GlobalProtect-openconnect
Unable to connect on Arch, does not spawn authentication window
Describe the bug
I have been using the PPA client from terminal on an Ubuntu-based system without problems. I am now trying to get the AUR client to work on an Arch system, but I cannot seem to establish a connection to the portal. The issue appears related to unsafe negotiation. The greatest difference with how the client used to work on the Ubuntu-based system is that connecting does not open a window for OAuth and instead asks for my credentials in the terminal.
Expected behavior
The client should pop up a browser window for OAuth login and connect to the portal without asking for credentials in the terminal.
Logs
Running sudo gpclient connect <portal>:
[2025-02-11T11:59:26Z INFO gpclient::cli] gpclient started: 2.4.3 (2025-02-08)
[2025-02-11T11:59:26Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-02-11T11:59:26Z WARN gpapi::portal::prelogin] Network error: reqwest::Error { kind: Request, url: "https://<portal>/global-protect/prelogin.esp", source: hyper_util::client::legacy::Error(Connect, Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 167772498, library: "SSL routines", function: "final_renegotiate", reason: "unsafe legacy renegotiation disabled", file: "ssl/statem/extensions.c", line: 947 }]))) }, X509VerifyResult { code: 0, error: "ok" })) }
[2025-02-11T11:59:26Z WARN gpclient::connect] Failed to connect portal with prelogin: error sending request for url (https://<portal>/global-protect/prelogin.esp)
Error: error sending request for url (https://<portal>/global-protect/prelogin.esp)
Caused by:
0: client error (Connect)
1: error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:947:
2: error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:947:
Re-run it with the `--fix-openssl` option to work around this issue, e.g.:
gpclient --fix-openssl connect <portal>
This is what happens if I follow the advice and run sudo gpclient --fix-openssl connect <portal>:
[2025-02-11T12:05:56Z INFO gpclient::cli] gpclient started: 2.4.3 (2025-02-08)
[2025-02-11T12:05:56Z INFO gpapi::utils::openssl] Using 'UnsafeLegacyServerConnect' option
[2025-02-11T12:05:56Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Portal: <portal>)
? Username:
If I continue by typing my credentials:
[2025-02-11T12:08:04Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-02-11T12:08:04Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2025-02-11T12:08:04Z INFO gpclient::connect] Connecting to the only available gateway: <portal> (<portal>)
[2025-02-11T12:08:04Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-02-11T12:08:04Z WARN gpapi::gateway::login] GP response error: reason=<none>, status=512 <unknown status code>, body=<html>
<head></head>
<body>
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";
</body>
</html>
[2025-02-11T12:08:04Z INFO gpclient::connect] Gateway login failed: Gateway login error: <none>
[2025-02-11T12:08:04Z INFO gpclient::connect] Performing the gateway authentication...
[2025-02-11T12:08:04Z INFO gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: <portal>)
? Username:
If I type them again (for whatever reason):
[2025-02-11T12:08:33Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-02-11T12:08:34Z INFO openconnect::ffi] openconnect version: v9.12
[2025-02-11T12:08:34Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2025-02-11T12:08:34Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2025-02-11T12:08:34Z INFO openconnect::ffi] OS: linux
[2025-02-11T12:08:34Z INFO openconnect::ffi] CSD_USER: 1000
[2025-02-11T12:08:34Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2025-02-11T12:08:34Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-02-11T12:08:34Z INFO openconnect::ffi] MTU: 0
[2025-02-11T12:08:34Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2025-02-11T12:08:34Z INFO openconnect::ffi] NO_DTLS: 0
[2025-02-11T12:08:34Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/getconfig.esp
[2025-02-11T12:08:34Z INFO openconnect::ffi] Connected to 163.117.252.50:443
[2025-02-11T12:08:34Z INFO openconnect::ffi] SSL negotiation with <portal>
[2025-02-11T12:08:34Z INFO openconnect::ffi] Connected to HTTPS on <portal> with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-02-11T12:08:34Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2025-02-11T12:08:34Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2025-02-11T12:08:34Z WARN openconnect::ffi] No MTU received. Calculated 1230 for ESP tunnel
[2025-02-11T12:08:34Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/hipreportcheck.esp
[2025-02-11T12:08:34Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum a6a605fdb109349fb37929b8a2553583.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
[2025-02-11T12:08:34Z INFO openconnect::ffi] ESP session established with server
[2025-02-11T12:08:34Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2025-02-11T12:08:35Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2025-02-11T12:08:35Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 15
[2025-02-11T12:08:35Z INFO gpclient::connect] Wrote PID 1504545 to /var/run/gpclient.lock
[2025-02-11T12:08:44Z WARN openconnect::ffi] ESP receive error: Connection refused
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to reconnect to host <portal>: Resource temporarily unavailable
[2025-02-11T12:08:44Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/logout.esp
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to reconnect to host <portal>: Resource temporarily unavailable
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to open HTTPS connection to <portal>
[2025-02-11T12:08:44Z WARN openconnect::ffi] Logout failed.
[2025-02-11T12:08:44Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting
[2025-02-11T12:08:44Z INFO gpclient::connect] Removing PID file
Environment:
- OS: Arch Linux x86_64
- Desktop Environment: None, i3 Window Manager
- Is remote SSH? No
Additional context
Apart from the OS, another major difference with the previous situation in which I was successfully using the client on an Ubuntu derivative is that I am not using any desktop environment on Arch. There is no keyring software like GNOME Keyring or KWallet. I don't know if this relates.
@piazzai you can try running it with the following command to see if it works for you.
sudo gpclient --fix-openssl connect <portal> --as-gateway --hip
@yuezk Thanks for answering quickly. No luck, unfortunately, running sudo gpclient --fix-openssl connect <portal> --as-gateway --hip:
[2025-02-14T10:58:06Z INFO gpclient::cli] gpclient started: 2.4.3 (2025-02-08)
[2025-02-14T10:58:06Z INFO gpapi::utils::openssl] Using 'UnsafeLegacyServerConnect' option
[2025-02-14T10:58:06Z INFO gpclient::connect] Treating the server as a gateway
[2025-02-14T10:58:06Z INFO gpclient::connect] Performing the gateway authentication...
[2025-02-14T10:58:06Z INFO gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: <portal>)
? Username:
And I input my credentials.
[2025-02-14T10:59:28Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-02-14T10:59:28Z INFO openconnect::ffi] openconnect version: v9.12
[2025-02-14T10:59:28Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2025-02-14T10:59:28Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2025-02-14T10:59:28Z INFO openconnect::ffi] OS: linux
[2025-02-14T10:59:28Z INFO openconnect::ffi] CSD_USER: 1000
[2025-02-14T10:59:28Z INFO openconnect::ffi] CSD_WRAPPER: /usr/lib/openconnect/hipreport.sh
[2025-02-14T10:59:28Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-02-14T10:59:28Z INFO openconnect::ffi] MTU: 0
[2025-02-14T10:59:28Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2025-02-14T10:59:28Z INFO openconnect::ffi] NO_DTLS: 0
[2025-02-14T10:59:28Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/getconfig.esp
[2025-02-14T10:59:29Z INFO openconnect::ffi] Connected to 163.117.252.50:443
[2025-02-14T10:59:29Z INFO openconnect::ffi] SSL negotiation with <portal>
[2025-02-14T10:59:29Z INFO openconnect::ffi] Connected to HTTPS on <portal> with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-02-14T10:59:29Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2025-02-14T10:59:29Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2025-02-14T10:59:29Z WARN openconnect::ffi] No MTU received. Calculated 1230 for ESP tunnel
[2025-02-14T10:59:29Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/hipreportcheck.esp
[2025-02-14T10:59:29Z INFO openconnect::ffi] Trying to run HIP Trojan script '/usr/lib/openconnect/hipreport.sh'.
[2025-02-14T10:59:29Z INFO openconnect::ffi] HIP script '/usr/lib/openconnect/hipreport.sh' completed successfully (report is 2295 bytes).
[2025-02-14T10:59:29Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/hipreport.esp
[2025-02-14T10:59:29Z INFO openconnect::ffi] HIP report submitted successfully.
[2025-02-14T10:59:29Z INFO openconnect::ffi] ESP session established with server
[2025-02-14T10:59:29Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2025-02-14T10:59:30Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2025-02-14T10:59:30Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 15
[2025-02-14T10:59:30Z INFO gpclient::connect] Wrote PID 1071799 to /var/run/gpclient.lock
[2025-02-14T10:59:39Z WARN openconnect::ffi] ESP receive error: Connection refused
[2025-02-14T10:59:39Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2025-02-14T10:59:39Z WARN openconnect::ffi] Failed to reconnect to host <portal>: Resource temporarily unavailable
[2025-02-14T10:59:39Z INFO openconnect::ffi] POST https://<portal>/ssl-vpn/logout.esp
[2025-02-14T10:59:39Z WARN openconnect::ffi] Failed to reconnect to host <portal>: Resource temporarily unavailable
[2025-02-14T10:59:39Z WARN openconnect::ffi] Failed to open HTTPS connection to <portal>
[2025-02-14T10:59:39Z WARN openconnect::ffi] Logout failed.
[2025-02-14T10:59:39Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting
[2025-02-14T10:59:39Z INFO gpclient::connect] Removing PID file
Something must be happening because now the client only asks for my credentials once, which seems a bit more sane. But I'd still expect it to pop up an OAuth window.
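The logs in the original report (the OpenSSL "unsafe legacy renegotiation disabled" failure and the `--fix-openssl` workaround) and in the follow-up (HIP report demanded, ESP tunnel falling back to HTTPS, reconnect failing) carry a handful of recurring signatures. The script below is an added example, not code from the GlobalProtect-openconnect project or from anyone in this thread: it parses gpclient/openconnect log lines, reports which of those signatures are present and which of the thread's command-line options address them, and shows what `--fix-openssl` amounts to at the OpenSSL level, namely setting `SSL_OP_LEGACY_SERVER_CONNECT` on one client context (certificate verification stays on) rather than relaxing the system-wide openssl.cnf. The function and constant names are hypothetical, the sample log is constructed from lines quoted in the thread with the HIP checksum replaced by a placeholder, `ssl.OP_LEGACY_SERVER_CONNECT` is assumed to exist only on Python 3.12 or newer (older versions fall back to OpenSSL's raw bit value), and the live `needs_legacy_renegotiation` check needs network access and is not exercised here.

```python
"""Triage helper for gpclient / openconnect logs (added example, not project code)."""
import re
import socket
import ssl
from collections import OrderedDict

# Shape of a gpclient log line: [timestamp LEVEL module::path] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^ \]]+) (?P<level>[A-Z]+) (?P<module>[\w:]+)\] (?P<msg>.*)$"
)

# (name, pattern, option from the thread or None, meaning). Patterns are taken
# verbatim from the log lines quoted in the issue.
SIGNATURES = [
    ("legacy_renegotiation", re.compile(r"unsafe legacy renegotiation disabled"), "--fix-openssl",
     "server lacks RFC 5746 secure renegotiation; OpenSSL 3 refuses the handshake unless "
     "legacy server connect is enabled"),
    ("password_rejected", re.compile(r"Authentication failure: Invalid username or password"), None,
     "gateway rejected the typed credentials (status 512 in the thread)"),
    ("hip_required", re.compile(r"Server asked us to submit HIP report"), "--hip",
     "gateway demands a HIP report; without --hip CSD_WRAPPER is (null) and nothing is submitted"),
    ("esp_fallback", re.compile(r"Failed to connect ESP tunnel; using HTTPS instead"), None,
     "the ESP data path did not come up; openconnect falls back to the HTTPS transport"),
    ("reconnect_failed", re.compile(r"Failed to reconnect to host .*Resource temporarily unavailable"), None,
     "the HTTPS reconnect also failed; in the thread openconnect_mainloop then returns -5"),
]

# Constructed sample: shortened copies of lines from this issue, HIP checksum replaced.
SAMPLE_LOG = """\
[2025-02-11T11:59:26Z WARN gpapi::portal::prelogin] Network error: reason: "unsafe legacy renegotiation disabled"
[2025-02-11T12:08:04Z WARN gpapi::gateway::login] GP response error: reason=<none>, status=512 <unknown status code>, body=<html>
var respMsg = "Authentication failure: Invalid username or password";
[2025-02-11T12:08:34Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum <HIP-MD5-PLACEHOLDER>.
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2025-02-11T12:08:44Z WARN openconnect::ffi] Failed to reconnect to host <portal>: Resource temporarily unavailable
"""


def parse_line(line):
    """Split one gpclient log line into its fields; None for non-log lines (e.g. HTML bodies)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return the signatures found (first occurrence each) and the options the thread uses for them."""
    findings = OrderedDict()
    for raw in log_text.splitlines():
        # Lines that are not log records (the gateway's HTML body) are still scanned.
        rec = parse_line(raw) or {"ts": None, "msg": raw}
        for name, pattern, flag, meaning in SIGNATURES:
            if name not in findings and pattern.search(rec["msg"]):
                findings[name] = {"ts": rec["ts"], "flag": flag, "meaning": meaning}
    flags = [f["flag"] for f in findings.values() if f["flag"]]
    return {"findings": findings, "suggested_flags": flags}


# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT bit (0x4); Python 3.12+ exposes it by name.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def legacy_server_context():
    """Client context with the same relaxation gpclient's --fix-openssl applies:
    only the RFC 5746 requirement is dropped, only for sockets made from this
    context; hostname and certificate verification remain enabled."""
    ctx = ssl.create_default_context()
    ctx.options |= OP_LEGACY_SERVER_CONNECT
    return ctx


def needs_legacy_renegotiation(host, port=443, timeout=5.0):
    """Live check (network required): True if a strict default context fails with the
    renegotiation error while the relaxed context completes the handshake."""
    def handshake(ctx):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    try:
        handshake(ssl.create_default_context())
        return False
    except ssl.SSLError as exc:
        if "unsafe legacy renegotiation" not in str(exc):
            raise
    return handshake(legacy_server_context())


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, info in result["findings"].items():
        print(f"{name:22} {info['ts'] or '-':22} {info['flag'] or '':14} {info['meaning']}")
    print("options to add:", " ".join(result["suggested_flags"]))
```

Run against a saved gpclient log it prints one line per matched signature with the timestamp of its first occurrence. The context helper is the part worth keeping in mind operationally: `--fix-openssl` and this context both accept a peer that cannot prove RFC 5746 support, so they are a per-connection concession to a specific gateway, not something to turn on globally.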