[BUG] Fedora 36 - Openconnect csd-post gives empty document and indefinitely connects #274

Closed
Meister1593 opened this issue May 11, 2022 · 7 comments
Labels
bug Something isn't working f36 Related to Fedora 36 upstream Issue reported, fixed or related to upstream projects

Comments

@Meister1593

Meister1593 commented May 11, 2022

Describe the bug
Openconnect csd post wrapper used for anyconnect vpn service fails unexpectedly with empty document returned from vpn.

To Reproduce
I'm not sure if it's possible to replicate locally (requires vpn credentials), but I will at least try to replicate it the way I did

  1. Install Silverblue 36
  2. In terminal - sudo openconnect --user=user --csd-wrapper=/usr/libexec/openconnect/csd-post.sh hostname
  3. It will repeatedly try to connect and never actually establish vpn connection. It will also output
-:1.1: Document is empty

^
-:1.1: Document is empty

^

while trying to connect (only once)

Expected behavior
Openconnect has to establish connection and give login form to proceed further

OS version:

State: idle
BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
                   Version: 36.20220508.0 (2022-05-08T00:42:01Z)
                BaseCommit: dd4ac38b4030e0192777eef2c243f1b2a777f6d6526fd52b84f0a2ec2984b6bb
              GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
       RemovedBasePackages: firefox 100.0-2.fc36 gnome-software gnome-software-rpm-ostree 42.0-4.fc36 vim-minimal 2:8.2.4845-1.fc36
           LayeredPackages: corectrl distrobox fish fzf gnome-tweaks google-roboto-fonts langpacks-en materia-gtk-theme neofetch neovim openssl python-pip rpmfusion-free-release rpmfusion-nonfree-release steam-devices xdotool xinput
                            xmlstarlet-1.6.1-18.fc36.x86_64
             LocalPackages: logmein-hamachi-2.1.0.203-1.x86_64

Additional context
I recently moved from Kinoite 35 and there vpn worked perfectly fine.
I pinned that deployment in case something like this happened and on fresh user (I cleared configs and home data before installing silverblue) my own user before installing, kinoite 35 indeed works just fine with this vpn.

On silverblue I tried downgrading openconnect to the same version as on kinoite 35, but it still didn't work and had the same problem.
My assumption is that something is wrong with certificates but there are no errors about them, even if I place set -x in csd-post.sh (that I placed in home folder)

Also, there is xmlstarlet installed via overlays - this was kinda required for csd-post.sh script, it has fallback to use it without xmlstarlet but it also says that it might not work without it

@Meister1593 Meister1593 changed the title [BUG] Fedora 36 - Openconnect csd-post gives empty document and infinitely connects [BUG] Fedora 36 - Openconnect csd-post gives empty document and indefinitely connects May 11, 2022
@Meister1593
Author

Reverting to b816b72d315ef8cbf6973095cdb9f4a72182ed0d3ff8c9ac33fb088b77b77ce6 ostree commit from 19th February does not solve the issue either (it has openconnect 8.10-8)
I did it like so:
sudo ostree pull fedora:fedora/36/x86_64/silverblue --commit-metadata-only --depth=150
rpm-ostree deploy b816b72d315ef8cbf6973095cdb9f4a72182ed0d3ff8c9ac33fb088b77b77ce6

@Meister1593
Author

Reverting to least available commit 186e73f4d1fd8cefa68a065c57d8c6bbbb9cc91cc4cb19707a91d488ddc17927 (from February 9th) does not fix the issue either.

@Meister1593
Author

Meister1593 commented May 11, 2022

Reverting to silverblue 35 (a49552f262d00a173d1e7e8d57e2afdad348e0974d1d372e92884a1679adf8e8) fixes the issue completely.
I will stay on 35 until I have some sort of fix/workaround on 36, but I will keep 36 pinned for testing

@tpopela
Contributor

tpopela commented May 12, 2022

@Meister1593 would you mind reporting a bug in https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora against the openconnect component? I don't think that we will be able to help you here (we don't have the expertise).

@Meister1593
Author

> @Meister1593 would you mind reporting a bug in https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora against the openconnect component? I don't think that we will be able to help you here (we don't have the expertise).

Opened report on bugzilla

@travier travier added the f36 Related to Fedora 36 label Aug 19, 2022
@travier
Member

travier commented Aug 21, 2022

Closing this one as it has been reported upstream and will be tracked there and there is a workaround in https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1968467/comments/6.

@travier travier closed this as completed Aug 21, 2022
@travier travier added bug Something isn't working upstream Issue reported, fixed or related to upstream projects labels Aug 21, 2022
@drudoi

drudoi commented Dec 20, 2022

From https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1968467/comments/6 the following works for me:

$ cat > /tmp/openssl.conf <<EOF
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF

$ sudo OPENSSL_CONF=/tmp/openssl.conf openconnect <gateway> --csd-wrapper=/usr/lib/openconnect/csd-post.sh [other options]
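
A variant of the workaround in the comment above, as an added example that is not part of the original comment or of openconnect: it writes the same override to a private `mktemp` file instead of the fixed `/tmp/openssl.conf` path and removes it after the session, and it includes a check for whether a given OpenSSL config file enables the option. The function names and the temp-file name pattern are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from openconnect.
# The override is read by a root process (via sudo), so it is written to a
# private mktemp file rather than a fixed name in world-writable /tmp.

# Write the override from the comment above and print the file's path.
write_legacy_reneg_conf() {
    _conf=$(umask 077 && mktemp "${TMPDIR:-/tmp}/openssl-legacy.XXXXXX") || return 1
    cat > "$_conf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
    printf '%s\n' "$_conf"
}

# Return 0 if the OpenSSL config file "$1" enables the option on an active
# "Options =" line. Commented-out lines and the "-UnsafeLegacyRenegotiation"
# (disable) form do not count. Useful for confirming that the system-wide
# OpenSSL config was left untouched by the workaround.
enables_legacy_reneg() {
    grep -Eq '^[[:space:]]*Options[[:space:]]*=(.*[^-A-Za-z])?UnsafeLegacyRenegotiation' "$1"
}

# Run openconnect with the override applied to this one process only.
# All arguments are passed through, e.g.:
#   connect_with_override <gateway> --csd-wrapper=/usr/lib/openconnect/csd-post.sh
connect_with_override() {
    _path=$(write_legacy_reneg_conf) || return 1
    sudo OPENSSL_CONF="$_path" openconnect "$@"
    _rc=$?
    rm -f "$_path"   # drop the override once the VPN session ends
    return "$_rc"
}
```
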
