SUMMARY
***
Whenever you try to make a connection with openconnect to a Cisco Adaptive Security Appliance running ASA OS lower than 9.16, openconnect (compiled with openssl-3.0.x) refuses to connect and shows the following error:

SSL connection failure
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

There is a workaround, which is to connect via the CLI using the --allow-insecure-crypto parameter, but KDE does not have an option in the graphical interface for toggling the option, giving an inconsistent user experience.
***

STEPS TO REPRODUCE
1. Make a VPN connection using openconnect (via networkmanager-qt) compiled with the openssl-3.0.x library to a Cisco ASA running ASA OS older than 9.16.
2. Observe the result

OBSERVED RESULT
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

EXPECTED RESULT
A working VPN connection

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Gentoo Linux 2.13 / KDE Plasma 5.27.6
KDE Plasma Version: 5.27.6
KDE Frameworks Version: 5.108.0
Qt Version: 5.15.10

ADDITIONAL INFORMATION
I've resolved the issue by compiling openconnect with gnutls instead of openssl. This resolves the issue for me.
Bulk transfer as requested in T17796