<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<div></div>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">After I upgraded Fedora 29 I am not able to connect to anyconnect VPN any more. The error is:</p>
<blockquote dir="auto">
<p>SSL connection failure: A TLS fatal alert has been received.</p>
</blockquote>
<p dir="auto">After further investigation I installed gnutls 3.5.18 from source and did a test via</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">gnutls-cli -V -p 443 vpn.gateway.url --debug=2</span></code></pre>
<details>
<summary>Success with version 3.8.15</summary>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"></span>
<span id="LC2" class="line" lang="plaintext">Processed 156 CA certificate(s).</span>
<span id="LC3" class="line" lang="plaintext">Resolving 'vpn.gateway.url:443'...</span>
<span id="LC4" class="line" lang="plaintext">Connecting to '123.123.123.123:443'...</span>
<span id="LC5" class="line" lang="plaintext">|<2>| HSK[0xddd6e0]: sent server name: 'vpn.gateway.url'</span>
<span id="LC6" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC7" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC8" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC9" class="line" lang="plaintext"> - X.509 Certificate Information:</span>
<span id="LC10" class="line" lang="plaintext"> Version: 3</span>
<span id="LC11" class="line" lang="plaintext"> Serial Number (hex): 18a8ff230001000017a5</span>
<span id="LC12" class="line" lang="plaintext"> Issuer: CN=COMPANY Issuing CA,OU=IT,O=COMPANY,C=DE</span>
<span id="LC13" class="line" lang="plaintext"> Validity:</span>
<span id="LC14" class="line" lang="plaintext"> Not Before: Wed Sep 20 07:56:36 UTC 2017</span>
<span id="LC15" class="line" lang="plaintext"> Not After: Fri Sep 20 08:06:36 UTC 2019</span>
<span id="LC16" class="line" lang="plaintext"> Subject: CN=vpn.gateway.url,1.2.840.113549.1.9.2=#131166772d6d75632d30312e6d7765612e6465</span>
<span id="LC17" class="line" lang="plaintext"> Subject Public Key Algorithm: RSA</span>
<span id="LC18" class="line" lang="plaintext"> Algorithm Security Level: Medium (2048 bits)</span>
<span id="LC19" class="line" lang="plaintext"> Modulus (bits 2048):</span>
<span id="LC20" class="line" lang="plaintext"> 00:a9:[stripped for sec reasons]:0a:a8</span>
<span id="LC21" class="line" lang="plaintext"> 0f</span>
<span id="LC22" class="line" lang="plaintext"> Exponent (bits 24):</span>
<span id="LC23" class="line" lang="plaintext"> 01:00:01</span>
<span id="LC24" class="line" lang="plaintext"> Extensions:</span>
<span id="LC25" class="line" lang="plaintext"> Key Usage (critical):</span>
<span id="LC26" class="line" lang="plaintext"> Digital signature.</span>
<span id="LC27" class="line" lang="plaintext"> Key encipherment.</span>
<span id="LC28" class="line" lang="plaintext"> Subject Alternative Name (not critical):</span>
<span id="LC29" class="line" lang="plaintext"> DNSname: vpn.gateway.url</span>
<span id="LC30" class="line" lang="plaintext"> DNSname: ...</span>
<span id="LC31" class="line" lang="plaintext"> DNSname: ...</span>
<span id="LC32" class="line" lang="plaintext"> Subject Key Identifier (not critical):</span>
<span id="LC33" class="line" lang="plaintext"> 01cd57c534e1189f9b3153c85a4fa12dff375ed4</span>
<span id="LC34" class="line" lang="plaintext"> Authority Key Identifier (not critical):</span>
<span id="LC35" class="line" lang="plaintext"> 4ac2d8fb3959d083555f0579f1f1bf4541b2ce4c</span>
<span id="LC36" class="line" lang="plaintext"> CRL Distribution points (not critical):</span>
<span id="LC37" class="line" lang="plaintext"> URI: ldap:///CN=Company,CN=CERT-HQ-02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=de?certificateRevocationList?base?objectClass=cRLDistributionPoint</span>
<span id="LC38" class="line" lang="plaintext"> URI: http://ca.company.de/cert.crl</span>
<span id="LC39" class="line" lang="plaintext"> Authority Information Access (not critical):</span>
<span id="LC40" class="line" lang="plaintext"> Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)</span>
<span id="LC41" class="line" lang="plaintext"> Access Location URI: ldap:///CN=Company%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Company,DC=de?cACertificate?base?objectClass=certificationAuthority</span>
<span id="LC42" class="line" lang="plaintext"> Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)</span>
<span id="LC43" class="line" lang="plaintext"> Access Location URI: http://ca.Company.de/cert.crt</span>
<span id="LC44" class="line" lang="plaintext"> Unknown extension 1.3.6.1.4.1.311.21.7 (not critical):</span>
<span id="LC45" class="line" lang="plaintext"> ASCII: 0..&+.....7.....(...Q...........v........k..d...</span>
<span id="LC46" class="line" lang="plaintext"> Hexdump: 302e06262b060104018237150886c7fe288195915186d99b0484d2c81f82ff87761287eb901084f0f96b020164020103</span>
<span id="LC47" class="line" lang="plaintext"> Key Purpose (not critical):</span>
<span id="LC48" class="line" lang="plaintext"> TLS WWW Server.</span>
<span id="LC49" class="line" lang="plaintext"> Unknown extension 1.3.6.1.4.1.311.21.10 (not critical):</span>
<span id="LC50" class="line" lang="plaintext"> ASCII: 0.0...+.......</span>
<span id="LC51" class="line" lang="plaintext"> Hexdump: 300c300a06082b06010505070301</span>
<span id="LC52" class="line" lang="plaintext"> Signature Algorithm: RSA-SHA256</span>
<span id="LC53" class="line" lang="plaintext"> Signature:</span>
<span id="LC54" class="line" lang="plaintext"> 8d:2b:[stripped for sec reasons]:59:0e</span>
<span id="LC55" class="line" lang="plaintext">Other Information:</span>
<span id="LC56" class="line" lang="plaintext"> Fingerprint:</span>
<span id="LC57" class="line" lang="plaintext"> sha1:623479822c783d2bda8f1d4074e15711ad3eb860</span>
<span id="LC58" class="line" lang="plaintext"> sha256:535ec4065ec807977c40334570280165de7957ac29ddc7197ead9e55110ec565</span>
<span id="LC59" class="line" lang="plaintext"> Public Key ID:</span>
<span id="LC60" class="line" lang="plaintext"> sha1:d7261b3e3fc8cc08479a3f3243c39d66b340fe38</span>
<span id="LC61" class="line" lang="plaintext"> sha256:c1b2249cdc672832c56b099a6a1c11a59cfdf2500f112334c3dda20d8d77d8d3</span>
<span id="LC62" class="line" lang="plaintext"> Public Key PIN:</span>
<span id="LC63" class="line" lang="plaintext"> pin-sha256:wbIknNxnKDLFawmaahwRpZz98lAPESM0w92iDY132NM=</span>
<span id="LC64" class="line" lang="plaintext"> Public key's random art:</span>
<span id="LC65" class="line" lang="plaintext"> +--[ RSA 2048]----+</span>
<span id="LC66" class="line" lang="plaintext"> | |</span>
<span id="LC67" class="line" lang="plaintext"> | |</span>
<span id="LC68" class="line" lang="plaintext"> | |</span>
<span id="LC69" class="line" lang="plaintext"> | . . . |</span>
<span id="LC70" class="line" lang="plaintext"> | + =S.+ o |</span>
<span id="LC71" class="line" lang="plaintext"> | X Bo = |</span>
<span id="LC72" class="line" lang="plaintext"> | . @ B+. |</span>
<span id="LC73" class="line" lang="plaintext"> | E * =o. |</span>
<span id="LC74" class="line" lang="plaintext"> | = . .. |</span>
<span id="LC75" class="line" lang="plaintext"> +-----------------+</span>
<span id="LC76" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>
<span id="LC77" class="line" lang="plaintext">[stripped for sec reasons]</span>
<span id="LC78" class="line" lang="plaintext">-----END CERTIFICATE-----</span>
<span id="LC79" class="line" lang="plaintext"></span>
<span id="LC80" class="line" lang="plaintext">Certificate[1] info:</span>
<span id="LC81" class="line" lang="plaintext">X.509 Certificate Information:</span>
<span id="LC82" class="line" lang="plaintext">Version: 3</span>
<span id="LC83" class="line" lang="plaintext">Serial Number (hex): 6131b673000100000006</span>
<span id="LC84" class="line" lang="plaintext">Issuer: CN=Company Root CA,OU=IT,O=Company,C=DE</span>
<span id="LC85" class="line" lang="plaintext">Validity:</span>
<span id="LC86" class="line" lang="plaintext">Not Before: Tue Jan 31 14:50:55 UTC 2017</span>
<span id="LC87" class="line" lang="plaintext">Not After: Sun Jan 31 15:00:55 UTC 2027</span>
<span id="LC88" class="line" lang="plaintext">Subject: CN=Company Issuing CA,OU=IT,O=Company,C=DE</span>
<span id="LC89" class="line" lang="plaintext">Subject Public Key Algorithm: RSA</span>
<span id="LC90" class="line" lang="plaintext">Algorithm Security Level: Medium (2048 bits)</span>
<span id="LC91" class="line" lang="plaintext">Modulus (bits 2048):</span>
<span id="LC92" class="line" lang="plaintext">00:b9:[stripped for sec reasons]:a4:98:5d</span>
<span id="LC93" class="line" lang="plaintext">07</span>
<span id="LC94" class="line" lang="plaintext">Exponent (bits 24):</span>
<span id="LC95" class="line" lang="plaintext">01:00:01</span>
<span id="LC96" class="line" lang="plaintext">Extensions:</span>
<span id="LC97" class="line" lang="plaintext">Unknown extension 1.3.6.1.4.1.311.21.1 (not critical):</span>
<span id="LC98" class="line" lang="plaintext">ASCII: .....</span>
<span id="LC99" class="line" lang="plaintext">Hexdump: 0203010001</span>
<span id="LC100" class="line" lang="plaintext">Unknown extension 1.3.6.1.4.1.311.21.2 (not critical):</span>
<span id="LC101" class="line" lang="plaintext">ASCII: ..?.m.*...o.bH.8m.....</span>
<span id="LC102" class="line" lang="plaintext">Hexdump: 04143fb56dde2af40a886fd96248c8386dc32e13beb9</span>
<span id="LC103" class="line" lang="plaintext">Subject Key Identifier (not critical):</span>
<span id="LC104" class="line" lang="plaintext">4ac2d8fb3959d083555f0579f1f1bf4541b2ce4c</span>
<span id="LC105" class="line" lang="plaintext">Unknown extension 1.3.6.1.4.1.311.20.2 (not critical):</span>
<span id="LC106" class="line" lang="plaintext">ASCII: ...S.u.b.C.A</span>
<span id="LC107" class="line" lang="plaintext">Hexdump: 1e0a00530075006200430041</span>
<span id="LC108" class="line" lang="plaintext">Key Usage (not critical):</span>
<span id="LC109" class="line" lang="plaintext">Digital signature.</span>
<span id="LC110" class="line" lang="plaintext">Certificate signing.</span>
<span id="LC111" class="line" lang="plaintext">CRL signing.</span>
<span id="LC112" class="line" lang="plaintext">Basic Constraints (critical):</span>
<span id="LC113" class="line" lang="plaintext">Certificate Authority (CA): TRUE</span>
<span id="LC114" class="line" lang="plaintext">Authority Key Identifier (not critical):</span>
<span id="LC115" class="line" lang="plaintext">231242231296a321184327fea42e6c9744bd2acd</span>
<span id="LC116" class="line" lang="plaintext">CRL Distribution points (not critical):</span>
<span id="LC117" class="line" lang="plaintext">URI: http://ca.Company.de/cert.crl</span>
<span id="LC118" class="line" lang="plaintext">Authority Information Access (not critical):</span>
<span id="LC119" class="line" lang="plaintext">Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)</span>
<span id="LC120" class="line" lang="plaintext">Access Location URI: http://ca.Company.de/cert.crt</span>
<span id="LC121" class="line" lang="plaintext">Signature Algorithm: RSA-SHA256</span>
<span id="LC122" class="line" lang="plaintext">Signature:</span>
<span id="LC123" class="line" lang="plaintext">1b:da:[stripped for sec reasons]:f5:58</span>
<span id="LC124" class="line" lang="plaintext">Other Information:</span>
<span id="LC125" class="line" lang="plaintext">Fingerprint:</span>
<span id="LC126" class="line" lang="plaintext">sha1:...</span>
<span id="LC127" class="line" lang="plaintext">sha256:...</span>
<span id="LC128" class="line" lang="plaintext">Public Key ID:</span>
<span id="LC129" class="line" lang="plaintext">sha1:...</span>
<span id="LC130" class="line" lang="plaintext">sha256:...</span>
<span id="LC131" class="line" lang="plaintext">Public Key PIN:</span>
<span id="LC132" class="line" lang="plaintext">pin-sha256:...</span>
<span id="LC133" class="line" lang="plaintext">Public key's random art:</span>
<span id="LC134" class="line" lang="plaintext">+--[ RSA 2048]----+</span>
<span id="LC135" class="line" lang="plaintext">| |</span>
<span id="LC136" class="line" lang="plaintext">| |</span>
<span id="LC137" class="line" lang="plaintext">| . . |</span>
<span id="LC138" class="line" lang="plaintext">| . o . |</span>
<span id="LC139" class="line" lang="plaintext">| o S . . .|</span>
<span id="LC140" class="line" lang="plaintext">| . .+.o+|</span>
<span id="LC141" class="line" lang="plaintext">| .. o..+o|</span>
<span id="LC142" class="line" lang="plaintext">| ...+ .=.o|</span>
<span id="LC143" class="line" lang="plaintext">| ..+=..o.oE=|</span>
<span id="LC144" class="line" lang="plaintext">+-----------------+</span>
<span id="LC145" class="line" lang="plaintext"></span>
<span id="LC146" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>
<span id="LC147" class="line" lang="plaintext">[stripped for sec reasons]</span>
<span id="LC148" class="line" lang="plaintext">-----END CERTIFICATE-----</span>
<span id="LC149" class="line" lang="plaintext"></span>
<span id="LC150" class="line" lang="plaintext">Certificate[2] info:</span>
<span id="LC151" class="line" lang="plaintext">X.509 Certificate Information:</span>
<span id="LC152" class="line" lang="plaintext">Version: 3</span>
<span id="LC153" class="line" lang="plaintext">Serial Number (hex): 65c4668ec11c90b94561d2c7a8304140</span>
<span id="LC154" class="line" lang="plaintext">Issuer: CN=Company Root CA,OU=IT,O=Company,C=DE</span>
<span id="LC155" class="line" lang="plaintext">Validity:</span>
<span id="LC156" class="line" lang="plaintext">Not Before: Tue Jan 31 12:33:52 UTC 2017</span>
<span id="LC157" class="line" lang="plaintext">Not After: Sat Jan 31 12:43:52 UTC 2032</span>
<span id="LC158" class="line" lang="plaintext">Subject: CN=Company Root CA,OU=IT,O=Company,C=DE</span>
<span id="LC159" class="line" lang="plaintext">Subject Public Key Algorithm: RSA</span>
<span id="LC160" class="line" lang="plaintext">Algorithm Security Level: High (4096 bits)</span>
<span id="LC161" class="line" lang="plaintext">Modulus (bits 4096):</span>
<span id="LC162" class="line" lang="plaintext">00:b8:e1:2e:[stripped for sec reasons]:70:fe</span>
<span id="LC163" class="line" lang="plaintext">c7</span>
<span id="LC164" class="line" lang="plaintext">Exponent (bits 24):</span>
<span id="LC165" class="line" lang="plaintext">01:00:01</span>
<span id="LC166" class="line" lang="plaintext">Extensions:</span>
<span id="LC167" class="line" lang="plaintext">Key Usage (not critical):</span>
<span id="LC168" class="line" lang="plaintext">Digital signature.</span>
<span id="LC169" class="line" lang="plaintext">Certificate signing.</span>
<span id="LC170" class="line" lang="plaintext">CRL signing.</span>
<span id="LC171" class="line" lang="plaintext">Basic Constraints (critical):</span>
<span id="LC172" class="line" lang="plaintext">Certificate Authority (CA): TRUE</span>
<span id="LC173" class="line" lang="plaintext">Subject Key Identifier (not critical):</span>
<span id="LC174" class="line" lang="plaintext">231242231296a321184327fea42e6c9744bd2acd</span>
<span id="LC175" class="line" lang="plaintext">Unknown extension 1.3.6.1.4.1.311.21.1 (not critical):</span>
<span id="LC176" class="line" lang="plaintext">ASCII: .....</span>
<span id="LC177" class="line" lang="plaintext">Hexdump: 0203010001</span>
<span id="LC178" class="line" lang="plaintext">Unknown extension 1.3.6.1.4.1.311.21.2 (not critical):</span>
<span id="LC179" class="line" lang="plaintext">ASCII: ......F.|7E....&..)mi</span>
<span id="LC180" class="line" lang="plaintext">Hexdump: 0414819414f746907c3745bd2aa5cc9226eefb296d69</span>
<span id="LC181" class="line" lang="plaintext">Signature Algorithm: RSA-SHA256</span>
<span id="LC182" class="line" lang="plaintext">Signature:</span>
<span id="LC183" class="line" lang="plaintext">10:04:[stripped for sec reasons]:68:3e</span>
<span id="LC184" class="line" lang="plaintext">Other Information:</span>
<span id="LC185" class="line" lang="plaintext">Fingerprint:</span>
<span id="LC186" class="line" lang="plaintext">sha1:...</span>
<span id="LC187" class="line" lang="plaintext">sha256:...</span>
<span id="LC188" class="line" lang="plaintext">Public Key ID:</span>
<span id="LC189" class="line" lang="plaintext">sha1:...</span>
<span id="LC190" class="line" lang="plaintext">sha256:...</span>
<span id="LC191" class="line" lang="plaintext">Public Key PIN:</span>
<span id="LC192" class="line" lang="plaintext">pin-sha256:...</span>
<span id="LC193" class="line" lang="plaintext">Public key's random art:</span>
<span id="LC194" class="line" lang="plaintext">+--[ RSA 4096]----+</span>
<span id="LC195" class="line" lang="plaintext">| o+o |</span>
<span id="LC196" class="line" lang="plaintext">| =Eo.. |</span>
<span id="LC197" class="line" lang="plaintext">| . B o . |</span>
<span id="LC198" class="line" lang="plaintext">| o = + |</span>
<span id="LC199" class="line" lang="plaintext">| . S + |</span>
<span id="LC200" class="line" lang="plaintext">| * + . |</span>
<span id="LC201" class="line" lang="plaintext">| o . o . |</span>
<span id="LC202" class="line" lang="plaintext">| .o +o |</span>
<span id="LC203" class="line" lang="plaintext">| oooo. |</span>
<span id="LC204" class="line" lang="plaintext">+-----------------+</span>
<span id="LC205" class="line" lang="plaintext"></span>
<span id="LC206" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>
<span id="LC207" class="line" lang="plaintext">[stripped for sec reasons]</span>
<span id="LC208" class="line" lang="plaintext">-----END CERTIFICATE-----</span>
<span id="LC209" class="line" lang="plaintext"></span>
<span id="LC210" class="line" lang="plaintext"></span>
<span id="LC211" class="line" lang="plaintext">Status: The certificate is trusted.</span>
<span id="LC212" class="line" lang="plaintext"></span>
<span id="LC213" class="line" lang="plaintext"></span>
<span id="LC214" class="line" lang="plaintext">Description: (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA256)</span>
<span id="LC215" class="line" lang="plaintext"></span>
<span id="LC216" class="line" lang="plaintext"></span>
<span id="LC217" class="line" lang="plaintext">Session ID: 40:09:5D:29:44:EF:64:E2:F0:71:31:30:53:59:97:E3:21:56:AB:50:AA:04:08:29:EB:08:EB:01:8A:F0:FF:47</span>
<span id="LC218" class="line" lang="plaintext"></span>
<span id="LC219" class="line" lang="plaintext"></span>
<span id="LC220" class="line" lang="plaintext">Version: TLS1.2</span>
<span id="LC221" class="line" lang="plaintext"></span>
<span id="LC222" class="line" lang="plaintext"></span>
<span id="LC223" class="line" lang="plaintext">Key Exchange: RSA</span>
<span id="LC224" class="line" lang="plaintext"></span>
<span id="LC225" class="line" lang="plaintext"></span>
<span id="LC226" class="line" lang="plaintext">Cipher: AES-256-CBC</span>
<span id="LC227" class="line" lang="plaintext"></span>
<span id="LC228" class="line" lang="plaintext"></span>
<span id="LC229" class="line" lang="plaintext">MAC: SHA256</span>
<span id="LC230" class="line" lang="plaintext"></span>
<span id="LC231" class="line" lang="plaintext"></span>
<span id="LC232" class="line" lang="plaintext">Compression: NULL</span>
<span id="LC233" class="line" lang="plaintext"></span>
<span id="LC234" class="line" lang="plaintext"></span>
<span id="LC235" class="line" lang="plaintext">Options: safe renegotiation,</span>
<span id="LC236" class="line" lang="plaintext"></span>
<span id="LC237" class="line" lang="plaintext"></span>
<span id="LC238" class="line" lang="plaintext">Channel binding 'tls-unique': dc551fc134a28bbffc427b0f</span>
<span id="LC239" class="line" lang="plaintext"></span>
<span id="LC240" class="line" lang="plaintext"></span>
<span id="LC241" class="line" lang="plaintext">Handshake was completed</span>
<span id="LC242" class="line" lang="plaintext"></span>
<span id="LC243" class="line" lang="plaintext"></span>
<span id="LC244" class="line" lang="plaintext">Simple Client Mode:</span>
<span id="LC245" class="line" lang="plaintext"></span>
<span id="LC246" class="line" lang="plaintext"></span>
<span id="LC247" class="line" lang="plaintext"></span></code></pre>
</details>
<details>
<summary>Handshake fails with version 3.6.5</summary>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"></span>
<span id="LC2" class="line" lang="plaintext">|<2>| Initializing needed PKCS #11 modules</span>
<span id="LC3" class="line" lang="plaintext">|<2>| p11: Initializing module: p11-kit-trust</span>
<span id="LC4" class="line" lang="plaintext">|<2>| p11: No login requested.</span>
<span id="LC5" class="line" lang="plaintext">|<2>| p11: No login requested.</span>
<span id="LC6" class="line" lang="plaintext">Processed 186 CA certificate(s).</span>
<span id="LC7" class="line" lang="plaintext">Resolving 'vpn.gateway.url'...</span>
<span id="LC8" class="line" lang="plaintext">Connecting to '123.123.123.123:443'...</span>
<span id="LC9" class="line" lang="plaintext">|<2>| system priority /etc/crypto-policies/back-ends/gnutls.config has not changed</span>
<span id="LC10" class="line" lang="plaintext">|<2>| resolved 'SYSTEM' to 'NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW', next ''</span>
<span id="LC11" class="line" lang="plaintext">|<2>| selected priority string: NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW</span>
<span id="LC12" class="line" lang="plaintext">|<2>| added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list</span>
<span id="LC13" class="line" lang="plaintext">|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)</span>
<span id="LC14" class="line" lang="plaintext">|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)</span>
<span id="LC15" class="line" lang="plaintext">|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)</span>
<span id="LC16" class="line" lang="plaintext">|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)</span>
<span id="LC17" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)</span>
<span id="LC18" class="line" lang="plaintext">|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)</span>
<span id="LC19" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)</span>
<span id="LC20" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)</span>
<span id="LC21" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)</span>
<span id="LC22" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)</span>
<span id="LC23" class="line" lang="plaintext">|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)</span>
<span id="LC24" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)</span>
<span id="LC25" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)</span>
<span id="LC26" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)</span>
<span id="LC27" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)</span>
<span id="LC28" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)</span>
<span id="LC29" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)</span>
<span id="LC30" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)</span>
<span id="LC31" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)</span>
<span id="LC32" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)</span>
<span id="LC33" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)</span>
<span id="LC34" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)</span>
<span id="LC35" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)</span>
<span id="LC36" class="line" lang="plaintext">|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)</span>
<span id="LC37" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)</span>
<span id="LC38" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)</span>
<span id="LC39" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)</span>
<span id="LC40" class="line" lang="plaintext">|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)</span>
<span id="LC41" class="line" lang="plaintext">|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)</span>
<span id="LC42" class="line" lang="plaintext">|<2>| Advertizing version 3.4</span>
<span id="LC43" class="line" lang="plaintext">|<2>| Advertizing version 3.3</span>
<span id="LC44" class="line" lang="plaintext">|<2>| Advertizing version 3.2</span>
<span id="LC45" class="line" lang="plaintext">|<2>| Advertizing version 3.1</span>
<span id="LC46" class="line" lang="plaintext">|<2>| HSK[0x564ec2cf90b0]: sent server name: 'vpn.gateway.url'</span>
<span id="LC47" class="line" lang="plaintext">*** Fatal error: A TLS fatal alert has been received.</span>
<span id="LC48" class="line" lang="plaintext">*** Received alert [40]: Handshake failed</span></code></pre>
<h2>
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p>3.6.5 -> fails
3.5.18 -> success (but outdated in Fedora repos)</p>
<h2>
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p>Fedora 29</p>
<h2>
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p>Steps to Reproduce:</p>
<ul>
<li>find an anyconnect vpn gateway v 4.6 that uses certs to user auth.</li>
<li>run the above commands</li>
</ul>
<h2>
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p>Handshake does not work</p>
<h2>
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p>Handshake does works</p>
<p>I am aware, that this seems to be a tricky one, so if you need anything from my side -> let me know</p>
<p>Thanks in advance</p></details>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/677">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/0b69f4b31ef117bee629c6fd72da9b8c/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/677"}}</script>
</p>
</div>
</body>
</html>