Package: network-manager-openconnect
Version: 1.2.10-3+b1
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

* What led up to the situation?

Recent updates to our University's VPN, requiring upgrades to Cisco Secure Client 5.1.10.233 (Release Notes: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/release/notes/release-notes-cisco-secure-client-5-1.html#secure-client-5-1-10-xxx-new-features), have made it impossible to connect with network-manager-openconnect any longer.

Before this, in order to log in using SSO, the User-Agent had to be set to "AnyConnect" in order to get a WebView. Then, a user and password could be used and, after that, 2FA. Once the 2FA was successful, the VPN connection was established.

Now, after 2FA is successful, VPN connection fails with these messages in the system log:

```
Connected to <VPN_IP>:443
SSL negotiation with <VPN_HOST>
Server certificate verify failed: signer not found
Connected to HTTPS on <VPN_HOST> with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-128-GCM)
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.
```

* What exactly did you do (or not do) that was effective (or ineffective)?

I've been troubleshooting over the past several days and nothing has been effective in getting a successful connection.

The Cisco Secure Client for Linux of course works.

Using a two-stage method on the command line with openconnect-sso and openconnect works. For example:

1) openconnect-sso -s https://<VPN_HOST> --ac-version "5.1.10.233" --authenticate shell

This returns a COOKIE string upon success.

2) sudo sh -c 'echo "<COOKIE>" | openconnect --protocol=anyconnect \
   --cookie-on-stdin --useragent="AnyConnect" VPN_HOST'

This establishes the VPN connection.

Thus, it seems it is network-manager-openconnect's inability to properly handle the cookie which causes the "certificate verify failed" and subsequent errors.

-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openconnect depends on:
ii  adduser          3.152
ii  libc6            2.41-12
ii  libglib2.0-0t64  2.84.4-2
ii  libnm0           1.52.1-1
ii  libopenconnect5  9.12-3
ii  network-manager  1.52.1-1
ii  openconnect      9.12-3

network-manager-openconnect recommends no packages.

network-manager-openconnect suggests no packages.

-- no debconf information

