
os-openconnect: Regression due to required secure renegotiation in OpenSSL 3.x

Open robertzaage opened this issue 1 year ago • 4 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug OpenConnect can't set up the connection due to a failing TLS handshake.

To Reproduce Steps to reproduce the behavior from CLI:

starting openconnect
+ /usr/local/sbin/openconnect -s /usr/local/opnsense/scripts/OPNsense/Openconnect/vpnc.sh '--config=/usr/local/etc/openconnect.conf' vpn.example.com
SSL connection failure
00E0AA2908000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:894:
Failed to open HTTPS connection to vpn.example.com
Failed to complete authentication

or just use curl:

# curl -vvv https://vpn.example.com
* Host vpn.example.com:443 was resolved.
* IPv6: (none)
* IPv4: 233.252.0.1
*   Trying 233.252.0.1:443...
* Connected to vpn.example.com (233.252.0.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* OpenSSL/3.0.13: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Expected behavior A successful TLS handshake and a working VPN connection via OpenConnect.

Additional context The used VPN is an older Cisco ASA which doesn't get OpenSSL updates anymore. There are some workarounds available to re-enable renegotiation again, but this really shouldn't be done on a system-wide level.

See: https://github.com/openssl/openssl/issues/21296

Regression was introduced in 24.1: ports: openssl 3.0.12[6]

Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.

Environment OPNsense 24.1.1-amd64 FreeBSD 13.2-RELEASE-p9 OpenSSL 3.0.13

robertzaage avatar Feb 11 '24 08:02 robertzaage

Yep, OpenSSL 3 issue. I don’t believe the “legacy” trick that they did has any real world value other than causing havoc. They should have removed it or kept it as was. We’ve seen a number of broken things now because of it. 😉

Though I’m not sure if OpenConnect can actually allow this per config?

Cheers, Franco

fichtner avatar Feb 11 '24 10:02 fichtner

I think we need a new "Allow insecure crypto" option which adds /usr/local/sbin/openconnect --allow-insecure-crypto to the program call. If you want, I can try my luck and prepare a PR for this. According to their docs this option can also be set in the config file. 🙂

robertzaage avatar Feb 11 '24 11:02 robertzaage
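Before switching a gateway to --allow-insecure-crypto, it is worth confirming that the server really lacks RFC 5746 (the condition the OpenSSL 3 default now enforces) rather than failing for another reason. The following POSIX sh helper is an added example, not code from this issue or from the os-openconnect plugin; it assumes an OpenSSL 3.x `openssl s_client` and relaxes the legacy-renegotiation check only for that one diagnostic process, never system-wide.

```shell
#!/bin/sh
# Added example (not from the issue or the os-openconnect plugin).
# Classify `openssl s_client` output read on stdin by its renegotiation
# verdict line. This line is only meaningful on a TLS 1.2 (or older)
# session; TLS 1.3 has no renegotiation at all.
# Prints: rfc5746      -> server sent the renegotiation_info extension
#         legacy-only  -> it did not; OpenSSL 3 refuses this by default,
#                         which is the "unsafe legacy renegotiation" error
#         unknown      -> no verdict line seen (handshake never completed)
classify_reneg() {
    verdict=unknown
    while IFS= read -r line; do
        case "$line" in
            *"Secure Renegotiation IS NOT supported"*) verdict=legacy-only ;;
            *"Secure Renegotiation IS supported"*)     verdict=rfc5746 ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Probe a live gateway (hostname and port are the caller's values).
# -legacy_server_connect lets the handshake complete against a legacy-only
# server so s_client can print its verdict; it affects this process only.
probe_reneg() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -legacy_server_connect </dev/null 2>/dev/null | classify_reneg
}

# Constructed sample fragments in the shape s_client prints, so the
# classifier can be exercised offline.
SAMPLE_LEGACY='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_RFC5746='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: NONE'
```

A result of legacy-only for a gateway means --allow-insecure-crypto is the applicable workaround for that single OpenConnect profile; rfc5746 means the handshake failure has a different cause and relaxing renegotiation checks would not help.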

That would be nice. Make sure the OpenConnect version in FreeBSD ports supports this, otherwise we should aim to update the version there first.

fichtner avatar Feb 11 '24 11:02 fichtner

OPNsense update last night is now showing this:

root@opnsense:~ # openconnect --protocol=gp vpn.server.com -u username
POST https://vpn.server.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Failed to connect to [ipv6]:443: Operation timed out
Connected to ipv4
SSL negotiation with vpn.server.com
SSL connection failure
00D0C42908000000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:894:
Failed to open HTTPS connection to vpn.server.com
Failed to complete authentication

c4mmartin avatar Feb 15 '24 20:02 c4mmartin

Try using OpenConnect with the --allow-insecure-crypto parameter.

abinkrishnapv avatar Feb 05 '25 10:02 abinkrishnapv