Posts: 90 | Thanked: 44 times | Joined on Aug 2010
#61
I'll test it tomorrow... thanks for the work!

Edit: I didn't,
but it's looking good; now I've made an alert to remind me to test the new stuff.

Last edited by sirpaul; 2011-01-28 at 21:34.
 
Posts: 323 | Thanked: 180 times | Joined on Oct 2009 @ Gent, Belgium
#62
some updates:
I patched and compiled the latest version of openconnect 2.26 and it works!

BUT (there's always a but ...)

I need some help here. I'm still on PR1.2 (lazy, I know) and the SDK is on PR1.3. When I'm building the DEB file, it receives a dependency of libssl >=0.9.8m.

So it doesn't install on mine, as I have version 0.9.8e from PR1.2.
But when looking in details at my libssl package in FAP, I see there's now a 0.9.8n version available. I upgraded to that one (it also upgraded openssl alongside) and as expected, it now accepts and installs my new openconnect 2.26 DEB.

Can people check if libssl 0.9.8n is indeed the version supplied with PR1.3?

First hurdle taken.

Then, when connecting via the openconnect-gui, using the 2.26 version (no other changes), I'm getting a nice error log message about the server certificate not being verifiable due to missing local issuer certificate and asking if I want to accept the certificate anyway. Of course, the openconnect-gui doesn't handle this user input situation.

When running openconnect in xterm, I can enter 'yes' and it connects fine to my VPN server, all fine, as planned.

I think I can also override this check when calling the openconnect command, executed by the openconnect-gui, so there is no user issue with this. It might be a bit less safe. But not less safe than when using the current 2.12 solution, as that one doesn't care at all about the server certificate anyway.
Do people like this proposed (eyes closed) behaviour?

The very good thing about the new openssl 0.9.8n version is the fact it seems to allow DTLS. No need for the default option (--no-dtls) anymore. Yes!!
This should allow performance gains in dropped-packet environments, like 3G connections.

Of course further testing should happen, as there were some other strange messages on screen, about a dead peer. The connection is made fine though, data routed through the VPN.
I'll look into that issue if proven troublesome for some.

So if people confirm the version in PR1.3 and the preferred behaviour concerning the accepting of the server certificate, I can then make the required changes and get a new GUI version out.

For people who want to follow along, here's the latest, working openconnect 2.26 DEB.

Again, all requests/info is welcome. If time permits, I'll work on them.

PS. I really need to get my stuff in garage now, getting it properly registered and using autobuild!
Maybe when I have a version of both packages that people are happy with...

PS2. Maybe I can create my own openconnect VPN status applet, such as the one from VPNC.
Attached Files
File Type: deb openconnect_2.26-1maemo_armel.deb (43.9 KB, 181 views)

Last edited by Netweaver; 2011-01-28 at 16:30. Reason: extra info
 

Posts: 90 | Thanked: 44 times | Joined on Aug 2010
#63
Hi, I am using PR1.3 and xterm gives me this
(BTW your new version of openconnect installs flawlessly)
Code:
Nokia-N900:~# apt-cache showpkg openssl
Package: openssl
Versions: 
0.9.8n-1+maemo4+0m5 (/var/lib/apt/lists/downloads.maemo.nokia.com_fremantle_ssu_mr0_._Packages) (/var/lib/dpkg/status)
 Description Language: 
                 File: /var/lib/apt/lists/downloads.maemo.nokia.com_fremantle_ssu_mr0_._Packages
                  MD5: 977022bc5545601176b69704acc5df9b


Reverse Depends: 
  ssl-cert,openssl 0.9.8g-9
  libval-threads,openssl
  libval-threads,openssl
  libval-threads,openssl
  gsoap,openssl
  libnet-ssleay-perl,openssl
  libval-threads,openssl
  libval-threads,openssl
  libval-threads,openssl
  openvpn,openssl
  openvpn,openssl
  mp-fremantle-generic-pr,openssl 0.9.8n-1+maemo4+0m5
  libssl0.9.8,openssl 0.9.6-2
  maemosec-certman-common-ca,openssl
  as-daemon-0,openssl
Dependencies: 
0.9.8n-1+maemo4+0m5 - libc6 (2 2.5.0-1) libssl0.9.8 (2 0.9.8m-1) zlib1g (2 1:1.2.1) ca-certificates (0 (null)) ssleay (3 0.9.2b) 
Provides: 
0.9.8n-1+maemo4+0m5 -
 

Posts: 323 | Thanked: 180 times | Joined on Oct 2009 @ Gent, Belgium
#64
Thanks. That already confirms the version.

On the DTLS side, it seems I've been cheering too quickly. It looks as if it's starting in DTLS mode (via xterm), but when there's a network glitch it gets a write error and reconfigures the VPN link into SSL. So either the openssl in PR1.3 is still (partly) broken in terms of DTLS support, or there is something else wrong. Anyhow, my latest gui still has --no-dtls as a default option, so no problem there.

Also, in my latest gui, to avoid the server check, you can enter --no-cert-check as the free option in the gui/profile; then everything connects fine, no errors/user input requests anymore.
Of course it temporarily kills the possibility of specifying the usergroup in there.

So if I don't hear objections, I'll create a new GUI, also containing this --no-cert-check option as a default.

Can people also test their connectivity, straight from xterm and via the gui? Just wondering if the open issues people had improved with my porting of the latest version.
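The posts above settle on --no-cert-check as a GUI default, which makes the server certificate irrelevant for every profile. The following is an added example, not code from the openconnect project or from the openconnect-gui package discussed in this thread: a small wrapper that makes the certificate policy an explicit per-profile choice (a CA file first, then a pinned fingerprint, and only then the eyes-closed mode) and keeps the password out of the argument list. The option names --cafile, --servercert and --passwd-on-stdin are assumptions taken from later upstream openconnect releases; the 2.26 build attached here is only shown accepting --no-cert-check, --passwd, --authgroup, --script and --no-dtls. Profiles, host names and the fingerprint are constructed placeholders.

```python
"""Explicit server-certificate policy for an openconnect wrapper.

Added example for this thread; not code from the openconnect project or
from the openconnect-gui package.  ASSUMED option names: --cafile,
--servercert and --passwd-on-stdin come from later upstream openconnect
releases and are not known to exist in the thread's 2.26 build.
"""
import shlex

# Path the thread gives for the routing script borrowed from vpnc.
VPNC_SCRIPT = "/usr/share/openconnect/vpnc-script"


def build_args(profile):
    """Return argv for openconnect from a profile dict (keys constructed
    for this example): server, user, and optionally authgroup, cafile,
    pin (server certificate fingerprint) and allow_unverified (bool).

    The certificate policy is resolved in order of strength: a CA file
    that can verify the issuer, then a pinned fingerprint, and only then
    --no-cert-check, which has to be opted into per profile instead of
    being a silent default for everyone.
    """
    args = [
        "openconnect",
        "--script=" + VPNC_SCRIPT,
        "--user=" + profile["user"],
        "--no-dtls",  # the thread's default; DTLS on this build was unreliable
    ]
    if profile.get("authgroup"):
        args.append("--authgroup=" + profile["authgroup"])
    if profile.get("cafile"):
        args.append("--cafile=" + profile["cafile"])          # assumed option
    elif profile.get("pin"):
        args.append("--servercert=" + profile["pin"])         # assumed option
    elif profile.get("allow_unverified"):
        args.append("--no-cert-check")                        # shown in thread
    else:
        raise ValueError(
            "profile for %r has no CA file or pinned fingerprint and does "
            "not allow an unverified server" % profile["server"])
    args.append(profile["server"])
    return args


def plan_invocation(profile, password):
    """Return (argv, stdin_bytes) for running openconnect.

    The Maemo build accepts --passwd=... on the command line, which leaves
    the secret readable by any local user via ps.  Feeding it on stdin
    (assumed option --passwd-on-stdin) keeps it out of argv.
    """
    args = build_args(profile)
    args.insert(1, "--passwd-on-stdin")
    return args, (password + "\n").encode()


def policy_of(args):
    """Classify an argv list so a GUI's default parameters can be audited."""
    if "--no-cert-check" in args:
        return "unverified"
    if any(a.startswith("--cafile=") for a in args):
        return "cafile"
    if any(a.startswith("--servercert=") for a in args):
        return "pinned"
    return "system-ca"


def shell_line(args):
    """Render argv as one correctly quoted shell line (for a profile file)."""
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed profile; host and fingerprint are placeholders.
    pinned = {"server": "vpn.example.test", "user": "jane",
              "authgroup": "SSLVPN", "pin": "00" * 20}
    print(shell_line(build_args(pinned)))
    print(policy_of(build_args({"server": "vpn.example.test",
                                "user": "jane", "allow_unverified": True})))
```

A profile that neither carries trust material nor opts into the unverified mode is rejected, so a GUI built on this cannot drift back to "no verification" without the user seeing it in the profile.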
 
Posts: 90 | Thanked: 44 times | Joined on Aug 2010
#65
OK, here is my xterm output:
Code:
okia-N900:~# openconnect --no-dtls --no-cert-check --user=xxxxxxx@uni-potsdam.de --verbose --authgroup=SSLVPN wlanvpn.uni-potsdam.de
Attempting to connect to 172.16.3.251:443
SSL negotiation with wlanvpn.uni-potsdam.de
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET https://wlanvpn.uni-potsdam.de/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 31 Jan 2011 13:49:57 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with wlanvpn.uni-potsdam.de
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on wlanvpn.uni-potsdam.de
GET https://wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=<elided>; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give 
Please enter your username and password.
Password:
POST https://wlanvpn.uni-potsdam.de/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:B551FD33CB3F3223E18C427CB8C5B9DE82B374BA&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 141.89.46.156
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 141.89.65.1
X-CSTP-NBNS: 141.89.64.56
X-CSTP-Lease-Duration: 86400
X-CSTP-Session-Timeout: 86400
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: uni-potsdam.de
X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0
X-CSTP-Split-Exclude: 172.16.0.0/255.240.0.0
X-CSTP-Split-Exclude: 10.0.0.0/255.0.0.0
X-CSTP-Keep: true
X-CSTP-Homepage: http://www.uni-potsdam.de
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 4851F68A3FD4C98655174380154AAA55E329D3AAA7D479477E6DC24791E555C8
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 141.89.46.156, using SSL
No --script argument provided; DNS and routing are not configured
No work to do; sleeping for 20000 ms...
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
Send
Another problem is that I cannot enter my password; I have to open a new xterm and copy the password from there.

Via the gui it wasn't possible, because I need the group feature (authgroup), so it stopped at the self-signed cert or the wrong group.

Nevertheless, thanks for continuing the work on openconnect!
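The verbose output above already contains the diagnosis that the next reply draws out (the "No --script argument provided" line), and it also shows the certificate check being skipped and the tunnel falling back to SSL even though the server offered DTLS. As an added example, not part of this thread or of the openconnect project, here is a small triage script that parses such a log and reports those three conditions. The sample log is constructed for the example: it keeps the line shapes of the xterm output above but uses documentation addresses and a placeholder host name.

```python
"""Triage an openconnect --verbose log.

Added example for this thread; not code from the openconnect project.
SAMPLE_LOG is constructed: same line shapes as the thread's xterm output,
with documentation addresses and a placeholder host.
"""
import re

SAMPLE_LOG = """\
Attempting to connect to 198.51.100.7:443
SSL negotiation with vpn.example.test
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on vpn.example.test
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.0.2.10
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 192.0.2.1
X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0
X-CSTP-Split-Exclude: 10.0.0.0/255.0.0.0
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-DTLS-Session-ID: 0000000000000000000000000000000000000000000000000000000000000000
X-DTLS-Port: 443
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 192.0.2.10, using SSL
No --script argument provided; DNS and routing are not configured
"""

# CONNECT-response headers and the "Connected tunN as ADDR, using X" line.
HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)-[A-Za-z-]+): (.*)$")
TUN_RE = re.compile(r"^Connected (\S+) as (\S+), using (\S+)$")


def parse_log(text):
    """Collect headers, tunnel details and notable lines from a verbose log."""
    report = {"headers": {}, "split_exclude": [], "cert_failures": [],
              "tunnel": None, "no_script": False}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, value = m.groups()
            if name == "X-CSTP-Split-Exclude":   # repeated header, keep all
                report["split_exclude"].append(value)
            else:
                report["headers"][name] = value
            continue
        m = TUN_RE.match(line)
        if m:
            report["tunnel"] = {"dev": m.group(1), "addr": m.group(2),
                                "transport": m.group(3)}
            continue
        if line.startswith("Server certificate verify failed:"):
            report["cert_failures"].append(line.split(": ", 1)[1])
        elif line.startswith("No --script argument provided"):
            report["no_script"] = True
    return report


def findings(report):
    """Turn the parsed report into short, actionable findings."""
    out = []
    if report["cert_failures"]:
        out.append("server certificate not verified (%s); the session "
                   "continued only because verification was disabled"
                   % "; ".join(sorted(set(report["cert_failures"]))))
    if report["no_script"]:
        out.append("no --script given: DNS and routes were not configured, "
                   "so traffic will not use the tunnel")
    tun = report["tunnel"]
    if tun and "X-DTLS-Session-ID" in report["headers"] \
            and tun["transport"] == "SSL":
        out.append("server offered DTLS (cipher %s) but the tunnel runs over "
                   "SSL/TCP; expect poorer performance on lossy links"
                   % report["headers"].get("X-DTLS-CipherSuite", "?"))
    return out


if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print("-", line)
```

Feed it a real log with `parse_log(open(path).read())`; the three findings map directly onto the three fixes discussed in this thread (trust the server certificate properly, pass --script, and sort out DTLS).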
 
Posts: 323 | Thanked: 180 times | Joined on Oct 2009 @ Gent, Belgium
#66
Hi Sirpaul,
I think you're pretty close, at least on the command line. For the gui version I need to make a change in the code. I'll try to do that ASAP.

You forgot to include the script, as the openconnect program wants to tell you:
No --script argument provided; DNS and routing are not configured
This was probably your problem already with the previous version 2.12, if I recall correctly. At least now I know (a bit) where to look.

This is a (technically) working command line for me; you only need to add the proper authgroup parameter and you'll be good to go, all on one line of course:

openconnect --script=/usr/share/openconnect/vpnc-script --user=jacksparrow@ilovemaemo.com --passwd=blablabla --background --syslog --no-deflate --no-cert-check vpn.ilovemaemo.com
The "--background --syslog --no-deflate" part is optional for me. For you, just add the authgroup=abc and replace the proper variables and you're fine. You were just missing the reference to the script (borrowed from the vpnc package), which sets up all default routes etc.

I'll start changing the gui code now; maybe by tomorrow I'll have a more flexible way of entering default (cross-profile) parameters. Brrr, it's getting a bit more real now.

What's the issue with entering the password in the 2.26 version? My password (all kinds of chars) is accepted fine, in the gui and straight in xterm.

The Maemo version of openconnect (already as of 2.12) has a feature NOT found in the official openconnect version: the possibility to add the password straight on the command prompt. That's how the gui works...
 

Posts: 90 | Thanked: 44 times | Joined on Aug 2010
#67
OMG it is working!!!!!
Never thought it would ever happen...
THANKS! You've made my month!
(lol, did not even think that I was that close...)

I just added the passwd option; it worked pretty well.
Connectivity works fine, but I've only been using it for some minutes.
(ATM I am using my uni's VPN!)

EDIT
I've tested more and it still works well.
I had one problem when the connection was a bit strange, but a reboot fixed it; besides that, I haven't spotted any errors.

Last edited by sirpaul; 2011-02-03 at 21:30.
 
Posts: 323 | Thanked: 180 times | Joined on Oct 2009 @ Gent, Belgium
#68
Thanks. I have uploaded the openconnect and openconnect-gui into extras-devel. This is my first upload; the building went fine. I'm not an experienced Debian package maintainer, so bear with me when things might not be 100% according to the book.

The gui package uploaded to the repository differs from the .DEB I posted earlier in this thread only in the 2nd default parameter, the one to disable server cert verification. The openconnect package itself is the same as the .DEB I included in this thread.

'Normal' people should get an upgrade notice in FAP; early adopters who already installed the thread versions might have to do a --reinstall (or remove & install) to get the latest repository versions.

Please let me know how things are going.

The "real" flexible way of entering 'random' cross-profile params will take a bit longer. That's why I released this quick fix for the gui. It will be enough (I think) for at least 80% of all N900 openconnect users.
 

Posts: 90 | Thanked: 44 times | Joined on Aug 2010
#69
The gui is now working flawlessly for me, after entering the authgroup parameter.

BUT I had an issue: after connecting to wlan + connecting to the vpn via gui several times, openconnect was not starting via gui nor via xterm; a reboot solved it for the moment, but I don't know how to reproduce it (that's something I can live with, though).
 
Posts: 323 | Thanked: 180 times | Joined on Oct 2009 @ Gent, Belgium
#70
Hmm, a bit lost on the possible reason for openconnect not starting. I haven't seen this odd behaviour yet.

When it happens, can you provide me here a full log from the xterm, using the --verbose parameter as well?
I can then have a look (positive thinking) to see if I can spot something weird.

If not, I might have to take it upstream, to the openconnect devs, for further investigation.

Thanks for testing and glad you like it so far. With all the storms around Nokia/Microsoft/Meego now, we can only try to make our N900 as good as possible and prolong its life, as I don't think there's a real alternative yet.
 
