
I'm using 'OpenConnect version v8.05' on Red Hat Enterprise Linux 8.1 (Ootpa) in order to connect to a server.
The server only accepts SSLv3, TLSv1.0 ciphers and I don't have access to the server for security update/upgrade.
When I try to connect:

    [root@RHEL8 ~]# openconnect --authenticate XXX.XXX.XXX.XXX:443 -status -msg -debug
    MTU 0 too small
    POST https://XXX.XXX.XXX.XXX/
    Connected to XXX.XXX.XXX.XXX:443
    SSL negotiation with XXX.XXX.XXX.XXX
    SSL connection failure: A packet with illegal or unsupported version was received.
    Failed to open HTTPS connection to XXX.XXX.XXX.XXX
    Failed to obtain WebVPN cookie

I have changed OpenSSL Min SSL Protocol by changing:

    /etc/crypto-policies/back-ends/opensslcnf.config
    MinProtocol = TLSv1.0

Now I'm able to handshake the server using 'openssl s_client -connect'. But the openconnect client is not yet able to connect to the server.

How can I force it to use TLS 1.0?

Kayvan Tehrani

1 Answer


I have filed an issue on their community issue tracker and got useful info. It is possible to allow this insecure connection with any version newer than 8.05 (currently not available in RPM repositories), as mentioned by the maintainer:

    $ ./openconnect --gnutls-priority "NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:+COMP-ALL:+KX-ALL" ***
Kayvan Tehrani
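Added example (not part of the original answer and not OpenConnect or GnuTLS code): a small Python audit that splits the priority string quoted in the answer into its parts and lists the legacy protocol and cipher tokens it enables, which helps when reviewing wrapper scripts that carry such overrides. The category rules and the `LEGACY` set are simplifying assumptions of this example, and base keywords other than `NONE` are recorded but not expanded.

```python
# Audit a GnuTLS priority string for legacy protocol/cipher tokens.
# LEGACY, MACS and PREFIXES are assumptions of this example, not a GnuTLS table.
LEGACY = {"VERS-SSL3.0", "VERS-TLS1.0", "3DES-CBC", "ARCFOUR-128", "MD5"}
MACS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512", "AEAD", "MAC-ALL"}
PREFIXES = (("VERS-", "protocol"), ("KX-", "key_exchange"),
            ("COMP-", "compression"), ("SIGN-", "signature"),
            ("CURVE-", "group"), ("GROUP-", "group"), ("CTYPE-", "cert_type"))

# The string from the answer above.
ANSWER_PRIORITY = ("NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:"
                   "%SSL3_RECORD_VERSION:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:"
                   "+COMP-ALL:+KX-ALL")


def category(name):
    """Classify a token by its prefix; anything unrecognised counts as a cipher."""
    for prefix, cat in PREFIXES:
        if name.startswith(prefix):
            return cat
    return "mac" if name in MACS else "cipher"


def audit_priority(priority):
    """Return base keyword, % flags, enabled tokens by category, and legacy hits."""
    result = {"base": None, "flags": [], "enabled": {}, "legacy": []}
    tokens = [t for t in priority.split(":") if t]
    for index, tok in enumerate(tokens):
        if tok.startswith("%"):                 # special option, e.g. %NO_EXTENSIONS
            result["flags"].append(tok[1:])
        elif tok[0] == "+":                     # add an algorithm or version
            name = tok[1:]
            result["enabled"].setdefault(category(name), []).append(name)
        elif tok[0] in "-!":                    # remove a previously added token
            name = tok[1:]
            members = result["enabled"].get(category(name), [])
            if name in members:
                members.remove(name)
        elif index == 0:                        # initial keyword such as NONE
            result["base"] = tok
    result["legacy"] = sorted(
        n for names in result["enabled"].values() for n in names if n in LEGACY)
    return result


if __name__ == "__main__":
    report = audit_priority(ANSWER_PRIORITY)
    print("base:", report["base"], "flags:", report["flags"])
    print("legacy tokens enabled:", report["legacy"])
```
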