Closed robertzaage closed 2 months ago
Yep, OpenSSL 3 issue. I don’t believe the “legacy” trick that they did has any real world value other than causing havoc. They should have removed it or kept it as was. We’ve seen a number of broken things now because of it. 😉
Though I’m not sure if OpenConnect can actually allow this per config?
Cheers, Franco
I think we need a new "Allow insecure crypto" option which adds /usr/local/sbin/openconnect --allow-insecure-crypto
to the program call. If you want, I can try my luck and prepare a PR for this. According to their docs this option can also be set in the config file. 🙂
That would be nice. Make sure the OpenConnect version in FreeBSD ports supports this, otherwise we should aim to update the version there first.
OPNsense update last night is now showing this:

    root@opnsense:~ # openconnect --protocol=gp vpn.server.com -u username
    POST https://vpn.server.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
    Failed to connect to [ipv6]:443: Operation timed out
    Connected to ipv4
    SSL negotiation with vpn.server.com
    SSL connection failure
    00D0C42908000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:894:
    Failed to open HTTPS connection to vpn.server.com
    Failed to complete authentication
Describe the bug
OpenConnect can't set up the connection due to a failing TLS handshake.
To Reproduce
Steps to reproduce the behavior from CLI:

or just use curl:
Expected behavior
A successful TLS handshake and a working VPN connection via openconnect.
Additional context
The VPN in use is an older Cisco ASA which doesn't get OpenSSL updates anymore. There are some workarounds available to re-enable renegotiation, but this really shouldn't be done on a system-wide level.
See: https://github.com/openssl/openssl/issues/21296
Regression was introduced in 24.1: "ports: openssl 3.0.12[6]"
From the OpenSSL changelog: "Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed."
Environment
OPNsense 24.1.1-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.13
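An added example, not code from this issue or from the OPNsense openconnect plugin: a POSIX sh helper that classifies a gateway's RFC 5746 status from `openssl s_client` output (including the abort message quoted above) and, only for the legacy case, writes `allow-insecure-crypto` into one openconnect profile file instead of relaxing the system-wide OpenSSL configuration. It assumes `openssl` is on the PATH; the sample output, host, user and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the OPNsense thread or plugin): classify an endpoint's
# renegotiation support and scope any relaxation to one openconnect profile.
set -eu

# Classify `openssl s_client` output (stdout+stderr) read from stdin:
#   secure  - RFC 5746 negotiated, or TLS 1.3 (which has no renegotiation at all)
#   legacy  - server lacks RFC 5746: either s_client reports it, or a strict
#             OpenSSL 3 client aborted with "unsafe legacy renegotiation disabled"
#   unknown - no verdict in the output (e.g. the TCP connection never came up)
renego_status() {
    out=$(cat)
    case "$out" in
        *"unsafe legacy renegotiation disabled"*)   echo legacy ;;
        *"Secure Renegotiation IS supported"*)      echo secure ;;
        *"TLSv1.3"*)                                echo secure ;;
        *"Secure Renegotiation IS NOT supported"*)  echo legacy ;;
        *)                                          echo unknown ;;
    esac
}

# Live probe (needs network). s_client still prints its summary when the
# handshake is aborted, so the verdict survives the failure seen in the thread.
probe_renego() {  # usage: probe_renego HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>&1 | renego_status
}

# Write a profile for `openconnect --config FILE HOST`. Long options go one per
# line without the leading dashes, so allow-insecure-crypto applies to this VPN
# profile only, unlike an UnsafeLegacyRenegotiation edit in openssl.cnf.
write_profile() {  # usage: write_profile FILE USER STATUS
    {
        echo "# generated profile; pass the gateway host on the command line"
        echo "protocol=gp"
        echo "user=$2"
        if [ "$3" = legacy ]; then
            echo "allow-insecure-crypto"
        fi
    } >"$1"
}

# Constructed sample of what a strict OpenSSL 3 client sees against an old ASA.
SAMPLE_LEGACY='CONNECTED(00000003)
error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled
no peer certificate available
Secure Renegotiation IS NOT supported'

status=$(printf '%s\n' "$SAMPLE_LEGACY" | renego_status)   # legacy
echo "sample endpoint: $status"
```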