Public bug reported: Works in Ubuntu 18.04, fails in 18.10 and the upcoming 19.04. Appears to be a problem with a cipher no longer included, maybe? See here, as it's not just ubuntu that is having this issue:
https://www.reddit.com/r/Fedora/comments/a6hc0c/help_networkmanger_w_openconnect_gives_a_tls_error/ I've removed information about the VPN host. I can disclose that it is a Cisco AnyConnect VPN service. OpenConnect output: POST https://vpn-host.tld/ Attempting to connect to server xxxxxx:443 Connected to xxxxxx:443 SSL negotiation with vpn-host.tld SSL connection failure: A TLS fatal alert has been received. Failed to open HTTPS connection to vpn-host.tld gnutls-cli output: $ gnutls-cli -V vpn-host.tld Processed 128 CA certificate(s). Resolving 'vpn-host.tld:443'... Connecting to 'xxxxxx:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed $ gnutls-cli -d 2 vpn-host.tld Processed 128 CA certificate(s). Resolving 'vpn-host.tld:443'... Connecting to 'xxxxxx:443'... |<2>| added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list |<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384) |<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256) |<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256) |<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256) |<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384) |<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305) |<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM) |<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1) |<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256) |<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM) |<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1) |<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384) |<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305) |<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1) |<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256) |<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1) |<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384) |<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM) |<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) |<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256) |<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM) |<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1) |<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384) |<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305) |<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM) |<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) |<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256) |<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM) |<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) |<2>| Advertizing version 3.4 |<2>| Advertizing version 3.3 |<2>| Advertizing version 3.2 |<2>| Advertizing version 3.1 |<2>| HSK[0x5649deb82390]: sent server name: 'vpn-host.tld' *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed ** Affects: kinit (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1822467 Title: OpeonConnect fails with generic TLS Fatal Alert Error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kinit/+bug/1822467/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
