Bug 472828 - Unable to connect to SSL-VPN on Cisco Adaptive Security Appliance running ASA OS older than 9.16 when compiled with openssl-3.0.x
Status: RESOLVED WORKSFORME
Alias: None
Product: plasmashell
Classification: Plasma
Component: Networking in general
Version: master
Platform: Gentoo Packages Linux
Importance: NOR normal
Target Milestone: 1.0
Assignee: Plasma Bugs List
Reported: 2023-07-31 07:27 UTC by Niels
Modified: 2024-12-23 18:23 UTC
Description Niels 2023-07-31 07:27:30 UTC
SUMMARY
***
Whenever you try to make a connection with openconnect to a Cisco Adaptive Security Appliance running ASA OS lower than 9.16, openconnect (compiled with openssl-3.0.x) refuses to connect and shows the following error: SSL connection failure
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

There is a workaround: connecting via the CLI using the --allow-insecure-crypto parameter. However, KDE does not have an option in the graphical interface for toggling this, giving an inconsistent user experience.

***


STEPS TO REPRODUCE
1. Make a VPN connection using openconnect (via networkmanager-qt) compiled with the openssl-3.0.x library to a Cisco ASA running ASA OS older than 9.16.
2. Observe the result

OBSERVED RESULT
xxxx:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../openssl-3.0.9/ssl/statem/extensions.c:893:

EXPECTED RESULT
A working VPN connection

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Gentoo Linux 2.13 / KDE Plasma 5.27.6
KDE Plasma Version: 5.27.6
KDE Frameworks Version: 5.108.0
Qt Version: 5.15.10

ADDITIONAL INFORMATION
Comment 1 Niels 2024-07-22 14:37:27 UTC
I've resolved the issue by compiling openconnect with gnutls instead of openssl. This resolves the issue for me.
Comment 2 Ben Cooksley 2024-12-23 18:23:36 UTC
Bulk transfer as requested in T17796
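
An added example, not part of the original report and not openconnect or KDE code: the "unsafe legacy renegotiation disabled" error in the description is OpenSSL 3.0 rejecting a server whose ServerHello lacks the RFC 5746 renegotiation_info extension. The sketch below parses a captured ServerHello record (TLS 1.2 or earlier) and reports whether the gateway advertises that extension, so affected appliances can be identified for upgrade; the function names and the sample records are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a TLS record carrying a ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record that starts with a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 34 + 1 + hello[34] + 3  # version, random, session_id, cipher, compression
    if pos == hs_len:             # server sent no extensions block at all
        return {}
    if pos + 2 > hs_len:
        raise ValueError("session_id overruns ServerHello")
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos, exts = pos + 2, {}
    while pos + 4 <= end <= hs_len:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        if pos + 4 + elen > end:
            raise ValueError("extension overruns extensions block")
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    if pos != end:
        raise ValueError("malformed extensions block")
    return exts

def renegotiation_status(record: bytes) -> str:
    """Classify the server as an RFC 5746 client would on an initial handshake."""
    data = parse_server_hello_extensions(record).get(RENEGOTIATION_INFO)
    if data is None:
        return "legacy"      # the case OpenSSL 3.0 refuses by default
    # On a first handshake renegotiated_connection must be empty: one zero length byte.
    return "secure" if data == b"\x00" else "malformed"

def build_server_hello(extensions: dict) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ServerHello record."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(renegotiation_status(build_server_hello({})))
    print(renegotiation_status(build_server_hello({RENEGOTIATION_INFO: b"\x00"})))
```

A "legacy" result on a real capture means the server side needs the fix; the client-side workaround only relaxes the check.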