Openconnect hangs upon connecting

Bug #881720 reported by Tom Ellis
This bug affects 3 people
Affects                | Status        | Importance | Assigned to             | Milestone
openconnect (Ubuntu)   | Fix Released  | Medium     | Mathieu Trudel-Lapierre |
  Oneiric              | Won't Fix     | Undecided  | Unassigned              |
  Precise              | Fix Released  | Medium     | Mathieu Trudel-Lapierre |

Bug Description

= Problem =

* Openconnect hangs when establishing DTLS tunnel to Cisco ASA Gateways

* Hang can be for approximately 30 seconds

= Environment =

* Ubuntu 11.10 (Oneiric) i386
* Cisco Adaptive Security Appliance (ASA) (Firmware 8.4.1 11)
* Openconnect (3.02-1)

= Steps to reproduce =

1. Setup Openconnect
2. Connect to your ASA Gateway
3. Hang will occur for 30 seconds
4. Connection will then be established

= Resolution =

* Wait 30 seconds on connection

* Upgrade to Openconnect 3.12 or above

= Cause =

The issue is known upstream and fixed in version 3.12 and above.
The following patch looks to be related to the fix:
http://git.infradead.org/users/dwmw2/openconnect.git/commit/9785d0c0475c6d185c15bb0d63d170cb3c4581d9

Tags: pse
Tom Ellis (tellis) wrote :

This is affecting Oneiric and has been fixed upstream already, according to: http://www.infradead.org/openconnect/changelog.html

"OpenConnect v3.12 — 2011-09-12
Fix DTLS compatibility with ASA firmware 8.4.1(11) and above."

This seems SRU worthy since it will be impacting any users who are connecting to an ASA with new firmware.

description: updated
Mathieu Trudel-Lapierre (cyphermox) wrote :

Yes, let's consider this for SRU, I'll start getting that package prepared.

Changed in openconnect (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
pittipatti (pittipatti) wrote :

A new version of "openconnect" implies a new build of "network-manager-openconnect-gnome" against the new version of "openconnect" as well, since the auth-dialog[1] in this package gives HTTPS connection errors when built against v3.02 of openconnect.

[1] /usr/lib/NetworkManager/nm-openconnect-auth-dialog

dwmw2 (dwmw2) wrote :

pittipatti is correct. I'll elucidate...

Long ago (commit 3bee59c in v2.26) we switched from using TLSv1 to SSLv3, because some servers (or their firewalls) seem to reject any connections with Hello extensions.

In v3.11 (commit 4ad3d6c) we changed that again, because some servers also reject SSLv3 connections. Now we use TLSv1 but explicitly disable extensions. This should work everywhere.

We have *also* made openconnect export this code as a proper shared library, so when things like that are updated it will automatically take effect in the auth-dialog too. Older versions (including v3.02) only exported a *static* library because we weren't quite ready to call the API "stable" at that point.

What you need to do is update the openconnect package and make sure you're installing the shared library, and then make sure your network-manager-openconnect (and kde4-plasma-networkmanagement) packages are using the *shared* library for their authentication dialogs.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Oh, but in this case we won't be shipping 3.11; just cherry-picking the relevant issues. Shouldn't this just work?

Unfortunately I'm just relying on help to test this, since I don't have the required infrastructure.

Tom Ellis (tellis) wrote :

I will be able to get the package tested.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Hi all,

openconnect 3.02-1ubuntu1 was accepted in oneiric-proposed 4 weeks ago already (https://launchpad.net/ubuntu/+source/openconnect/3.02-1ubuntu1).

Tom, could you please try to get testing done for this and confirm whether it's working properly?

tags: added: verification-needed
dwmw2 (dwmw2) wrote :

I've just installed Oneiric into a VM and tested it.

Firstly, network-manager-openconnect isn't installed by default. So users will be confused and may even try installing the horridly broken Cisco AnyConnect stuff. Please fix that. The VPN packages for NetworkManager are *so* small it's not worth *not* having them.

Secondly, after installing the package the first connection attempt fails thus:
Dec 2 19:15:43 oneiric NetworkManager[831]: <info> VPN plugin state changed: 1
Dec 2 19:15:44 oneiric NetworkManager[831]: <error> [1322853344.24434] [nm-vpn-connection.c:882] get_secrets_cb(): Failed to request VPN secrets #2: (6) No agents were available for this request.

I ran nm-applet from a terminal (giving me two of them in the panel), and then it worked. I don't think my server is yet updated to the firmware revision which objects to the DTLS retries, but tcpdump seems to confirm that we *aren't* sending the duplicate Change Cipher Spec and Encrypted Handshake messages that were causing the problem. Which is what I'd expect, since you are using OpenSSL 1.0.0e.

It *is* still using SSLv3 though, which is fixed by upstream commit 4ad3d6ce4c8f103a724c0632e483a8494f92ddaf
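
As an added example (not code from this bug report or from the OpenConnect project), the Python script below performs the two checks dwmw2 describes in the comments above: it reports whether a captured ClientHello is SSLv3 or TLSv1 and whether it carries any Hello extensions, and it counts ChangeCipherSpec records per DTLS epoch so a duplicated CCS flight shows up as a count greater than one. Record and handshake layouts follow the TLS 1.0/1.2 and DTLS 1.0 RFCs; the sample records are constructed inline (the `build_*` helpers, the fixed random bytes and the single cipher suite are this example's own assumptions). In practice you would feed `inspect_client_hello` the TCP/443 payload and `count_change_cipher_spec` the UDP/443 payloads extracted from a tcpdump or tshark capture.

```python
"""Inspect captured TLS/DTLS handshake bytes: ClientHello version and
extension presence, plus ChangeCipherSpec counts per DTLS epoch.
Added example, not OpenConnect code; all sample bytes are constructed."""
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0xFEFF: "DTLSv1.0", 0xFEFD: "DTLSv1.2"}
CHANGE_CIPHER_SPEC, HANDSHAKE, CLIENT_HELLO = 20, 22, 1


def iter_records(data, dtls=False):
    """Yield (content_type, record_version, epoch, fragment) for each record.
    TLS record header is 5 bytes; DTLS adds a 2-byte epoch and 6-byte seq."""
    hdr = 13 if dtls else 5
    off = 0
    while off + hdr <= len(data):
        ctype, rver = struct.unpack_from("!BH", data, off)
        epoch = struct.unpack_from("!H", data, off + 3)[0] if dtls else 0
        length = struct.unpack_from("!H", data, off + hdr - 2)[0]
        frag = data[off + hdr:off + hdr + length]
        if len(frag) != length:
            raise ValueError("truncated record at offset %d" % off)
        yield ctype, rver, epoch, frag
        off += hdr + length


def parse_client_hello(body):
    """Return (client_version, has_extensions) from a ClientHello body."""
    cver = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32                                          # version + random
    off += 1 + body[off]                                  # session_id
    off += 2 + struct.unpack_from("!H", body, off)[0]     # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    # The extensions block is optional: a client that sends none ends here.
    return cver, off < len(body)


def inspect_client_hello(stream):
    """First ClientHello in a TLS stream -> (record ver, client ver, has_ext)."""
    for ctype, rver, _epoch, frag in iter_records(stream):
        if ctype != HANDSHAKE or frag[0] != CLIENT_HELLO:
            continue
        hs_len = int.from_bytes(frag[1:4], "big")
        cver, has_ext = parse_client_hello(frag[4:4 + hs_len])
        return VERSIONS.get(rver, hex(rver)), VERSIONS.get(cver, hex(cver)), has_ext
    raise ValueError("no ClientHello found")


def count_change_cipher_spec(stream, dtls=True):
    """Map epoch -> number of ChangeCipherSpec records seen in that epoch.
    More than one in an epoch means the sender repeated CCS, the symptom
    the thread ties to the hang against newer ASA firmware."""
    counts = {}
    for ctype, _rver, epoch, _frag in iter_records(stream, dtls):
        if ctype == CHANGE_CIPHER_SPEC:
            counts[epoch] = counts.get(epoch, 0) + 1
    return counts


# --- constructed sample records (assumed values, not captured traffic) ---
def build_client_hello(record_version, client_version, with_extensions):
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f"            # one cipher suite
    body += b"\x01\x00"                                   # null compression
    if with_extensions:
        ext = b"\x00\x00" + struct.pack("!H", 0)          # empty server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(hs)) + hs


def build_dtls_record(ctype, epoch, seq, payload):
    return (struct.pack("!BH", ctype, 0xFEFF) + struct.pack("!H", epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(payload)) + payload)


OLD_HELLO = build_client_hello(0x0300, 0x0300, False)   # SSLv3, as in 3.02
NEW_HELLO = build_client_hello(0x0301, 0x0301, False)   # TLSv1, no extensions
EXT_HELLO = build_client_hello(0x0301, 0x0301, True)    # TLSv1 with extensions
GOOD_CCS = (build_dtls_record(CHANGE_CIPHER_SPEC, 0, 1, b"\x01")
            + build_dtls_record(HANDSHAKE, 1, 0, b"\x00" * 16))
DUP_CCS = (GOOD_CCS + build_dtls_record(CHANGE_CIPHER_SPEC, 0, 2, b"\x01")
           + build_dtls_record(HANDSHAKE, 1, 1, b"\x00" * 16))

if __name__ == "__main__":
    for name, hello in (("3.02-style", OLD_HELLO), ("3.11-style", NEW_HELLO),
                        ("extensions", EXT_HELLO)):
        print(name, inspect_client_hello(hello))
    print("duplicate CCS per epoch:", count_change_cipher_spec(DUP_CCS))
```

The version check mirrors the history in dwmw2's earlier comment: a 3.02 client shows up as SSLv3 with no extensions, a 3.11+ client as TLSv1.0 with no extensions, and a stock OpenSSL client as TLSv1.0 with extensions. For the DTLS check, run it over the first few UDP/443 records of a fresh connection; a clean handshake has exactly one ChangeCipherSpec in epoch 0.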

dwmw2 (dwmw2) wrote :

While you're at it, you want to pick up this commit if you're building with libproxy support:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/88f79bb89

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openconnect (Ubuntu Oneiric):
status: New → Confirmed
Changed in openconnect (Ubuntu Precise):
status: In Progress → Fix Released
Brian Murray (brian-murray) wrote : Verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Brian Murray (brian-murray) wrote :

The version of openconnect in oneiric-proposed has been removed as the bugs it was fixing (including this one) were not verified in a timely fashion.

Changed in openconnect (Ubuntu Oneiric):
status: Confirmed → Triaged
tags: removed: verification-needed
tags: removed: removal-candidate
Rolf Leggewie (r0lf) wrote :

oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".

Changed in openconnect (Ubuntu Oneiric):
status: Triaged → Won't Fix