Use TLS1.3 with Ocserv anyconnect on Debian

Edwardon

I already use ocserv Anyconnect on my Debian Bust for a couple of months. Now I want to try to upgrade Ocserv to support TLS1.3, So I decided to have a try and below are my result ~~ Enjoy

Upgrade your gnutls-bin to 3.6.7 

// Install related dependencies 
// Updated June 23,2019

apt install libgnutls-dane0=3.6.7-4 libgnutls30=3.6.7-4 libunbound8=1.9.0-2 libc6=2.28-10 libhogweed4=3.4.1-1 libidn2-0=2.0.5-1 libnettle6=3.4.1-1 libp11-kit0=0.23.15-2 libtasn1-6=4.13-3 libunistring2=0.9.10-1

// Make sure `gnutls-bin` is up to date
apt upgrade gnutls-bin

If you got libc-bin error here are my solution

ERROR: 
dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: 2 expected program(s) not found in PATH or not executable.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

SOLUTION:
nano /root/.bashrc

// inside .bashrc last line paste this 
export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin

// Save and restart
source /root/.bashrc

// Resintall libc-bin
wget http://ftp.jp.debian.org/debian/pool/main/g/glibc/libc-bin_2.24-11+deb9u4_amd64.deb

dpkg -x libc-bin*.deb unpackdir/
cd unpackdir/sbin/
cp ldconfig /sbin/
apt install libc-bin

apt policy libc6 // If it said you need to have version >= 2.2x
// do this

apt install libc6=2.28-10

Install latest ocserv version 

// check version 
apt policy ocserv
// return
ocserv:
  Installed: 0.12.2-3
  Candidate: 0.12.2-3
  Version table:
 *** 0.12.2-3 100
         90 http://deb.debian.org/debian sid/main amd64 Packages
         90 http://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12.2-3~bpo9+1 100
        100 http://deb.debian.org/debian stretch-backports/main amd64 Packages

// Install with latest version
apt install ocserv=0.12.2-3

// Check installed version
ocserv -v 
// return
ocserv 0.12.2
Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.6.7

Check your TLS connection

// Use openssl to test
openssl s_client -connect myvon.com:443 -tls1_3

// return 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xxx.com
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3743 bytes and written 589 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Use Openconnect client on Mac

// installation
brew install openconnect

// Export 
export LDFLAGS="-L/usr/local/opt/libffi/lib"

// connection
sudo openconnect <vpn address:port>

Use Openconenct GUI client on Windows

// Download GUI client for Windows
https://github.com/openconnect/openconnect-gui/releases/latest

Cisco anyconnect client

CN route

  1. https://github.com/CNMan/ocserv-cn-no-route/tree/master/tmp

References

  1. https://gitlab.com/openconnect/ocserv/issues/207
  2. http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html
  3. https://sourcedigit.com/23234-apt-get-install-specific-version-of-package-ubuntu-apt-get-list/
  4. https://unix.stackexchange.com/questions/160019/dpkg-cannot-find-ldconfig-start-stop-daemon-in-the-path-variable
  5. https://visualplanet.org/blog/?p=427
  6. https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt
  7. https://github.com/johnshajiang/blog/wiki/Exploring-TLS-1.3-with-OpenSSL-1.1.1
  8. https://segmentfault.com/a/1190000011530974
  9. https://painso.com/2016/06/03/ocserv-install-usage/