<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<title>OpenConnect</title>
</head>
<body>
<h1>OpenConnect</h1>
<P>OpenConnect is a client for Cisco's <A HREF="http://www.cisco.com/web/go/sslvpn">AnyConnect SSL VPN</A>, which is supported by the ASA5500 Series, by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers, and probably others.</P>
<P>OpenConnect is released under the GNU Lesser General Public License, version 2.1.</P>
<P>Like <A HREF="http://www.unix-ag.uni-kl.de/~massar/vpnc/">vpnc</A>,
OpenConnect is not officially supported by, or associated in any way
with, Cisco Systems. It just happens to interoperate with their
equipment.
<P>
Development of OpenConnect was started after a trial of their "official"
client under Linux found it to have many deficiencies:
<UL>
<LI>Inability to use SSL certificates from a <A HREF="http://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM</A>, or even use a passphrase.</LI>
<LI>Lack of support for Linux platforms other than i386.</LI>
<LI>Lack of integration with NetworkManager on the Linux desktop.</LI>
<LI>Lack of proper (RPM/DEB) packaging for Linux distributions.</LI>
<LI>"Stealth" use of libraries with <TT>dlopen()</TT>, even using
the development-only symlinks such as <TT>libz.so</TT> —
making it hard to properly discover the dependencies which
proper packaging would have expressed</LI>
<LI>Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.</LI>
<LI>Unable to run as an unprivileged user, which would have reduced the severity of the above bug.</LI>
<LI>Inability to audit the source code for further such "Security 101" bugs.</LI>
</UL>
Naturally, OpenConnect addresses all of the above issues, and more.
<H2>Getting started</H2>
Before you get dismayed by the badly laid out information below,
here's a simple intro to using OpenConnect.
<OL>
<LI>Install OpenConnect.<BR>
Some distributions like Fedora have packages; otherwise you can
download it and type '<TT>make</TT>' to build it. To build it,
you'll want development packages for <TT>libxml2</TT>, <TT>zlib</TT>
and obviously <TT>OpenSSL</TT> to be installed.
</LI>
<LI>Install a <TT>vpnc-script</TT>.<BR>
This script is what sets up all the addresses and routes for you; it's the
same as <TT>vpnc</TT>'s. You can get one from <A HREF="http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script">here</A> if you don't have one — or if you need IPv6 or Solaris support, which the <TT>vpnc</TT> version lacks. <I>(Note that the script needs to be executable, and stored somewhere where SELinux or similar security setups won't prevent the root user from accessing it.)</I></LI>
<LI>Connect to your server, running as root:<BR>
<TT>openconnect --script /etc/vpnc/vpnc-script https://vpn.mycompany.com/</TT></LI>
</OL>
That should be it, if you have a password-based login. If you use
certificates, you'll need to tell OpenConnect where to find the
certificate with the <TT>-c</TT> option. You might need to steal the
certificate from your Windows certificate store using a tool like <A
HREF="https://www.isecpartners.com/jailbreak.html">Jailbreak</A>.
<P>
You can ignore anything you see below about needing to patch OpenSSL
so that DTLS works — you don't really need it, although it will
make your connections much faster if you're experiencing packet loss
between you and the VPN server. But you can worry about that later.
<H2>Supported Platforms</H2>
OpenConnect is known to work on Linux, OpenBSD, FreeBSD, NetBSD, DragonFly BSD, OpenSolaris
and Mac OS X platforms, and should be trivially portable to any other platform
supporting <A HREF="http://en.wikipedia.org/wiki/TUN/TAP">TUN/TAP</a>
devices and on which <A HREF="http://www.openssl.org/">OpenSSL</a> runs.
IPv6 support is tested on Linux, FreeBSD and OpenSolaris.<P>
For Solaris support, and for IPv6 on any platform, the
<tt>vpnc-script</tt> shipped with vpnc itself (as of v0.5.3)
is not sufficient. It is necessary to use the script from my <A
HREF="http://git.infradead.org/users/dwmw2/vpnc-scripts.git">vpnc-scripts</A>
repository instead.
<P>
It is known to work on at least i386, x86_64, PowerPC and MIPS
processors, and should not have issues with portability to other CPUs.
<P>Note that 'Cisco Secure Desktop' support may require the ability to run Linux/i386 binaries; see <A HREF="#csd">below</A>.</P>
<H2>Features</H2>
<UL>
<LI>Connection through HTTP proxy, including <A HREF="http://code.google.com/p/libproxy/">libproxy</A> support for automatic proxy configuration.</LI>
<LI>Connection through SOCKS5 proxy.</LI>
<LI>Automatic detection of IPv4 and IPv6 address, routes.</LI>
<LI>Authentication via HTTP forms.</LI>
<LI>Authentication using SSL certificates, from local file or <A HREF="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted Platform Module</A>.</LI>
<LI><I>UserGroup</I> support for selecting between multiple configurations on a single VPN server.</LI>
<LI>Data transport over TCP <I>(HTTPS)</I> or UDP <I>(DTLS)</I>.</LI>
<LI>Keepalive and Dead Peer Detection on both HTTPS and DTLS.</LI>
<LI>Automatic update of VPN server list / configuration.</LI>
<LI>Roaming support, allowing reconnection when the local IP address changes.</LI>
<LI>Run without root privileges.</LI>
<LI>"Cisco Secure Desktop" support <I>(see below)</I>.</LI>
</UL>
<H3>Running as non-root</H3>
There are two ways that OpenConnect can run without root
privileges. The first is that it can use a tun device which is created
in advance by the root user, and set to be owned by the user who runs
OpenConnect.<P>
The second is that it can avoid using the tun device altogether and
instead spawn a user-supplied program, passing all data traffic
through a UNIX socket to that program. This latter option can be used
in conjunction with a userspace TCP stack such as <A
HREF="http://savannah.nongnu.org/projects/lwip/">lwip</A> to provide
SOCKS access to the VPN without giving full access to all untrusted
users and processes on the computer, and without requiring root
privileges at all.
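<P>As an added example of the second, socket-based mode (this is not OpenConnect's own code, nor the lwip gateway the text mentions), the Python program below could be supplied as that user program: it reads packets from the socket and logs their IPv4 header fields after validating them, never writing anything back. It assumes that the socket arrives on the program's standard input/output and that each datagram carries one complete IP packet (the page does not specify the framing), and the packet it is tested with is constructed by <TT>build_ipv4()</TT>.</P>

```python
"""Decode IPv4 packets handed to a user-supplied program over a UNIX socket.

Added example, not OpenConnect's own code.  Assumptions: the spawned program
receives the socket on its standard input/output and each datagram carries
one complete IP packet; the sample packet is constructed with build_ipv4()."""

import socket
import struct
import sys

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def header_checksum(header):
    """RFC 791 ones-complement sum over the header; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Return the fields a traffic log needs; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4 (version %d)" % (ver_ihl >> 4))
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("header/total length inconsistent with packet size")
    if header_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "payload_len": total_len - ihl,
    }


def is_valid_packet(packet):
    """Boolean wrapper for callers that only want accept/reject."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet; only used to construct sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = header_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def observe(sock, log=sys.stderr):
    """Read packets until the socket closes, logging one line per packet.
    Nothing is written back: this process only observes the tunnel."""
    count = 0
    while True:
        data = sock.recv(65535)
        if not data:
            return count
        count += 1
        try:
            info = parse_ipv4(data)
            log.write("%(src)s -> %(dst)s %(proto_name)s ttl=%(ttl)d "
                      "len=%(payload_len)d\n" % info)
        except ValueError as exc:
            log.write("dropped malformed packet: %s\n" % exc)


if __name__ == "__main__":
    # Assumption: fd 0 is the UNIX socket OpenConnect handed to this program.
    observe(socket.socket(fileno=0))
```

<P>A real SOCKS gateway built on lwip would replace <TT>observe()</TT> with the stack's input routine; the validation step is the part worth keeping, since whatever sits on the far side of the tunnel can send arbitrary packets to the unprivileged process.</P>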
<H3><A NAME="csd">Cisco Secure Desktop</A></H3>
The 'Cisco Secure Desktop' is a bit of a misnomer — it works by
downloading a trojan binary from the server and running it on your
client machine to perform some kind of 'verification' and post its
approval back to the server. This seems anything <em>but</em> secure
to me, especially given their history of trivially-exploitable
bugs.<P>
It's also fairly easy to subvert, by running your own modified binary
instead of the one you download from the server. Or by running their
binary but poking at it with gdb.<P>
We support this idiocy, but because of the security concerns the
trojan will be executed only if a userid is specified on the command
line using the <TT>--csd-user=</TT> option.
<P>
This support currently only works when the server has a Linux binary
installed, and only when that Linux binary runs on the client machine.
<H2>Mailing list</H2>
There is a mailing list at <TT><A
HREF="mailto:openconnect-devel@lists.infradead.org">
openconnect-devel@lists.infradead.org</A></TT>. To subscribe, visit the <A
HREF="http://lists.infradead.org/mailman/listinfo/openconnect-devel">Mailman admin page</A>.
<H2>TODO</H2>
<UL>
<LI>Testing IPv6 on more platforms (only Linux, FreeBSD, Solaris are tested so far).</LI>
<LI>Better support for running or emulating the 'Cisco Secure Desktop' trojan.</LI>
<LI>More platform support: Windows, Symbian, etc.</LI>
<LI>GUI for OS X, perhaps based on <A HREF="http://code.google.com/p/tunnelblick/">Tunnelblick</A>.</LI>
</UL>
<P>
Platform support for new UNIX systems is relatively simple to add
— most of the difference is in the TUN/TAP device handling, and
the major variants of that are already supported.
<P>
A port to Windows should be fairly simple, since a TUN/TAP driver
exists for Windows and Cygwin should make the basic port work OK.
<P>
A port to Symbian, to provide VPN connectivity on phone handsets,
would be very useful. Any volunteers?
<H2>Download</H2>
Development of OpenConnect is in the git repository at
<TT>git://git.infradead.org/users/dwmw2/openconnect.git</TT>, which can be viewed in gitweb at <A HREF="http://git.infradead.org/users/dwmw2/openconnect.git">http://git.infradead.org/users/dwmw2/openconnect.git</A>
<P>
Tarball releases can be downloaded from <A HREF="ftp://ftp.infradead.org/pub/openconnect/">ftp://ftp.infradead.org/pub/openconnect/</A>
<H2>Release Notes / Changelog</H2>
For full changelog entries including the latest development, see
<A HREF="http://git.infradead.org/users/dwmw2/openconnect.git">gitweb</A>.
<UL>
<LI><B>OpenConnect HEAD</B><BR>
<UL>
<LI><I>No changelog entries yet</I></LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz">OpenConnect v2.25</a></B> — 2010-05-15<BR>
<UL>
<LI>Always validate server certificate, even when no extra <TT>--cafile</TT> is provided.</LI>
<LI>Add <TT>--no-cert-check</TT> option to avoid certificate validation.</LI>
<LI>Check server hostname against its certificate.</LI>
<LI>Provide text-mode function for reviewing and accepting "invalid" certificates.</LI>
<LI>Fix libproxy detection on NetBSD.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.24.tar.gz">OpenConnect v2.24</a></B> — 2010-05-07<BR>
<UL>
<LI>Forget preconfigured password after a single attempt; don't retry infinitely if it's failing.</LI>
<LI>Set <TT>$CISCO_BANNER</TT> environment variable when running script.</LI>
<LI>Better handling of passphrase failure on certificate files.</LI>
<LI>Fix NetBSD build (thanks to Pouya D. Tafti).</LI>
<LI>Fix DragonFly BSD build.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.23.tar.gz">OpenConnect v2.23</a></B> — 2010-04-09<BR>
<UL>
<LI>Support "Cisco Secure Desktop" trojan in NetworkManager auth-dialog.</LI>
<LI>Support proxy in NetworkManager auth-dialog.</LI>
<LI>Add <TT>--no-http-keepalive</TT> option to work around Cisco's incompetence.</LI>
<LI>Fix build on Debian/kFreeBSD.</LI>
<LI>Fix crash on receiving HTTP 404 error.</LI>
<LI>Improve workaround for server certificates lacking SSL_SERVER purpose, so that it also works with OpenSSL older than 0.9.8k.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.22.tar.gz">OpenConnect v2.22</a></B> — 2010-03-07<BR>
<UL>
<LI>Fix bug handling port numbers above 9999.</LI>
<LI>Ignore "<TT>Connection: Keep-Alive</TT>" in HTTP/1.0 to work around server bug with certificate authentication.</LI>
<LI>Handle non-standard port (and full URLs) when used with NetworkManager.</LI>
<LI>Cope with relative redirect and form URLs.</LI>
<LI>Allocate HTTP receive buffer dynamically, to cope with arbitrary size of content.</LI>
<LI>Fix server cert SHA1 comparison to be case-insensitive.</LI>
<LI>Fix build on Solaris and OSX <I>(<TT>strndup()</TT>, <TT>AI_NUMERICSERV</TT>).</I></LI>
<LI>Fix exit code with <TT>--background</TT> option.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.21.tar.gz">OpenConnect v2.21</a></B> — 2010-01-10<BR>
<UL>
<LI>Fix handling of HTTP 1.0 responses with keepalive <A HREF="https://bugzilla.redhat.com/show_bug.cgi?id=553817"><I>(RH#553817)</I></A>.</LI>
<LI>Fix case sensitivity in HTTP headers and hostname comparison on redirect.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.20.tar.gz">OpenConnect v2.20</a></B> — 2010-01-04<BR>
<UL>
<LI>Fix use-after-free bug in NetworkManager authentication dialog <A HREF="https://bugzilla.redhat.com/show_bug.cgi?id=551665"><I>(RH#551665)</I></A>.</LI>
<LI>Allow server to be specified with <TT>https://</TT> URL, including port and pathname (which Cisco calls 'UserGroup')</LI>
<LI>Support connection through HTTP and SOCKS proxies.</LI>
<LI>Handle HTTP redirection with port numbers.</LI>
<LI>Handle HTTP redirection with IPv6 literal addresses.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.12.tar.gz">OpenConnect v2.12</a></B> — 2009-12-07<BR>
<UL>
<LI>Fix buffer overflow when generating useragent string.</LI>
<LI>Cope with idiotic schizoDNS configurations by not repeating DNS lookup for VPN server on reconnects.</LI>
<LI>Support DragonFlyBSD. Probably.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.11.tar.gz">OpenConnect v2.11</a></B> — 2009-11-17<BR>
<UL>
<LI>Add IPv6 support for FreeBSD.</LI>
<LI>Support "split tunnel" mode for IPv6 routing.</LI>
<LI>Fix bug where client certificate's MD5 was only given to the
CSD trojan if a PKCS#12 certificate was used.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.10.tar.gz">OpenConnect v2.10</a></B> — 2009-11-04<BR>
<UL>
<LI>OpenSolaris support.</LI>
<LI>Preliminary support for IPv6 connectivity.</LI>
<LI>Fix session shutdown on exit.</LI>
<LI>Fix reconnection when TCP connection is closed.</LI>
<LI>Support for "Cisco Secure Desktop" idiocy.</LI>
<LI>Allow <TT>User-Agent:</TT> to be specified on command line.</LI>
<LI>Fix session termination on disconnect.</LI>
<LI>Fix recognition of certificates from OpenSSL 1.0.0.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.01.tar.gz">OpenConnect v2.01</a></B> — 2009-06-24<BR>
<UL>
<LI>Fix bug causing loss of DTLS (and lots of syslog spam about it)
after a CSTP reconnection.</LI>
<LI>Don't apply OpenSSL certificate chain workaround if we already
have "extra" certificates loaded (e.g. from a PKCS#12 file).</LI>
<LI>Load "extra" certificates from <TT>.pem</TT> files too.</LI>
<LI>Fix SEGV caused by freeing certificates after processing cert
chain.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.00.tar.gz">OpenConnect v2.00</a></B> — 2009-06-03<BR>
<UL>
<LI>Add OpenBSD and FreeBSD support.</LI>
<LI>Build with OpenSSL-0.9.7 (Mac OS X, OpenBSD, etc.)</LI>
<LI>Support PKCS#12 certificates.</LI>
<LI>Automatic detection of certificate type (PKCS#12, PEM, TPM).</LI>
<LI>Work around OpenSSL trust chain issues (<A HREF="http://rt.openssl.org/Ticket/Display.html?id=1942&user=guest&pass=guest">RT#1942</A>).</LI>
<LI>Allow PEM passphrase to be specified on command line.</LI>
<LI>Allow PEM passphrase automatically generated from the <TT>fsid</TT> of the file system on which the certificate is stored.</LI>
<LI>Fix certificate comparisons (in NM auth-dialog and <TT>--servercert</TT> option) to use SHA1 fingerprint, not signature.</LI>
<LI>Fix segfault in NM auth-dialog when changing hosts.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-1.40.tar.gz">OpenConnect v1.40</a></B> — 2009-05-27<BR>
<UL>
<LI>Fix validation of server's SSL certificate when NetworkManager runs openconnect as an unprivileged user (which can't read the real user's trust chain file).</LI>
<LI>Fix double-free of DTLS Cipher option on reconnect.</LI>
<LI>Reconnect on SSL write errors</LI>
<LI>Fix reporting of SSL errors through syslog/UI.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-1.30.tar.gz">OpenConnect v1.30</a></B> — 2009-05-13<BR>
<UL>
<LI>NetworkManager auth-dialog will now cache authentication form options.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-1.20.tar.gz">OpenConnect v1.20</a></B> — 2009-05-08<BR>
<UL>
<LI>DTLS cipher choice fixes.</LI>
<LI>Improve handling of authentication group selection.</LI>
<LI>Export more information to connection script.</LI>
<LI>Add <TT>--background</TT> option to dæmonize after connection.</LI>
<LI>Detect TCP connection closure.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-1.10.tar.gz">OpenConnect v1.10</a></B> — 2009-04-01<BR>
<UL>
<LI>NetworkManager UI rewrite with many improvements.</LI>
<LI>Support for "UserGroups" where a single server offers multiple
configurations according to the URL used to connect.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-1.00.tar.gz">OpenConnect v1.00</a></B> — 2009-03-18<BR>
<UL>
<LI>First non-beta release.</LI>
</UL>
</LI>
</UL>
<H2>NetworkManager support</H2>
Support for OpenConnect in NetworkManager has been integrated into
GNOME git and is released alongside NetworkManager's other VPN modules:
<A HREF="http://ftp.gnome.org/pub/GNOME/sources/NetworkManager-openconnect/">
http://ftp.gnome.org/pub/GNOME/sources/NetworkManager-openconnect/</A>.<P>
Unlike other VPN support in NetworkManager, the <TT>auth-dialog</TT>
tool which handles GUI authentication is part of OpenConnect itself,
rather than included in the <TT>network-manager-openconnect</TT>
package. This is because it shares a lot of code with OpenConnect, but
doesn't actually share any with NetworkManager or the other parts of
the NetworkManager support.
<H2>ConnMan support</H2>
Basic support for OpenConnect in <A
HREF="http://moblin.org/projects/connection-manager">ConnMan</A> has
been submitted, and is pending approval. It can be obtained from the
git repository at
<TT>git://git.infradead.org/users/dwmw2/connman-openconnect.git</TT>;
browsable in <A HREF="http://git.infradead.org/users/dwmw2/connman-openconnect.git">gitweb</A>.
<H2>Requirements</H2>
The basic text-mode client uses the following libraries:
<UL>
<LI><B>OpenSSL</B> — ideally at least 0.9.8m, although all versions from 0.9.7 onwards will work for basic connectivity. See note on DTLS compatibility below.</LI>
<LI><B>libxml2</B></LI>
<LI><B>zlib</B></LI>
<LI><B><A HREF="http://code.google.com/p/libproxy/">libproxy</A></B> <I>(optionally)</I></LI>
</UL>
Mac OS X users will also need to install the
<A HREF="http://tuntaposx.sourceforge.net/">Mac OS X tun/tap driver</A>, and Solaris users will need the <A HREF="http://www.whiteboard.ne.jp/~admin2/tuntap/">Solaris one</A>. Note that for IPv6 support, the Solaris tun/tap driver from 16th Nov 2009 or newer is required.<P>
For building the NetworkManager support, you will also need:
<UL>
<LI><B>GTK</B></LI>
<LI><B>GConf</B></LI>
</UL>
Patches converting OpenConnect from libxml2 to something more compact like expat would be welcomed...
<HR>
<H2>How the VPN works</H2>
The VPN is extremely simple, based almost entirely on the standard
HTTPS and <A HREF="http://www.rfc-editor.org/rfc/rfc4347.txt">DTLS</A>
protocols. You connect to the secure web server, authenticate using
certificates and/or arbitrary web forms, and you are rewarded with a
standard HTTP cookie.<P>
You then use this cookie in an HTTP <TT>CONNECT</TT> request, and can
then pass traffic over that connection. IP addresses and routing
information are passed back and forth in the headers of that
<TT>CONNECT</TT> request.<P>
Since <A HREF="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
over TCP is very suboptimal</A>, the VPN also attempts to use UDP
datagrams, and will only <em>actually</em> pass traffic over the HTTPS
connection if that fails. The UDP connectivity is done using Datagram
TLS, which is supported by OpenSSL.
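<P>As an added example of the <TT>CONNECT</TT> step described above (this is not OpenConnect's own code), the Python snippet below parses the headers a server returns on the tunnel <TT>CONNECT</TT> and turns them into a client IP configuration. The <TT>X-CSTP-*</TT> and <TT>X-DTLS-*</TT> header names are the AnyConnect protocol's own but are not listed on this page, so treat them as an assumption here, as is the constructed sample response. The status check and the case-insensitive header handling mirror the fixes recorded in the changelog (crash on HTTP 404, header case sensitivity).</P>

```python
"""Parse the server's reply to the tunnel CONNECT request into an IP config.

Added example, not OpenConnect's own code.  Assumptions: the X-CSTP-* /
X-DTLS-* header names (the AnyConnect protocol's own, not listed on the page)
and the constructed SAMPLE_RESPONSE below."""

import ipaddress

# Constructed sample reply to the CONNECT request that opens the tunnel.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-CSTP-Version: 1\r\n"
    "X-CSTP-Address: 10.8.0.17\r\n"
    "X-CSTP-Netmask: 255.255.255.0\r\n"
    "x-cstp-dns: 10.8.0.1\r\n"          # mixed case on purpose
    "X-CSTP-DNS: 10.8.0.2\r\n"
    "X-CSTP-Split-Include: 10.10.0.0/255.255.0.0\r\n"
    "X-CSTP-Split-Include: 192.168.50.0/24\r\n"
    "X-CSTP-MTU: 1406\r\n"
    "X-CSTP-Keepalive: 20\r\n"
    "X-CSTP-DPD: 30\r\n"
    "X-DTLS-Port: 443\r\n"
    "X-DTLS-Session-ID: 0123456789abcdef\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (status_code, [(name, value), ...]) with names lower-cased.

    HTTP header names are case-insensitive; lower-casing them here is the
    same class of fix the v2.21 changelog entry on this page describes."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line: %r" % lines[0])
    status = int(parts[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def tunnel_config(raw):
    """Derive address, netmask, DNS, split routes, timers and DTLS parameters.

    Every value is validated (ipaddress raises on garbage) before it is
    returned, since these values end up in routing commands run as root."""
    status, headers = parse_headers(raw)
    if status != 200:
        # The v2.23 changelog records a crash on a 404 here; fail cleanly instead.
        raise ValueError("CONNECT rejected with HTTP status %d" % status)
    cfg = {"dns": [], "routes": [], "dtls": None}
    dtls = {}
    for name, value in headers:
        if name == "x-cstp-address":
            cfg["address"] = ipaddress.IPv4Address(value)
        elif name == "x-cstp-netmask":
            cfg["netmask"] = ipaddress.IPv4Address(value)
        elif name == "x-cstp-dns":
            cfg["dns"].append(ipaddress.IPv4Address(value))
        elif name == "x-cstp-split-include":
            # Accepts both "net/netmask" and "net/prefixlen" forms.
            cfg["routes"].append(ipaddress.IPv4Network(value, strict=True))
        elif name in ("x-cstp-mtu", "x-cstp-keepalive", "x-cstp-dpd"):
            cfg[name[len("x-cstp-"):]] = int(value)
        elif name == "x-dtls-port":
            dtls["port"] = int(value)
        elif name == "x-dtls-session-id":
            dtls["session_id"] = bytes.fromhex(value)
    if "address" not in cfg or "netmask" not in cfg:
        raise ValueError("server supplied no tunnel address/netmask")
    # DTLS is attempted only if the server offered both parameters; otherwise
    # traffic simply stays on the HTTPS connection, as the text above says.
    if "port" in dtls and "session_id" in dtls:
        cfg["dtls"] = dtls
    return cfg


if __name__ == "__main__":
    for key, value in sorted(tunnel_config(SAMPLE_RESPONSE).items()):
        print("%-9s %s" % (key, value))
```

<P>Anything that does not parse as a valid address or network is rejected rather than handed on, which is the behaviour you want from code whose output is fed to a <TT>vpnc-script</TT> running as root.</P>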
<H2>OpenSSL/DTLS compatibility</H2>
<I><B>Note: DTLS is optional and not required for basic connectivity, as explained above.</B></I><P>
Unfortunately, Cisco used an old version of OpenSSL for their server,
which predates the official RFC and has a few differences in the
implementation of DTLS.
<P>
Compatibility support for their "speshul" version of the protocol is
in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).
<P>
If you are using an older version of OpenSSL, DTLS will
only work if you apply this patch from OpenSSL CVS:
<UL>
<LI><A HREF="http://cvs.openssl.org/chngview?cn=18037">http://cvs.openssl.org/chngview?cn=18037</A> (OpenSSL <A HREF="http://rt.openssl.org/Ticket/Display.html?id=1751&user=guest&pass=guest">RT#1751</A>)</LI>
</UL>
For versions older than 0.9.8j, some generic DTLS bug fixes are also required:
<UL>
<LI><A HREF="http://cvs.openssl.org/chngview?cn=17500">http://cvs.openssl.org/chngview?cn=17500</A> (OpenSSL <A HREF="http://rt.openssl.org/Ticket/Display.html?id=1703&user=guest&pass=guest">RT#1703</A>)</LI>
<LI><A HREF="http://cvs.openssl.org/chngview?cn=17505">http://cvs.openssl.org/chngview?cn=17505</A> (OpenSSL <A HREF="http://rt.openssl.org/Ticket/Display.html?id=1752&user=guest&pass=guest">RT#1752</A>) </LI>
</UL>
The username/password for OpenSSL RT is 'guest/guest'.
<Hr>
<H2>Distribution Status</H2>
<I>Updates to the information below are welcomed, especially for distributions (including *BSD etc.) which aren't yet mentioned.</I>
<H3>Fedora</H3>
Both <TT>openconnect</TT> and <TT>NetworkManager-openconnect</TT> packages are included in Fedora.
Fedora's OpenSSL packages include all required patches for DTLS compatibility.
<H3>Debian</H3>
The <TT>openconnect</TT> and <TT>network-manager-openconnect</TT> packages are available in unstable and testing.<BR>
<A HREF="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524982">Debian bug #524982</A> has been filed, requesting that the required patches be included in Debian's OpenSSL package.<P>
<H3>Ubuntu</H3>
Reasonably current versions of the required packages are finally included in Ubuntu 10.04 "Lucid". Older releases still have <A HREF="https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/516318">out of date OpenSSL</A> and <A HREF="https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/516324">out of date OpenConnect which doesn't work around the latest Cisco bugs</A>.
<H3>Gentoo</H3>
<A HREF="http://bugs.gentoo.org/show_bug.cgi?id=263097">Gentoo bug #263097</A> has been filed, asking for <TT>openconnect</TT> to be packaged.
<H3>NetBSD, DragonFly BSD, etc. <i>(pkgsrc)</i></H3>
There are packages for <A HREF="http://pkgsrc-wip.cvs.sourceforge.net/viewvc/pkgsrc-wip/wip/vpnc-script/">vpnc-script</A> and <A HREF="http://pkgsrc-wip.cvs.sourceforge.net/viewvc/pkgsrc-wip/wip/openconnect/">openconnect</A> in the pkgsrc-wip repository <I>(<A HREF="http://pkgsrc-wip.sourceforge.net/">pkgsrc-wip.sf.net</A>)</I>.
<H3>FreeBSD</H3>
An <TT>openconnect</TT> <A HREF="http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openconnect/">port</A> is available for FreeBSD. FreeBSD does not yet ship a version of OpenSSL which supports Cisco's "speshul" version of DTLS.
<hr>
<address>David Woodhouse <<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>></address>
<!-- hhmts start -->
Last modified: Sat May 15 09:23:37 BST 2010
<!-- hhmts end -->
</body> </html>