
SSL error

Legimet opened this issue 4 years ago • 8 comments

I'm trying to connect to a GlobalProtect VPN and get an SSL error. Here are the relevant lines:

2020-09-09 22:31:26.820 INFO  [17969] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://gpvpn.mit.edu/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2020-09-09 22:31:26.904 ERROR [17969] [PortalAuthenticator::onPreloginFinished@40] Error occurred while accessing https://gpvpn.mit.edu/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux, SSL handshake failed
2020-09-09 22:31:26.904 INFO  [17969] [GPClient::onPortalPreloginFail@276] Portal prelogin failed: Error occurred on the portal prelogin interface.

Legimet avatar Sep 10 '20 02:09 Legimet

Which version are you using? You can find the version in the log file.

yuezk avatar Sep 10 '20 02:09 yuezk

Version 1.2.5.

I did some further testing with gp-saml-gui and this seems to be due to a small Diffie-Hellman key:

gp-saml-gui.py: error: SSL error: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1123)

EDIT: I tried setting DEFAULT@SECLEVEL=1 in /etc/ssl/openssl.cnf and this works when I'm using gp-saml-gui, as it opens the WebkitGTK view which allows me to successfully log in. Is there a way to do this without making a system-wide change?

However, gpclient fails, as it tries to connect to a gateway instead of portal, if I understand correctly:

2020-09-09 23:02:14.399 INFO  [20601] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2020-09-09 23:02:14.399 INFO  [20601] [gpclient::helper::parseGatewayResponse@51] The gateway response is: 
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";


Segmentation fault

Legimet avatar Sep 10 '20 03:09 Legimet

@legimet Can you help paste out the log above 2020-09-09 23:02:14.399 INFO [20601] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...?

I need to understand the workflow for your VPN server.

yuezk avatar Sep 10 '20 03:09 yuezk

2020-09-09 23:44:46.316 INFO  [22126] [main@22] GlobalProtect started, version: v1.2.5
2020-09-09 23:44:46.999 INFO  [22126] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-09-09 23:44:48.594 INFO  [22126] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-09-09 23:44:48.645 INFO  [22126] [GPClient::doConnect@205] Start connecting...
2020-09-09 23:44:48.645 INFO  [22126] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2020-09-09 23:44:48.645 INFO  [22126] [GPClient::gatewayLogin@316] Performing gateway login...
2020-09-09 23:44:48.656 INFO  [22126] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2020-09-09 23:44:48.657 INFO  [22126] [GatewayAuthenticator::login@38] Trying to login the gateway at https://gpvpn.mit.edu/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=legimet&ok=Login&direct=yes&clientVer=4100&os-version=Debian GNU%2FLinux bullseye%2Fsid&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2020-09-09 23:44:49.033 INFO  [22126] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2020-09-09 23:44:49.033 INFO  [22126] [gpclient::helper::parseGatewayResponse@51] The gateway response is: 
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";


Segmentation fault

And I'm pretty sure gpvpn.mit.edu is a portal.

Legimet avatar Sep 10 '20 03:09 Legimet

I see. Some of the portal servers also have the gateway deployed. So the connect workflow for this client is: it will try to connect to the gateway first; if that fails, it will fall back to the portal login. But in your case, the client crashed because of the unexpected response and had no chance to run the fallback logic.

I will take a look at this, please stay tuned.

yuezk avatar Sep 10 '20 03:09 yuezk
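The crash described above happens because the gateway answered the login attempt with a JavaScript-style error body instead of the response the client expected, and the parser had no path for that case. The following is an added example, not code from this issue or from the GlobalProtect-openconnect project. It parses the `var respStatus = "..."` body quoted in the log into a structured result and always returns a decision (fall back to the portal or not) rather than crashing on empty, non-JavaScript, or error bodies. The sample responses are constructed from the log lines in this thread; the "Success" body is a hypothetical shape used only to show the non-fallback branch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the exact body quoted in the issue's log output.
SAMPLE_ERROR_RESPONSE = (
    'var respStatus = "Error";\n'
    'var respMsg = "Authentication failure: Invalid username or password";\n'
    'thisForm.inputStr.value = "";\n'
)

# Constructed, hypothetical success body (not observed on the page).
SAMPLE_SUCCESS_RESPONSE = 'var respStatus = "Success";\nvar respMsg = "ok";\n'

# Matches lines of the form:  var name = "value";
# The value may contain backslash-escaped quotes.
_VAR_RE = re.compile(r'^\s*var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;\s*$')


@dataclass
class GatewayReply:
    status: Optional[str]          # value of respStatus, or None if absent
    message: Optional[str]         # value of respMsg, or None if absent
    should_fallback_to_portal: bool
    reason: str                    # human-readable explanation for the log


def parse_js_vars(body: str) -> dict:
    """Extract `var X = "...";` assignments; silently skip anything else.

    Lines such as `thisForm.inputStr.value = "";` are ignored on purpose,
    and a body that is HTML or XML simply yields an empty dict.
    """
    found = {}
    for line in body.splitlines():
        m = _VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).replace('\\"', '"')
    return found


def classify_gateway_response(body: Optional[str]) -> GatewayReply:
    """Turn a gateway login reply into a decision without ever raising.

    Any body that does not carry a respStatus, and any body whose status is
    "Error", causes the caller to fall back to portal login, which is the
    path the crashed client never reached.
    """
    if body is None or not body.strip():
        return GatewayReply(None, None, True, "empty gateway response")
    found = parse_js_vars(body)
    status = found.get("respStatus")
    message = found.get("respMsg")
    if status is None:
        return GatewayReply(None, message, True,
                            "no respStatus variable; not a gateway login reply")
    if status.lower() == "error":
        return GatewayReply(status, message, True,
                            "gateway reported an error: %s" % (message or "?"))
    return GatewayReply(status, message, False, "gateway accepted the login")


if __name__ == "__main__":
    print(classify_gateway_response(SAMPLE_ERROR_RESPONSE))
```

A caller would log `reply.reason`, and if `reply.should_fallback_to_portal` is set, proceed to the portal prelogin instead of treating the body as a successful gateway configuration. Keeping the parser total (every input maps to a GatewayReply) is what removes the crash; the specific field names are the ones visible in the issue's log.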

Any updates on this?

lakshay2010sharma avatar Apr 30 '22 04:04 lakshay2010sharma

Hi, I had a similar issue due to updating to Ubuntu 22.10. I was searching how to fix this and found that bug: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268 Then user suoko mentioned that: The gpclient GUI works too. When I ran that command I was surprised that your app GUI window popped out. So the solution is to first:

  • set client os value to Windows in settings of gui
  • create file mentioned in bug: ~/ssl.conf

      openssl_conf = openssl_init
      [openssl_init]
      ssl_conf = ssl_sect
      [ssl_sect]
      system_default = system_default_sect
      [system_default_sect]
      Options = UnsafeLegacyRenegotiation

  • use command: OPENSSL_CONF=~/ssl.conf gpclient to run gui and proceed with logging in.

For me those worked. I hope it will work for others too.

@yuezk if you have info how to write that down into settings custom parameters window let us know. I don't know maybe just passing value of the file directly or some flag to pass openssl_conf?

AdrianHarenczyk avatar May 06 '22 05:05 AdrianHarenczyk

@AdrianHarenczyk Your problem is a duplicate of #142, which has been fixed in 1.4.2.

yuezk avatar May 07 '22 07:05 yuezk

No longer a problem in the 2.x release, closing.

yuezk avatar Jan 25 '24 12:01 yuezk