TPM support

Bug #1649227 reported by dwmw2
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
openconnect (Ubuntu) | Fix Released | Undecided | Mike Miller |

Bug Description

Please enable TPM and Yubikey support in the OpenConnect build.

$ openconnect -c .key.pem -k .key.tss vpn.example.com
POST https://vpn.example.com/
Attempting to connect to server [fec0::1]:443
This version of OpenConnect was built without TPM support
Loading certificate failed. Aborting.

Mike Miller (mtmiller) wrote :

I can certainly build with libpcsclite for Yubikey support.

Correct me if I'm wrong, but it looks to me like libtspi links with libssl, so we'd want to avoid linking that into libopenconnect.

Moreover, there is some OpenSSL 1.0 → 1.1 transition trouble at the moment, and the state of libtspi in Debian looks a little unstable at this point, so I'd rather avoid adding a dependency on it this close to the freeze.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openconnect (Ubuntu):
status: New → Confirmed
Mike Miller (mtmiller) wrote :

Yubikey support is enabled in the packaging repo, will be in the next release, either 7.07-3 or 7.08-1, whichever comes first.

https://anonscm.debian.org/cgit/collab-maint/openconnect.git/commit/?id=0649b9a1e1cbc3965a8847ff0c90653c1f3c4b9c

Changed in openconnect (Ubuntu):
assignee: nobody → Mike Miller (mtmiller)
status: Confirmed → In Progress
dwmw2 (dwmw2) wrote :

Isn't that true of Kerberos too? Or do you not build with GSSAPI support either? I really ought to add that to 'openconnect --version' output.

Perhaps when addressing the OpenSSL 1.1 build problems, we could port it to GnuTLS instead?

Mike Miller (mtmiller) wrote :

We do build with GSSAPI (as of 7.07-1), but I don't see any direct dependency from Kerberos to OpenSSL on Debian or Ubuntu systems, only if the (non-default) krb5-k5tls or krb5-pkinit plugins are installed.

So yeah, for now 7.08-1 will have Yubikey but still no TPM support.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openconnect - 7.08-1

---------------
openconnect (7.08-1) unstable; urgency=medium

  * New upstream version 7.08
    - Fix MTU detection (Closes: #847135)
  * d/libopenconnect5.{shlibs,symbols}: Update for new release
  * d/p/juniper-content-length.patch: Drop, applied upstream
  * d/p/fix-tests-shell-syntax.patch: Fix test suite shell bashisms
  * d/p/softhsm2-module-workaround.patch: Hard-code Debian location of
    libsofthsm2.so
  * d/control:
    - Add Build-Depends: libsocket-wrapper, libuid-wrapper, ocserv, openssl, and
      softhsm2 for test suite
    - Add Build-Depends: libpcsclite-dev to enable Yubikey support
      (LP: #1649227)
    - Add Build-Depends: dpkg-dev (>= 1.17.14) for build profiles support
    - Drop obsolete Build-Depends: liboath-dev
    - Reorder fields according to "cme fix dpkg-control"
  * Bump debhelper compatibility level to 10
  * Drop explicit dependency on dh-autoreconf and disabling silent rules, now
    enabled by default

 -- Mike Miller <email address hidden> Sat, 24 Dec 2016 10:50:15 -0800

Changed in openconnect (Ubuntu):
status: In Progress → Fix Released