Bug 472828

Summary: Unable to connect to SSL-VPN on Cisco Adaptive Security Appliance running ASA OS older than 9.16 when compiled with openssl-3.0.x
Product: [Plasma] plasmashell
Reporter: Niels <nvaert1986>
Component: Networking in general
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED WORKSFORME
Severity: normal
CC: lamarque, lukas.tinkl, nate, nicolas.fella
Priority: NOR    
Version First Reported In: master   
Target Milestone: 1.0   
Platform: Gentoo Packages   
OS: Linux   

Description Niels 2023-07-31 07:27:30 UTC
SUMMARY
***
Whenever you try to make a connection with openconnect to a Cisco Adaptive Security Appliance running ASA OS lower than 9.16, openconnect (compiled with openssl-3.0.x) refuses to connect and shows the following error: SSL connection failure
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

There is a workaround: connecting via the CLI using the --allow-insecure-crypto parameter, but KDE does not have an option in the graphical interface for toggling the option, giving an inconsistent user experience.

***


STEPS TO REPRODUCE
1. Make a VPN connection using openconnect (via networkmanager-qt) compiled with the openssl-3.0.x library to a Cisco ASA running ASA OS older than 9.16.
2. Observe the result

OBSERVED RESULT
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

EXPECTED RESULT
A working VPN connection

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Gentoo Linux 2.13 / KDE Plasma 5.27.6
KDE Plasma Version: 5.27.6
KDE Frameworks Version: 5.108.0
Qt Version: 5.15.10

ADDITIONAL INFORMATION
Comment 1 Niels 2024-07-22 14:37:27 UTC
I've resolved the issue by compiling openconnect with gnutls instead of openssl. This resolves the issue for me.
Comment 2 Ben Cooksley 2024-12-23 18:23:36 UTC
Bulk transfer as requested in T17796
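
The error quoted in the description is OpenSSL 3.0 refusing a TLS 1.2-or-earlier server whose ServerHello lacks the RFC 5746 renegotiation_info extension. The following is an added example, not part of the original report or of openconnect: a Python check of a captured ServerHello record for that extension. The function names and sample records are constructed for illustration, and it assumes the record holds only the ServerHello.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type defined by RFC 5746

def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying only a ServerHello; return {ext_type: data}."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len != len(record) - 5 or hs_len != rec_len - 4 or hs_len < 38:
        raise ValueError("truncated or fragmented ServerHello")
    pos = 2 + 32                       # skip server_version and random
    pos += 1 + hello[pos] + 2 + 1      # session_id, cipher_suite, compression
    end = len(hello)
    exts = {}
    if pos == end:                     # hello without any extensions block
        return exts
    if pos + 2 > end or pos + 2 + int.from_bytes(hello[pos:pos + 2], "big") != end:
        raise ValueError("bad extensions block length")
    pos += 2
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4 + elen
        if pos > end:
            raise ValueError("extension overruns message")
        exts[etype] = hello[pos - elen:pos]
    return exts

def offers_secure_renegotiation(record: bytes) -> bool:
    """True if the server sent renegotiation_info, which OpenSSL 3.0 requires by default."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)

def make_hello(extensions: bytes) -> bytes:
    """Build a constructed TLS 1.2 ServerHello (zero random, empty session_id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample records, not captured from a real appliance.
LEGACY = make_hello(b"")                        # no renegotiation_info sent
PATCHED = make_hello(b"\xff\x01\x00\x01\x00")   # empty renegotiated_connection
```

A server whose hello parses like LEGACY is the kind that triggers "unsafe legacy renegotiation disabled" on an OpenSSL 3.0 client with default options.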