Bug 1641834 - allow custom gnutls priority string via crypto-policies
Summary: allow custom gnutls priority string via crypto-policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 29
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-22 23:43 UTC by Michael Riss
Modified: 2018-11-11 04:00 UTC (History)

Fixed In Version: openconnect-7.08-10.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-11 04:00:50 UTC
Type: Bug
Embargoed:



Description Michael Riss 2018-10-22 23:43:32 UTC
Description of problem:

Sometimes you have to connect to VPN gateways that have a different 
crypto policy level than your own system. In such cases it would be nice to be
able to overrule the system default and hand a custom priority string over to 
libgnutls for connection initiation.


Suggestion:

In the openconnect.spec file replace
`--with-default-gnutls-priority="@SYSTEM"` with
`--with-default-gnutls-priority="@OPENCONNECT,@SYSTEM"`.

This way a user can create the file
/etc/crypto-policies/local.d/gnutls-openconnect.config with something like

OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256

and can custom-fit the cipher suite of openconnect to the VPN gateway he needs
to connect to.
(don't forget to run `update-crypto-policies --set <POLICY>` afterwards)


Caveat:

This is a blanket solution: all openconnect connections get the same cipher suite.
In the rough reality you probably want to define the acceptable cipher suite 
per-connection to maintain a high default cipher strength and only lower it for
the very selected VPN gateways you have to connect to and which do not 
want to/cannot raise their own cipher strength.
However, this would be a feature request upstream and for sure not just a 
one-line modification. Therefore, I'm suggesting this quick interim solution.

Comment 1 Michael Riss 2018-10-23 12:25:28 UTC
Something I forgot: Currently the update-crypto-policies mechanism cannot
append custom configuration files to the system policy.

But hopefully this will get resolved soon:
https://bugzilla.redhat.com/show_bug.cgi?id=1641830

Comment 2 Nikos Mavrogiannopoulos 2018-10-27 10:05:46 UTC
It makes sense to me, though I'm not sure I'll be able to get to it any time soon. Would you like to make a pull request at:
https://src.fedoraproject.org/rpms/openconnect

Comment 3 Michael Riss 2018-10-31 01:03:18 UTC
Nikos, I'm trying to make some progress towards a pull request. But I'm stuck at the step where I'm logged into src.fedoraproject.org, click on "fork" of https://src.fedoraproject.org/rpms/openconnect and I'm getting endlessly greeted by "You must sign the FPCA (Fedora Project Contributor Agreement) to use pagure", which I have signed already. I will need to find someone who can get me unstuck with this. So, I'm not unwilling ... just lost in the system atm.

Comment 4 Nikos Mavrogiannopoulos 2018-10-31 06:47:29 UTC
Thank you for letting me know. Could you report it to:
https://pagure.io/fedora-infrastructure/issues
and post here the ticket you have. It is important that we have it easy for people to contribute to fedora. Sorry for that.

Comment 5 Michael Riss 2018-10-31 15:24:37 UTC
I opened the ticket (https://pagure.io/fedora-infrastructure/issue/7338).

Comment 6 Michael Riss 2018-10-31 21:09:34 UTC
Kevin quickly resolved the problem with the failing fork and now I am able to submit a pull request. So far it's one for the f29 branch (https://src.fedoraproject.org/rpms/openconnect/pull-request/2). Should I also issue one for master (it's the same change)?

Comment 7 Fedora Update System 2018-11-01 13:37:56 UTC
openconnect-7.08-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bbd19daa2

Comment 8 Fedora Update System 2018-11-03 00:54:09 UTC
openconnect-7.08-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bbd19daa2

Comment 9 Christian Dersch 2018-11-04 19:50:35 UTC
That change breaks VPN connection for me with NetworkManager, "Failed to set TLS priority string("@OPENCONNECT,@SYSTEM:%COMPAT"): The request is invalid"

Downgrading to openconnect-7.08-8.fc29.x86_64 makes everything work again.

Comment 10 Michael Riss 2018-11-04 22:38:54 UTC
Indeed. I can confirm this problem. This is my bad, I should have confirmed that invalid keywords get skipped as documented (https://gnutls.org/manual/html_node/Priority-Strings.html @KEYWORD). Instead it seems gnutls tries the first keyword and either this works or the whole init process fails.

This package (openconnect-7.08-9.fc29) is bad and I would like to retract it.

Currently, I think the issue needs to be resolved upstream in openconnect with a custom priority string as mentioned above and/or within gnutls to really iterate through the keywords until a valid one is found as documented.

Comment 11 Fedora Update System 2018-11-07 07:57:00 UTC
openconnect-7.08-10.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e2795753b3

Comment 12 Nikos Mavrogiannopoulos 2018-11-07 08:20:30 UTC
There was a typo on how the fallback keywords were set up. Instead of "@OPENCONNECT,SYSTEM", @OPENCONNECT,@SYSTEM was used.
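
The local.d workflow from the bug description and the keyword typo explained in this comment, as an added Python model of the GnuTLS "@KEYWORD1,KEYWORD2" fallback rule (this is not gnutls or openconnect code; the config contents and the helper names are constructed for illustration):

```python
"""Model of the GnuTLS '@KEYWORD1,KEYWORD2[:extra]' priority fallback that
openconnect's default priority string relies on. Added example, not gnutls
or openconnect code; the config text below is a constructed sample."""

# Constructed stand-in for the merged crypto-policies gnutls config. The real
# SYSTEM line is much longer; OPENCONNECT mirrors the local.d value suggested
# in the bug description.
SAMPLE_CONFIG = """\
# constructed sample of /etc/crypto-policies/back-ends/gnutls.config
SYSTEM=NONE:+VERS-TLS1.3:+VERS-TLS1.2:+AES-256-GCM:+SHA256:+SIGN-RSA-SHA256
OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256
"""


def parse_config(text):
    """KEY=priority lines -> dict; blank lines and '#' comments are skipped."""
    keywords = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            keywords[name.strip()] = value.strip()
    return keywords


def resolve_priority(priority, keywords):
    """Resolve '@A,B[:extra]': the first keyword present in the config wins and
    any ':extra' suffix is appended. Only the leading keyword carries '@'; a
    later '@SYSTEM' is looked up literally, matches no 'SYSTEM=' line, and so
    resolution fails (the failure reported in comments 9 and 12)."""
    if not priority.startswith("@"):
        return priority  # literal priority string, used unchanged
    head, sep, extra = priority[1:].partition(":")
    for name in head.split(","):
        if name in keywords:
            return keywords[name] + (sep + extra if sep else "")
    raise ValueError(f"cannot resolve {priority!r}: no keyword found in config")


def check_openconnect_default(config_text):
    """Compare the fixed and the broken spec values on a system that has no
    local.d OPENCONNECT entry (the common case). None marks a failed init."""
    keywords = {k: v for k, v in parse_config(config_text).items()
                if k != "OPENCONNECT"}
    results = {}
    for candidate in ("@OPENCONNECT,SYSTEM:%COMPAT", "@OPENCONNECT,@SYSTEM:%COMPAT"):
        try:
            results[candidate] = resolve_priority(candidate, keywords)
        except ValueError:
            results[candidate] = None  # what surfaced as "The request is invalid"
    return results
```

Run `check_openconnect_default(SAMPLE_CONFIG)` to see the first candidate fall back to the SYSTEM policy while the second resolves to nothing.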

Comment 13 Fedora Update System 2018-11-08 05:20:10 UTC
openconnect-7.08-10.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e2795753b3

Comment 14 Michael Riss 2018-11-09 19:01:49 UTC
Indeed, this seems to do the trick. Great catch!

Comment 15 Fedora Update System 2018-11-11 04:00:50 UTC
openconnect-7.08-10.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

