Support for old VPNs using legacy ciphers on #Fedora #Linux

By George Valentin Voina | January 29, 2021

After I upgraded from Fedora 32 to Fedora 33, one of my VPNs suddenly refused to work.

[root@localhost ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug -v
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to xxx.xxx.xxx.xxx
Failed to obtain WebVPN cookie

On another machine that had not been updated and was still running Fedora 32, it worked:

[root@nas4 ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:C0SdphdMszJEgY2qx29Jl7leJTPwt8Iyif+KB9tAkAk=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/+webvpn+/index.html
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Please enter your username and password.

Then I noticed in the release notes that Fedora 33 removed several ciphers from the default crypto policy (the server above only negotiates TLS 1.0 with an RSA/AES-128-CBC/SHA1 ciphersuite, which is exactly what the new default rejects).
Yes, I know we should not use insecure ciphers, but what can I do if the VPN server is not under my control and I am still obliged to support a client that runs it?

The magic command is:

update-crypto-policies --set LEGACY

This switches the system-wide crypto policy to LEGACY, which re-enables TLS 1.0/1.1 and the old deprecated ciphers for every application that follows the policy (openconnect's GnuTLS backend included), not just for this one VPN. You can check the active policy with update-crypto-policies --show, and switch back with update-crypto-policies --set DEFAULT once the server is upgraded.
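Before flipping the policy on a machine, it helps to confirm that the failure really is the crypto policy rejecting an old TLS handshake. The following POSIX shell script is an added example, not from the original post: it inspects openconnect debug output (constructed here from the excerpts above, with the same xxx.xxx.xxx.xxx placeholder) and reports whether the LEGACY policy is what is needed.

```shell
#!/bin/sh
# Added example: decide from an openconnect debug log whether the Fedora 33+
# crypto policy is what broke the VPN (server only speaks TLS 1.0/1.1).

# Constructed log excerpts modelled on the post's output.
F33_LOG='SSL negotiation with xxx.xxx.xxx.xxx
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to xxx.xxx.xxx.xxx'

F32_LOG='SSL negotiation with xxx.xxx.xxx.xxx
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)'

# Print the TLS version from openconnect's "ciphersuite (TLS1.x)-..." line, or "none".
negotiated_tls() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ciphersuite (\(TLS1\.[0-9]\)).*/\1/p' \
        | head -n 1 | grep . || echo none
}

# Print "legacy" when the log shows a TLS < 1.2 handshake (old Fedora, where it
# still worked) or GnuTLS's version error (new Fedora, where the policy refuses
# it); print "default" for anything else, e.g. a healthy TLS 1.2 connection.
policy_needed() {
    case $(negotiated_tls "$1") in
        TLS1.0|TLS1.1) echo legacy; return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -q 'illegal or unsupported version'; then
        echo legacy
    else
        echo default
    fi
}

# Print the command to run (it is not executed here, so the script also runs
# on systems without update-crypto-policies); the reader runs it as root.
suggest_fix() {
    if [ "$(policy_needed "$1")" = legacy ]; then
        echo 'update-crypto-policies --set LEGACY   # later: update-crypto-policies --set DEFAULT'
    else
        echo 'no policy change needed'
    fi
}

suggest_fix "$F33_LOG"
```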

3 thoughts on “Support for old VPNs using legacy ciphers on #Fedora #Linux”

  1. Don Beusee

    Thanks! That command helped me too in FC35 after upgrading to it! 🙂

  2. myapit

    Thanks a lot, your magic command worked on my Fedora 34. It happened to me after upgrading to F34.

    1. George Valentin Voina Post author

      I am glad it was a helpful post. I remember it took me two days to realize what to do. Having a new “SECURE” system is OK, but sometimes people forget that there are people out there who have to maintain decades-old stuff 🙁
