SSL handshake failed - VPN SSL broken in 22.04

Bug #1960268 reported by suoko
This bug affects 11 people
Affects: openssl (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm trying to connect with global protect VPN but fails at login with:

SSL handshake failed
Failed to load URL https://...
QtNetwork Error 6

Another VPN client does work but the rdp connection to a remote server fails with:

transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED
---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu76
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
DistroRelease: Ubuntu 21.10
InstallationDate: Installed on 2021-03-19 (325 days ago)
InstallationMedia: Kubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
Package: openssl 3.0.1-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
Tags: wayland-session impish
Uname: Linux 5.15.0-18-generic x86_64
UpgradeStatus: Upgraded to impish on 2022-02-04 (3 days ago)
UserGroups: adm cdrom dialout dip docker input lpadmin lxd plugdev sambashare sudo uinput
_MarkForUpload: True
---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu76
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
DistroRelease: Ubuntu 22.04
InstallationDate: Installed on 2021-03-19 (325 days ago)
InstallationMedia: Kubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
Package: openssl 3.0.1-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
Tags: wayland-session jammy
Uname: Linux 5.15.0-18-generic x86_64
UpgradeStatus: Upgraded to jammy on 2022-02-04 (3 days ago)
UserGroups: adm cdrom dialout dip docker input lpadmin lxd plugdev sambashare sudo uinput
_MarkForUpload: True

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1960268/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Revision history for this message
suoko (suoko) wrote :

It's not related to a package because it seems a generic SSL problem which was not occurring before upgrading to 22.04.
I suspect something is broken in Qt

Revision history for this message
suoko (suoko) wrote :

I see 22.04 has openssl3, maybe that's the culprit?

suoko (suoko)
affects: ubuntu → qtwebkit-opensource-src (Ubuntu)
Revision history for this message
suoko (suoko) wrote : Dependencies.txt

apport information

affects: qtwebkit-opensource-src (Ubuntu) → openssl (Ubuntu)
tags: added: apport-collected impish wayland-session
description: updated
Revision history for this message
suoko (suoko) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
suoko (suoko) wrote : ProcEnviron.txt

apport information

Revision history for this message
suoko (suoko) wrote : Dependencies.txt

apport information

tags: added: jammy
description: updated
Revision history for this message
suoko (suoko) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
suoko (suoko) wrote : ProcEnviron.txt

apport information

Revision history for this message
suoko (suoko) wrote :

The solution here https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1952977 solves the problem

https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1952977/+attachment/5544787/+files/libqt5network5_5.15.2+dfsg-13_amd64.deb

/usr/lib/x86_64-linux-gnu/libQt5Network.so.5.15.2
replacing that file with the old version makes stuff work again

Revision history for this message
suoko (suoko) wrote :

Remmina appimage works correctly, so a workaround is available

Revision history for this message
Simon Chopin (schopin) wrote :

@suoko: could you retry with the current version from jammy (22.04)? The Qt packages have been updated a couple of weeks ago with better OpenSSL 3 support, which hopefully fixes your issue?

Revision history for this message
suoko (suoko) wrote :

@simon
unfortunately the bug is still there

Revision history for this message
Simon Chopin (schopin) wrote :

Could you clarify what exactly you are trying to achieve? You mention both a VPN and the RDP protocol. Knowing exactly which software you're using could help us track down some more logs to know more about the failure. Without more information there isn't much we can do.

Revision history for this message
suoko (suoko) wrote :

Clarify???
I clearly mention Global Protect VPN, it's closed software from Palo Alto, and it doesn't work.

Revision history for this message
Simon Chopin (schopin) wrote :

I'm sorry, I still don't understand. Is Global Protect VPN a piece of software that runs on your Ubuntu install? Do you use Remmina on top of that, or is it a potential replacement? Which application is the one emitting the handshake error?

Changed in openssl (Ubuntu):
status: New → Incomplete
Revision history for this message
suoko (suoko) wrote :

Global Protect VPN is a VPN client (like openvpn) which connects your desktop to a VPN.
After you're connected you can access some remote PCs via rdp, and I used to use remmina to do that

Revision history for this message
suoko (suoko) wrote :

Now with latest update to x86_64-linux-gnu/libQt5Network.so.5.15.3 there's no hack available anymore

Revision history for this message
tallagrand (tallagrand-thierry) wrote :

we have quite the same problem in 22.04

we use openvpn client with PKI

Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11_terminate - entered
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_terminate entry
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Terminating openssl
Apr 13 16:51:56 openvpn[12898]: PKCS#11: _pkcs11h_openssl_terminate
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Removing providers
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_removeProvider entry reference='/usr/lib/libeToken.so'
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Removing provider '/usr/lib/libeToken.so'
Apr 13 16:51:56 vpn-manager[12866]: recv: >STATE:1649861516,EXITING,init_instance,,,,,
Apr 13 16:51:56 openvpn[12898]: PKCS#11: _pkcs11h_slotevent_notify entry
Apr 13 16:51:56 openvpn[12898]: PKCS#11: _pkcs11h_slotevent_notify return
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK'
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Releasing sessions
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55c6e7e9a0b0
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_token_freeTokenId return
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=(nil)
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Terminating slotevent
Apr 13 16:51:56 openvpn[12898]: PKCS#11: _pkcs11h_slotevent_terminate entry
Apr 13 16:51:56 openvpn[12898]: PKCS#11: _pkcs11h_slotevent_terminate return
Apr 13 16:51:56 openvpn[12898]: PKCS#11: Marking as uninitialized
Apr 13 16:51:56 openvpn[12898]: PKCS#11: pkcs11_terminate - return

but TLS seems to be expected SSLv3

Apr 13 16:51:54 openvpn[12898]: Incoming Ciphertext -> TLS
Apr 13 16:51:54 openvpn[12898]: SSL state (connect): SSLv3/TLS read server certificate
Apr 13 16:51:54 openvpn[12898]: SSL alert (write): fatal: internal error
Apr 13 16:51:54 openvpn[12898]: OpenSSL: error:0A0C0103:SSL routines::internal error
Apr 13 16:51:54 openvpn[12898]: TLS_ERROR: BIO read tls_read_plaintext error
Apr 13 16:51:54 openvpn[12898]: TLS Error: TLS object -> incoming plaintext read error
Apr 13 16:51:54 openvpn[12898]: TLS Error: TLS handshake failed

dpkg -l | grep openvpn
ii network-manager-openvpn 1.8.18-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.8.18-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii openvpn 2.5.5-1ubuntu3 amd64 virtual private network daemon

dpkg -l | grep openssl
ii libengine-pkcs11-openssl:amd64 0.4.11-1build3 amd64 OpenSSL engine for PKCS#11 modules
ii libxmlsec1-openssl:amd64 1.2.33-1build2 amd64 Openssl engine for the XML security library
ii openssl 3.0.2-0ubuntu1 amd64 Secure Sockets Layer toolk...


Revision history for this message
tallagrand (tallagrand-thierry) wrote :

uname -a
Linux yd-vmc54aadcd 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
dpkg -l | grep safenet
ii safenetauthenticationclient-core 10.7.77-1ubuntu1 amd64 SAC PKCS#11 middleware

Revision history for this message
tallagrand (tallagrand-thierry) wrote :

we use gnome not kde

ii gnome-desktop3-data 42.0-1ubuntu1 all Common files for GNOME desktop apps

Revision history for this message
Simon Chopin (schopin) wrote : Re: [Bug 1960268] Re: SSL handshake failed - VPN SSL broken in 22.04

Hi!

Could you run the following command on your server certificate?

openssl x509 -in $SERVER_CRT -text | grep -i algorithm

With the new OpenSSL version, older certificates with SHA1 digests are now invalid by default.

Revision history for this message
tallagrand (tallagrand-thierry) wrote :

sorry for the delay
openssl x509 -in olps.crt -text | grep -i algorithm
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
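
Added example, not code from the thread or from Ubuntu: a small shell check that performs the algorithm inspection asked for above and flags the digests OpenSSL 3 no longer accepts in certificate signatures at its default security level (MD2, MD4, MD5, SHA-1). It reads the output of "openssl x509 -text" on stdin, so it also runs with no certificate at hand; the two embedded dumps are constructed for this example, one mirroring the sha256 answer above and one with a SHA-1 signature. The function names are mine.

```sh
#!/bin/sh
# Added example (not from the bug thread): classify the signature digest of a
# certificate from an "openssl x509 -text" dump.
# On a real file:   openssl x509 -in server.crt -noout -text | check_cert_dump

# Constructed sample dumps (not real certificates).
SAMPLE_SHA256_DUMP='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption'
SAMPLE_SHA1_DUMP='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha1WithRSAEncryption'

# Print the outer signature algorithm. A -text dump shows the algorithm twice
# (once inside the to-be-signed part, once for the signature itself); the
# last line is the signature that a verifier actually checks.
sig_algorithm() {
    grep -i 'Signature Algorithm:' | tail -n 1 | sed 's/^.*Signature Algorithm: *//'
}

# Return 0 when the algorithm name starts with a digest OpenSSL 3 rejects in
# certificate signatures at security level 1 (its default), 1 otherwise.
is_weak_digest() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md2*|md4*|md5*|sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a dump on stdin and print "OK <alg>" or "WEAK <alg>".
check_cert_dump() {
    alg=$(sig_algorithm)
    if is_weak_digest "$alg"; then
        printf 'WEAK %s\n' "$alg"
    else
        printf 'OK %s\n' "$alg"
    fi
}

# Demo over the two constructed dumps.
printf '%s\n' "$SAMPLE_SHA256_DUMP" | check_cert_dump
printf '%s\n' "$SAMPLE_SHA1_DUMP" | check_cert_dump
```

A certificate that prints WEAK here is what makes the handshake fail regardless of renegotiation settings, and the fix is reissuing the certificate, not lowering the security level. A certificate that prints OK, as in the reply above, rules this cause out.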

Revision history for this message
Simon Chopin (schopin) wrote :

@tallagrand, the certificate looks correct. I think your issue might be with the smartcard support, so either in opensc or openvpn.

Either way, could you open a new issue? This is not the same problem as OP.

Revision history for this message
Simon Chopin (schopin) wrote :

@suoko please contact your VPN provider, as their client might not be compatible with OpenSSL 3.0. There isn't much we can do on our end.

Revision history for this message
suoko (suoko) wrote (last edit ):

I found this solution:

0) sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0 && pip3 install https://github.com/dlenski/gp-saml-gui/archive/master.zip

1) Create ~/ssl.conf

openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation

2) Create and run GlobalProtectPortal.sh

eval $(OPENSSL_CONF=~/ssl.conf gp-saml-gui --portal --clientos=Windows YOUR_PORTAL_URL)

2.1) Search the results of above command for "SAML response converted to OpenConnect command line invocation:" and run it

3) Search the results of above command for one gateway

4) Create and run /usr/local/bin/GlobalProtectGateway.sh

eval $(OPENSSL_CONF=~/ssl.conf gp-saml-gui --gateway --clientos=Windows ONE_OF_THE_GATEWAYS_YOU_FOUND_ABOVE)

5) Search the results of above command for:

SAML response converted to OpenConnect command line invocation:

   echo SOME_COOKIE_TOKEN |
       sudo openconnect --protocol=gp --user=YOUR_USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin ONE_OF_THE_GATEWAYS

6) Run the above command line invocation

Revision history for this message
Michaël Arnauts (michael-arnauts) wrote :

I'm seeing the same issue since upgrading to 22.04. Running it through the command line as indicated above works fine, so it's probably not an issue with the VPN provider.

Revision history for this message
Simon Chopin (schopin) wrote :

Actually, it *is* an issue with the VPN provider. The OpenSSL developers have made a deliberate decision not to enable insecure renegotiation anymore, see this commit for more details:

https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3

Note that this change is mentioned in the upstream migration guide:

https://www.openssl.org/docs/manmaster/man7/migration_guide.html

Revision history for this message
suoko (suoko) wrote :

The gpclient GUI works too.
OPENSSL_CONF=~/ssl.conf gpclient
Enter a valid gateway URL instead of the portal URL

Revision history for this message
Antonio Gutiérrez Mayoral (agutierr-gmail) wrote :

The solution given by @suoko works fine. Thank you so much!!!!!!!!!!!!!

Revision history for this message
Kelly Schoenhofen (kelly-schoenhofen) wrote :

I upgraded 21.10 to 22.04 and openssl 3 "broke" globalprotect 6.0.0.44.
I was able to follow suoko's solution as-is until step #5, it would never return a value, I couldn't successfully finish authenticating. I installed gpclient and had the same issue (authentication error), ultimately I went the route of degrading openssl 3 system wide, enabling UnsafeLegacyRenegotiation via system's openssl.cnf, e.g.:

sudo pico /usr/lib/ssl/openssl.cnf

[openssl_init]
+ssl_conf = ssl_sect

# add the following right beneath it:
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

And a reboot later globalprotect is working again. I assume the real fix is for paloalto to address this in new release of globalprotect.

Revision history for this message
Fernando Ruiz (fru1z) wrote (last edit ):

I use this version: PanGPLinux-5.3.2-c3

To make it work for me in this version, I modified the configuration file: /usr/lib/ssl/openssl.cnf

and commented out the following section:

---------------------------------------------

# [openssl_init]
# providers = provider_sect

---------------------------------------------

and added this new section just below the section I commented out earlier:

---------------------------------------------

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

---------------------------------------------

Restart GlobalProtect and you're ready!

It is very similar to the solution of @kelly-schoenhofen, thank you!!
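
Added example, not code from the thread, from Ubuntu or from Palo Alto: the edits in the two posts above put UnsafeLegacyRenegotiation into /usr/lib/ssl/openssl.cnf, which every OpenSSL 3 consumer on the host reads (curl, wget, apt's https transport, openvpn, Python, and so on), so all of them silently accept pre-RFC 5746 renegotiation afterwards. The earlier ~/ssl.conf plus OPENSSL_CONF approach scopes the same setting to one process. The script below writes that scoped file in full, keeping the providers section that the stock OpenSSL 3 file loads from [openssl_init] alongside the ssl_conf key in the same section, and runs a single command under it. The function names and the file location are my choices; the section and key names are the ones used in the thread and in the default OpenSSL 3 openssl.cnf.

```sh
#!/bin/sh
# Added example (not from the bug thread): confine the UnsafeLegacyRenegotiation
# workaround to one process instead of editing /usr/lib/ssl/openssl.cnf.
# Usage:  write_scoped_openssl_conf "$HOME/gp-openssl.cnf"
#         run_with_legacy_renego "$HOME/gp-openssl.cnf" gpclient

# Write a complete, self-contained config to the path in $1. Both keys live in
# a single [openssl_init] section, so the default provider still loads and the
# ssl_conf section is applied to every SSL_CTX created by the process.
write_scoped_openssl_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# The only deviation from OpenSSL 3 defaults: accept servers that do not
# send the RFC 5746 renegotiation_info extension.
Options = UnsafeLegacyRenegotiation
EOF
}

# Run one command with the scoped config; nothing else on the host changes.
run_with_legacy_renego() {
    conf=$1
    shift
    OPENSSL_CONF="$conf" "$@"
}

# Self-check helper: true when key $2 is set somewhere in config file $1.
conf_has_key() {
    grep -q "^$2[[:space:]]*=" "$1"
}
```

Because the file only affects the process started through run_with_legacy_renego, the rest of the system keeps refusing legacy renegotiation, and the workaround can be dropped by deleting one file once the VPN client or gateway is fixed.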

Revision history for this message
Tim Blackmore (fywsu) wrote :

Same issue:

PanGPLinux-5.3.2-c3 broke after upgrade to Ubuntu 22.04

above solution from Fernando worked for me.

thanks @fru1z and @kelly-schoenhofen

Revision history for this message
Sebastien Bacher (seb128) wrote :

the update on https://launchpad.net/ubuntu/+source/wpa/2:2.10-6ubuntu1 which allows legacy renegotiation by default might fix some of the issues reported on this bug

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Marbug (marbug) wrote :

Had the same issue, the suggestion from Fernando Ruiz (fru1z) fixed my problem as well:

Edited /usr/lib/ssl/openssl.cnf
And just added to the system_default_sect section
Options = UnsafeLegacyRenegotiation

I am using Linux Mint 21 (vanessa)

Revision history for this message
Joffrey (pangoramix) wrote :

Hello there!

Same issue for me on Ubuntu 22.04, the suggestion from Fernando Ruiz (fru1z) fixed my problem too.

Edited /usr/lib/ssl/openssl.cnf and just added:

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Revision history for this message
dragu stelian (dragu-stelian) wrote :

Hi everyone!

Same issue on Ubuntu Server 22.04, unfortunately the suggestion from Fernando Ruiz (fru1z) doesn't work.
When I try to connect from the local network everything is ok, I am connected to the VPN, but when I try from another network it doesn't work.
See attachment.

Revision history for this message
Simon Chopin (schopin) wrote :

@dragu-stelian, you do not have the same issue. Looking at your logs, it seems your client cannot reach your server over the network. This is not related to openssl. If it were, the issue would manifest no matter from where you're attempting to connect.

Revision history for this message
Oscar A Usuga N (ousug4n) wrote :

I have upgraded to Ubuntu 22.04.1 LTS and have GlobalProtect 5.1.6-6.

I followed @fru1z instructions and fixed the issue. Thanks!

Revision history for this message
John Burnham (jbtcjohnb) wrote :

I too have upgraded to Ubuntu 22.04 and have GlobalProtect 5.2.6-18 and @fru1z's instructions above helped me correct the issue. Thank you!

Hopefully PAN will get this fixed in an updated version.

Revision history for this message
Michael Timblin (mjtimblin) wrote :

The comment by @fru1z (#32) worked for me on Ubuntu 22.04 with GlobalProtect 5.3.1-36. Be sure to comment out the line mentioned in the instructions. Adding the "Options = UnsafeLegacyRenegotiation" line by itself did not work for me.

Revision history for this message
Paul Nickerson (like-last-yesterday-final) wrote :

If anyone arrived here looking for a solution for Fedora, here it is:

Edit /etc/crypto-policies/back-ends/opensslcnf.config
Add this line before [openssl_init]:
Options = UnsafeLegacyRenegotiation

If you're wondering why this is needed, take your GlobalProtect portal address and check it at https://www.ssllabs.com/ssltest
"There is no support for secure renegotiation" is what you're working around.

I'm running Palo Alto Networks GlobalProtect 6.0.4-28 (UI version) on Fedora Linux 37 (Workstation Edition).
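
Added example, not from the thread: a local equivalent of the SSL Labs check quoted above. "openssl s_client" prints a "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported" line after a TLS 1.2 handshake, derived from the RFC 5746 renegotiation_info extension; a gateway reporting IS NOT supported is exactly the one OpenSSL 3 refuses unless UnsafeLegacyRenegotiation is set. The script classifies captured s_client output and wraps the live probe. The two S_CLIENT_* samples are constructed, trimmed to the lines that matter; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the bug thread): tell whether a TLS server supports
# RFC 5746 secure renegotiation, i.e. whether it needs the legacy flag at all.
# Live use:  probe_renego vpn.example.com:443   (hostname is a placeholder)

# Constructed excerpts of "openssl s_client" output (not captured from a real host).
S_CLIENT_LEGACY='---
No client certificate CA names sent
---
SSL handshake has read 3012 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
Compression: NONE'
S_CLIENT_SECURE='---
SSL handshake has read 2994 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: NONE'

# Classify s_client output read from stdin: prints "legacy-only", "secure"
# or "unknown" (no handshake summary at all, e.g. connection refused).
renego_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo legacy-only
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
    else
        echo unknown
    fi
}

# Live probe of host:port. -tls1_2 forces a TLS 1.2 handshake: TLS 1.3
# removed renegotiation entirely, so its summary line says nothing about
# whether the server's TLS 1.2 stack (the one the VPN client ends up using)
# carries the extension. Needs network access; the tests only use the samples.
probe_renego() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -tls1_2 </dev/null 2>/dev/null | renego_status
}

# Demo over the constructed samples.
printf '%s\n' "$S_CLIENT_LEGACY" | renego_status
printf '%s\n' "$S_CLIENT_SECURE" | renego_status
```

A "legacy-only" result confirms the gateway side is what needs fixing, and the same probe, run again after the vendor updates it, tells you when the UnsafeLegacyRenegotiation workaround can be removed.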

Revision history for this message
bob (usernameshmusername) wrote :

Can confirm that fix by fru1z #32 works with GlobalProtect 6.0.5-12 running on 22.04! Thanks!

Revision history for this message
Ruben (fuxjezz) wrote :

Workaround mentioned in #32 by fru1z works like a charm on several Ubuntu 22.04 Gnome-Shell/Wayland installs (.deb install of GlobalProtect_UI_deb-6.0.0.1-44.deb), thanks for sharing it!

Revision history for this message
Antonio (acardh) wrote :

There is an update in the following link and it worked for me:
https://devicetests.com/fix-global-protect-vpn-ssl-handshake-failed-error-ubuntu

The instructions are easy to follow.

Revision history for this message
serck david (serckdavid) wrote :

I confirm the workaround mentioned in #32 works on Debian 12 with GlobalProtect UI version 6.1.2-82
