**Use TLS1.3 with Ocserv anyconnect on Debian**

Published 2019-04-27 (updated 2020-09-05). Source: https://www.ookangzheng.com/use-tls1-3-with-ocserv-anyconnect-on-debian/
I have already been using `ocserv` (AnyConnect) on my Debian Buster for a couple of months. Now I want to try upgrading Ocserv to support TLS1.3, so I decided to give it a try, and below are my results ~~ Enjoy

**Upgrade your `gnutls-bin` to 3.6.7**

```
# Install related dependencies
# Updated June 23, 2019

apt install libgnutls-dane0=3.6.7-4 libgnutls30=3.6.7-4 libunbound8=1.9.0-2 libc6=2.28-10 libhogweed4=3.4.1-1 libidn2-0=2.0.5-1 libnettle6=3.4.1-1 libp11-kit0=0.23.15-2 libtasn1-6=4.13-3 libunistring2=0.9.10-1

# Make sure `gnutls-bin` is up to date
apt upgrade gnutls-bin
```

**If you got a `libc-bin` error, here is my solution**

```
# ERROR:
dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: 2 expected program(s) not found in PATH or not executable.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

# SOLUTION:
nano /root/.bashrc

# inside .bashrc, paste this as the last line
export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin

# Save, then reload it
source /root/.bashrc

# Reinstall libc-bin
wget http://ftp.jp.debian.org/debian/pool/main/g/glibc/libc-bin_2.24-11+deb9u4_amd64.deb

dpkg -x libc-bin*.deb unpackdir/
cd unpackdir/sbin/
cp ldconfig /sbin/
apt install libc-bin

apt policy libc6   # If it says you need to have version >= 2.2x,
                   # do this:
apt install libc6=2.28-10
```

**Install latest `ocserv` version**

```
# check version
apt policy ocserv
# returns
ocserv:
  Installed: 0.12.2-3
  Candidate: 0.12.2-3
  Version table:
 *** 0.12.2-3 100
        90 http://deb.debian.org/debian sid/main amd64 Packages
        90 http://deb.debian.org/debian unstable/main amd64 Packages
       100 /var/lib/dpkg/status
     0.12.2-3~bpo9+1 100
       100 http://deb.debian.org/debian stretch-backports/main amd64 Packages

# Install the latest version
apt install ocserv=0.12.2-3

# Check installed version
ocserv -v
# returns
ocserv 0.12.2
Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.6.7
```

**Check your TLS connection**

```
# Use openssl to test
openssl s_client -connect myvon.com:443 -tls1_3

# returns
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xxx.com
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3743 bytes and written 589 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```

**Use Openconnect client on Mac**

```
# installation
brew install openconnect

# Export
export LDFLAGS="-L/usr/local/opt/libffi/lib"

# connection
sudo openconnect <vpn address:port>
```