Openconnect vpn does not work on F36

Hello all!

I usually connect to my VPN using the openconnect module (via the network settings in KDE).
My typical configuration for it is:

  • VPN Protocol: Cisco AnyConnect
  • Gateway: SOMESERVER
  • Launch the Cisco Secure Desktop Trojan: Yes
  • CSD Shell Script: /usr/libexec/openconnect/csd-post.sh

This works fine on Fedora 35 Kinoite and other distributions, but after upgrading to Fedora 36 Kinoite, this configuration stopped working. After clicking on the connect button, an endless wait begins, and the system does not even ask me for a username and password. I checked Fedora 36 Kinoite, Fedora 36 Workstation, Fedora 36 KDE Spin - the problem is reproduced on all of them.

I have recorded the console output of the openconnect command:
Command:
openconnect SOMESERVER --csd-wrapper /usr/libexec/openconnect/csd-post.sh --dump-http-traffic

Working version on F35 Kinoite
POST https://SOMESERVER/
Attempting to connect to server 111.222.333.444:443
Connected to 111.222.333.444:443
SSL negotiation with SOMESERVER
Connected to HTTPS on SOMESERVER with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 221
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v8.10-7.fc35</version><device-id>linux-64</device-id><group-access>https://SOMESERVER</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 21 May 2022 11:20:43 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>DefaultWEBVPNGroup</tunnel-group>
< <config-hash>1648290003289</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <input type="password" name="secondary_password" label="Password:"></input>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>59DEE9875657B5C601051FA1</host-scan-ticket>
< <host-scan-token>20DEEC0818DE1DAB1BE853FA</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
XML POST enabled
************************************************************************
WARNING: xmlstarlet not found in path; CSD token extraction may not work
************************************************************************
<?xml version="1.0" encoding="UTF-8"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
GET https://SOMESERVER/+CSCOE+/sdesktop/wait.html
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Cookie: sdesktop=20DEEC0818DE1DAB1BE853FA
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sat, 21 May 2022 11:20:44 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
Location: /
Set-Cookie: sdesktop=20DEEC0818DE1DAB1BE853FA; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://SOMESERVER/
SSL negotiation with SOMESERVER
Connected to HTTPS on SOMESERVER with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Cookie: sdesktop=20DEEC0818DE1DAB1BE853FA
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 221
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v8.10-7.fc35</version><device-id>linux-64</device-id><group-access>https://SOMESERVER</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 21 May 2022 11:20:44 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>DefaultWEBVPNGroup</tunnel-group>
< <config-hash>1648290003289</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <input type="password" name="secondary_password" label="Password:"></input>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>625121D9745D34205F369723</host-scan-ticket>
< <host-scan-token>6C0968525E3314DD147AC0B4</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
Please enter your username and password.
Username:
Not working version on F36 Kinoite
POST https://SOMESERVER/
Attempting to connect to server 111.222.333.444:443
Connected to 111.222.333.444:443
SSL negotiation with SOMESERVER
Connected to HTTPS on SOMESERVER with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 221
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v8.10-7.fc35</version><device-id>linux-64</device-id><group-access>https://SOMESERVER</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 21 May 2022 11:17:42 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>DefaultWEBVPNGroup</tunnel-group>
< <config-hash>1648290003289</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <input type="password" name="secondary_password" label="Password:"></input>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>4E2B44F961CB6FC0130FFD43</host-scan-ticket>
< <host-scan-token>7EAE12F26F6B45FD34DE8254</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
XML POST enabled
-:1.1: Document is empty

^
-:1.1: Document is empty

^
GET https://SOMESERVER/+CSCOE+/sdesktop/wait.html
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Cookie: sdesktop=7EAE12F26F6B45FD34DE8254
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sat, 21 May 2022 11:17:43 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="refresh" content="1">
< <title>Installation</title>
< <link href="/+CSCOU+/portal.css" rel="stylesheet" type="text/css">
< <link href="/+CSCOE+/logon_custom.css" rel="stylesheet" type="text/css">
< </head>
< <body style="background-color:#ffffff; overflow:auto;">
< <table style="width:100%;height: 100%"  cellspacing=0 cellpadding=0>
< <tr>
< <td style="border-bottom:1px solid #aaaaaa" colspan=2>
< <table style="width:100%" border="0" cellpadding="0" cellspacing="0" class="cuesHeaderBg">
< <tr>
< <td colspan="2" class="cuesHeaderAccent"></td>
< </tr>
<    <tr>
<       <td class="install-title" style="height:40px; padding: 8px; font-size:larger;font-weight:bold">
<           <img src="/+CSCOU+/csco_logo.gif" align="absmiddle" alt="Logo"  title="Logo">
<           &nbsp;&nbsp;Secure Desktop
<       </td>
<    </tr>
< </tr>
< </table>
< </td>
< </tr>
<
< <td id=form_panel align=middle>
< <div id=keepout_margin>
< <table id=form_table cellspacing=0 cellpadding=0 border=0 width=300>
<
<     <tr>
<     <td colspan=2 id="logon" align="middle" valign="top">
<     <table id="form_title"  width=100% cellspacing=0  border="0">
<     <tr height=20>
<     <td id="form_title_text" colspan=2  align="middle" nowrap>
<         Secure Desktop
<     </td>
<     </tr>
<     </table>
<     </td>
< </tr>
< <tr><td colspan=2 align=middle>
< <table border=0>
< <tr>
< <td colspan=2><div  style="margin-top:10;margin-bottom:10;">
< Processing, please wait...
< </div>
< </td>
< </tr>
< <tr><td><center><img src="/+CSCOU+/progress.gif" alt="Loading..."></center></tr></td>
< <tr>
< <td align=middle colspan=2 height=40>
< </td>
< </tr>
< </table>
< </div>
< </td>
< </table>
< </div>
< </td>
< </body>
< </html>
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://SOMESERVER/+CSCOE+/sdesktop/wait.html
SSL negotiation with SOMESERVER
Connected to HTTPS on SOMESERVER with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: SOMESERVER
> User-Agent: Open AnyConnect VPN Agent v8.10-7.fc35
> Cookie: sdesktop=7EAE12F26F6B45FD34DE8254
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sat, 21 May 2022 11:17:44 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="refresh" content="1">
< <title>Installation</title>
< <link href="/+CSCOU+/portal.css" rel="stylesheet" type="text/css">
< <link href="/+CSCOE+/logon_custom.css" rel="stylesheet" type="text/css">
< </head>
< <body style="background-color:#ffffff; overflow:auto;">
< <table style="width:100%;height: 100%"  cellspacing=0 cellpadding=0>
< <tr>
< <td style="border-bottom:1px solid #aaaaaa" colspan=2>
< <table style="width:100%" border="0" cellpadding="0" cellspacing="0" class="cuesHeaderBg">
< <tr>
< <td colspan="2" class="cuesHeaderAccent"></td>
< </tr>
<    <tr>
<       <td class="install-title" style="height:40px; padding: 8px; font-size:larger;font-weight:bold">
<           <img src="/+CSCOU+/csco_logo.gif" align="absmiddle" alt="Logo"  title="Logo">
<           &nbsp;&nbsp;Secure Desktop
<       </td>
<    </tr>
< </tr>
< </table>
< </td>
< </tr>
<
< <td id=form_panel align=middle>
< <div id=keepout_margin>
< <table id=form_table cellspacing=0 cellpadding=0 border=0 width=300>
<
<     <tr>
<     <td colspan=2 id="logon" align="middle" valign="top">
<     <table id="form_title"  width=100% cellspacing=0  border="0">
<     <tr height=20>
<     <td id="form_title_text" colspan=2  align="middle" nowrap>
<         Secure Desktop
<     </td>
<     </tr>
<     </table>
<     </td>
< </tr>
< <tr><td colspan=2 align=middle>
< <table border=0>
< <tr>
< <td colspan=2><div  style="margin-top:10;margin-bottom:10;">
< Processing, please wait...
< </div>
< </td>
< </tr>
< <tr><td><center><img src="/+CSCOU+/progress.gif" alt="Loading..."></center></tr></td>
< <tr>
< <td align=middle colspan=2 height=40>
< </td>
< </tr>
< </table>
< </div>
< </td>
< </table>
< </div>
< </td>
< </body>
< </html>
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
...

csd-post.sh asks for the xmlstarlet utility, but on F35 everything works without it, and on F36 this utility does not help.

You can see that these lines, which appear on F35, are missing on F36:

<?xml version="1.0" encoding="UTF-8"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>

And on F36 the system starts endlessly reloading the page.

I tried to downgrade a lot of packages related to the network stack (using rpm-ostree override replace), but this did not fix the problem. I disabled firewalld and changed DNS settings (resolv.conf); all of this was useless.

The only thing that somehow helped solve the problem was the use of csd-wrapper.sh instead of csd-post.sh. With its help, I successfully managed to connect to a VPN on Fedora 36 Kinoite.

I do not know what the cause of this problem is, and I have no more ideas on how to investigate it. Since a workaround was found, the problem is not critical. Even if no one knows how to fix this situation, maybe this post will at least be a little useful to those who are experiencing the same problem.

1 Like

I did some digging and ran into this:

So, csd-wrapper.sh seems to download the binaries from the server whereas csd-post does not. In your case, it looks like the binaries are the only thing that work, and not whatever csd-post does.

It may be worth reporting this to upstream so they can see if they need to make any tweaks to the csd-post script? That’s what the documentation suggests also:

1 Like

Thank you so much for the answer, @ankursinha!

After reading the documentation you provided, I have investigated the problem again and, apparently, discovered the root cause.

It turned out that the request curl 'https://SOMESERVER/CACHE/sdesktop/data.xml' (which occurs inside csd-post.sh) fails with the error:
SSL routines::unsafe legacy renegotiation disabled

I found a description of a similar problem on the Internet: Insomnia GitHub Issue
The workaround specified there (editing openssl.cnf) helped; after applying it, I was able to connect to the VPN with the standard csd-post.sh.

1 Like

So apparently the reason is the upgrade of OpenSSL from version 1.1.1 to 3.0.2 (Fedora Packages). Based on this, the default behaviour was changed in version 3.0.0.

As far as I can tell, this problem is related to the use of outdated security practices on the VPN server, and it can only be solved by updating this server (not counting the workaround with “Options = UnsafeLegacyRenegotiation”). It’s sad, but not surprising.

Thanks again for the help, Ankur.

2 Likes
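The two posts above pin the failure on OpenSSL 3 refusing to talk to a server that lacks RFC 5746 secure renegotiation, and mention the "Options = UnsafeLegacyRenegotiation" workaround. As an added example (not code from this thread, openconnect, or Fedora), the shell script below does two things a practitioner would want before touching the system-wide openssl.cnf: it classifies a server from `openssl s_client` output (the live probe forces TLS 1.2, since renegotiation does not exist in TLS 1.3), and it writes a minimal OpenSSL config that enables the legacy option only for processes started with OPENSSL_CONF pointing at it. The sample s_client outputs are constructed; the host in the usage comment is a placeholder; it assumes OpenSSL 3.x and a curl linked against OpenSSL, as on Fedora 36.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, openconnect or Fedora).
# Assumes OpenSSL 3.x and a curl built against OpenSSL, as on Fedora 36.

# Classify captured `openssl s_client` output.
# Prints: secure  - server sent the RFC 5746 renegotiation_info extension
#         legacy  - server lacks it; OpenSSL 3 aborts the handshake with
#                   "unsafe legacy renegotiation disabled" unless overridden
#         unknown - neither marker found (connection failed earlier, etc.)
renegotiation_status() {
    case "$1" in
        *"unsafe legacy renegotiation disabled"*) echo legacy ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Live probe (needs network). Forces TLS 1.2 because TLS 1.3 has no
# renegotiation and s_client would report "NOT supported" there regardless.
probe_server() {
    out=$(openssl s_client -connect "$1" -tls1_2 </dev/null 2>&1 || true)
    renegotiation_status "$out"
}

# Write a minimal OpenSSL config enabling the legacy option and print its path.
# Only processes started with OPENSSL_CONF=<this file> load it, so the system
# default (secure renegotiation required) stays in force for everything else.
write_legacy_conf() {
    f="${1:-$(mktemp)}"
    cat >"$f" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
    echo "$f"
}

# Constructed sample: s_client under OpenSSL 3 talking to a server without
# RFC 5746 support (the same error string the thread saw from curl).
SAMPLE_LEGACY_OUTPUT='CONNECTED(00000003)
...:SSL routines::unsafe legacy renegotiation disabled:...
---
no peer certificate available'

# Constructed sample: a server that does support secure renegotiation.
SAMPLE_SECURE_OUTPUT='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Verify return code: 0 (ok)'

# Usage: PROBE_HOST=vpn.example.net:443 sh probe.sh   (placeholder host)
if [ -n "${PROBE_HOST:-}" ]; then
    echo "$PROBE_HOST: $(probe_server "$PROBE_HOST")"
    # Scoped workaround for the one openconnect run, so csd-post.sh's curl
    # calls inherit the option while the rest of the system keeps defaults:
    #   OPENSSL_CONF=$(write_legacy_conf) openconnect "$PROBE_HOST" \
    #       --csd-wrapper /usr/libexec/openconnect/csd-post.sh
fi
```

Running the probe first tells you whether the "legacy" case actually applies before any config is changed. The generated config deliberately contains nothing but the one option, so it also drops whatever provider and crypto-policy sections the distribution's openssl.cnf includes; that is acceptable for a single openconnect invocation but not as a replacement for the system file, and it does not change the conclusion reached in the thread that the lasting fix is on the server side.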


Yeah, there are a few other bits that have also needed us to enable legacy algorithms etc. in OpenSSL to get them working.

Here’s another topic with some more information on the update:

1 Like

Thank you, this confirms my findings.
I don’t like using “Options = UnsafeLegacyRenegotiation” as a permanent solution. If these security mechanisms were declared obsolete, then there were reasons for that. I will try to contact the owners of the VPN server and ask them to upgrade to OpenSSL 3.0.0+.

1 Like