Support for old VPNs using legacy ciphers on #Fedora #Linux

By | January 29, 2021

After I upgraded from Fedora 32 to Fedora 33 suddenly one of my VPNs started to refuse to work.

[root@localhost ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug -v
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to xxx.xxx.xxx.xxx
Failed to obtain WebVPN cookie

On another machine that was still on Fedora 32 and had not been updated, it worked:

[root@nas4 ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:C0SdphdMszJEgY2qx29Jl7leJTPwt8Iyif+KB9tAkAk=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/+webvpn+/index.html
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Please enter your username and password.

Then I noticed in some release notes that in Fedora 33 several ciphers were completely removed.
Yes, I know we should not use insecure ciphers, but what can I do if the VPN server is not under my control and I am still required to support a client that runs it.

The magic command is:

update-crypto-policies --set LEGACY

The above will make sure that the old deprecated ciphers are still allowed.
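The log lines above already tell you why the connection fails: the server negotiates TLS1.0, and the Fedora 33 DEFAULT crypto policy no longer offers that protocol version, which is exactly what the "illegal or unsupported version" error means. The following POSIX shell snippet is an added example, not part of the original post: it pulls the negotiated ciphersuite out of openconnect's verbose output and reports which crypto policy you need before you switch the whole system. The sample log text is constructed from the Fedora 32 run shown above, and the mapping of TLS1.0/1.1 to LEGACY and TLS1.2/1.3 to DEFAULT is an assumption based on the Fedora 33 policy change the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): inspect openconnect's verbose
# output and decide whether a server is stuck on a TLS version that the
# Fedora 33 DEFAULT crypto policy refuses, before touching the system policy.

# Constructed sample: the relevant lines from the working Fedora 32 run.
SAMPLE_LOG='Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved'

# Print the first ciphersuite string openconnect reported, e.g.
# "(TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)". Prints nothing if no such line exists.
extract_ciphersuite() {
    printf '%s\n' "$1" | sed -n 's/.*with ciphersuite //p' | head -n 1
}

# Extract the protocol component of a ciphersuite string, e.g. "TLS1.0".
tls_version() {
    printf '%s\n' "$1" | sed -n 's/^(\([^)]*\)).*/\1/p'
}

# Map the negotiated protocol to the crypto policy that still permits it.
# Assumption (from the post's observation and the Fedora 33 change): DEFAULT
# requires TLS 1.2 or newer, LEGACY still accepts TLS 1.0 and 1.1.
policy_needed() {
    case "$(tls_version "$1")" in
        TLS1.0|TLS1.1) echo LEGACY ;;
        TLS1.2|TLS1.3) echo DEFAULT ;;
        *)             echo UNKNOWN ;;
    esac
}

# Example run over the constructed log.
suite=$(extract_ciphersuite "$SAMPLE_LOG")
if [ -n "$suite" ]; then
    echo "negotiated: $suite"
    echo "required crypto policy: $(policy_needed "$suite")"
else
    echo "no ciphersuite line found in log"
fi
```

In practice you would feed it the output of the openconnect command from the post. If the result is LEGACY, keep in mind that `update-crypto-policies --set LEGACY` is system-wide: it lowers the baseline for every application that follows the policy, not just openconnect, and the new setting only takes effect for applications started afterwards. `update-crypto-policies --show` prints the currently active policy, and `update-crypto-policies --set DEFAULT` restores the standard one once the old VPN server is gone.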
