closed 2 years ago

Meister1593 commented 2 years ago

**Describe the bug**
Openconnect csd post wrapper used for anyconnect vpn service fails unexpectedly with empty document returned from vpn.

**To Reproduce**
I'm not sure if it's possible to replicate locally (requires vpn credentials) but I will at least try to replicate it the way I did

  1. Install Silverblue 36
  2. In terminal - `sudo openconnect --user=user --csd-wrapper=/usr/libexec/openconnect/csd-post.sh hostname`
  3. It will repeatedly try to connect and never actually establish vpn connection. It will also output

    ```
    -:1.1: Document is empty

    ^
    -:1.1: Document is empty

    ^
    ```

    while trying to connect (only once)

**Expected behavior**
Openconnect has to establish connection and give login form to proceed further

**OS version:**

```
State: idle
BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
    Version: 36.20220508.0 (2022-05-08T00:42:01Z)
    BaseCommit: dd4ac38b4030e0192777eef2c243f1b2a777f6d6526fd52b84f0a2ec2984b6bb
    GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
    RemovedBasePackages: firefox 100.0-2.fc36 gnome-software gnome-software-rpm-ostree 42.0-4.fc36 vim-minimal 2:8.2.4845-1.fc36
    LayeredPackages: corectrl distrobox fish fzf gnome-tweaks google-roboto-fonts langpacks-en materia-gtk-theme neofetch neovim openssl python-pip rpmfusion-free-release rpmfusion-nonfree-release steam-devices xdotool xinput xmlstarlet-1.6.1-18.fc36.x86_64
    LocalPackages: logmein-hamachi-2.1.0.203-1.x86_64
```



**Additional context**
I recently moved from Kinoite 35 and there vpn worked perfectly fine.
I pinned that deployment in case something like this happened and on fresh user (I cleared configs and home data before installing Silverblue) my own user before installing, Kinoite 35 indeed works just fine with this vpn.

On Silverblue I tried downgrading openconnect to the same version as on Kinoite 35, but it still didn't work and had the same problem.
My assumption is that something is wrong with certificates but there are no errors about them, even if I place `set -x` in `csd-post.sh` (that I placed in home folder)

Also, there is `xmlstarlet` installed via overlays - this was kinda required for `csd-post.sh` script, it has fallback to use it without `xmlstarlet` but it also says that it might not work without it

Meister1593 commented 2 years ago

Reverting to b816b72d315ef8cbf6973095cdb9f4a72182ed0d3ff8c9ac33fb088b77b77ce6 ostree commit from 19th February does not solve the issue either (it has openconnect 8.10-8). I did it like so:

```
sudo ostree pull fedora:fedora/36/x86_64/silverblue --commit-metadata-only --depth=150
rpm-ostree deploy b816b72d315ef8cbf6973095cdb9f4a72182ed0d3ff8c9ac33fb088b77b77ce6
```

Meister1593 commented 2 years ago

Reverting to least available commit 186e73f4d1fd8cefa68a065c57d8c6bbbb9cc91cc4cb19707a91d488ddc17927 (from February 9th) does not fix the issue either.

Meister1593 commented 2 years ago

Reverting to Silverblue 35 (a49552f262d00a173d1e7e8d57e2afdad348e0974d1d372e92884a1679adf8e8) fixes the issue completely. I will stay on 35 until I have some sort of fix/workaround on 36, but I will keep 36 pinned for testing

tpopela commented 2 years ago

@Meister1593 would you mind reporting a bug in https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora against the openconnect component? I don't think that we will be able to help you here (we don't have the expertise).

Meister1593 commented 2 years ago

> @Meister1593 would you mind reporting a bug in https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora against the openconnect component? I don't think that we will be able to help you here (we don't have the expertise).

Opened report on bugzilla

travier commented 2 years ago

Closing this one as it has been reported upstream and will be tracked there and there is a workaround in https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1968467/comments/6.

drudoi commented 1 year ago

From https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1968467/comments/6 the following works for me:

```
$ cat > /tmp/openssl.conf <<EOF
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF

$ sudo OPENSSL_CONF=/tmp/openssl.conf openconnect <gateway> --csd-wrapper=/usr/lib/openconnect/csd-post.sh [other options]
```
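
An audit check for the workaround config above, added here as an example (it is not part of the thread, openconnect or OpenSSL): it follows the `openssl_conf` → `ssl_conf` → `system_default` chain and reports whether `UnsafeLegacyRenegotiation` ends up enabled, which is useful for confirming the relaxation lives only in the per-process `OPENSSL_CONF` file and not in a system-wide config. Assumptions: the parser handles only plain `[section]` and `key = value` lines (no `.include`, variables or continuations), flag names are compared case-insensitively, and the function names and the second sample config are constructed for illustration.

```python
import re

FLAG = "unsafelegacyrenegotiation"  # compared case-insensitively (assumption of this example)

# The config from the comment above, verbatim.
WORKAROUND = """\
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
"""

# Constructed sample: same chain, but the flag is explicitly switched off.
CONSTRUCTED_STRICT = WORKAROUND.replace("= Unsafe", "= -Unsafe")

def parse_conf(text):
    """Parse plain [section] / key = value lines into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def legacy_renegotiation_enabled(text):
    """Follow openssl_conf -> ssl_conf -> system_default and inspect Options."""
    conf = parse_conf(text)
    section = conf["default"]
    for pointer in ("openssl_conf", "ssl_conf", "system_default"):
        section = conf.get(section.get(pointer, ""), {})
    enabled = False
    for key, value in section.items():
        if key.lower() != "options":
            continue
        for item in value.split(","):  # comma-separated flags, "-" prefix disables
            item = item.strip()
            if item.lstrip("+-").lower() == FLAG:
                enabled = not item.startswith("-")
    return enabled
```

Reading a real file's text (for example the system OpenSSL config) into `legacy_renegotiation_enabled` should return `False` on a host where the workaround is applied only through `OPENSSL_CONF`.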