Advertisements
After I upgraded from Fedora 32 to Fedora 33 suddenly one of my VPNs started to refuse to work.
[root@localhost ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug -v
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to xxx.xxx.xxx.xxx
Failed to obtain WebVPN cookieOn another machine that was not updated Fedora 32 it worked
[root@nas4 ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:C0SdphdMszJEgY2qx29Jl7leJTPwt8Iyif+KB9tAkAk=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/+webvpn+/index.html
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Please enter your username and password.
The I noticed in some release notes that in Fedora 33 several ciphers were completely removed.
Yes, I know we should not use unsecured ciphers but what can I do if the VPN server is not under my control and I am still forced to support a client that runs it.
The magic command is:
update-crypto-policies --set LEGACYThe above will make sure that the old deprecated ciphers are still allowed.