Bug#980513: libgnutls30: _gnutls_sort_clist Assertion with openconnect GlobalProtect VPN
Matthew Chandler
tardarsauce at gmail.com
Thu Jan 21 01:29:25 GMT 2021
I've never used gnutls-cli before, and I'm not at all sure what
openconnect is doing internally to match that behaviour, but it appears
that I can reproduce w/ -cli
$ gnutls-cli "<url>"
Processed 126 CA certificate(s).
Resolving '<url>:443'...
Connecting to '<ip>:443'...
- Certificate type: X.509
- Got a certificate list of 7 certificates.
- Certificate[0] info:
- subject
`CN=<url>,OU=<ou>,O=<o>,street=<street>,L=<city>,ST=<state>,postalCode=<post>,C=US',
issuer `CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann
Arbor,ST=MI,C=US', serial <serial>, RSA key 2048 bits, signed using
RSA-SHA256, activated `2020-08-07 00:00:00 UTC', expires `2021-08-07
23:59:59 UTC', pin-sha256="<pin>="
Public Key ID:
<id SHAs>
Public Key PIN:
<pin SHA>
- Certificate[1] info:
- subject `CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann
Arbor,ST=MI,C=US', issuer `CN=USERTrust RSA Certification
Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US',
serial <serial>, RSA key 2048 bits, signed using RSA-SHA384, activated
`2014-10-06 00:00:00 UTC', expires `2024-10-05 23:59:59 UTC',
pin-sha256="<pin>="
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AAA Certificate
Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB',
serial <serial>, RSA key 4096 bits, signed using RSA-SHA384, activated
`2019-03-12 00:00:00 UTC', expires `2028-12-31 23:59:59 UTC',
pin-sha256="<pin>"
- Certificate[3] info:
- subject `CN=AAA Certificate Services,O=Comodo CA
Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AAA
Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater
Manchester,C=GB', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1
(broken!), activated `2004-01-01 00:00:00 UTC', expires `2028-12-31
23:59:59 UTC', pin-sha256="<pin>"
- Certificate[4] info:
- subject `CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann
Arbor,ST=MI,C=US', issuer `CN=USERTrust RSA Certification
Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US',
serial <serial>, RSA key 2048 bits, signed using RSA-SHA384, activated
`2014-10-06 00:00:00 UTC', expires `2024-10-05 23:59:59 UTC',
pin-sha256="<pin>"
- Certificate[5] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AAA Certificate
Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB',
serial <serial>, RSA key 4096 bits, signed using RSA-SHA384, activated
`2019-03-12 00:00:00 UTC', expires `2028-12-31 23:59:59 UTC',
pin-sha256="<pin>"
- Certificate[6] info:
- subject `CN=AAA Certificate Services,O=Comodo CA
Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AAA
Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater
Manchester,C=GB', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1
(broken!), activated `2004-01-01 00:00:00 UTC', expires `2028-12-31
23:59:59 UTC', pin-sha256="<pin>"
gnutls-cli: ../../../lib/x509/common.c:1794: _gnutls_sort_clist:
Assertion `k == clist_size' failed.
Aborted
Let me know if you need this run with different arguments.
On 1/20/21 3:12 AM, Andreas Metzler wrote:
> On 2021-01-20 Matt <tardarsauce at gmail.com> wrote:
>> Package: libgnutls30
>> Version: 3.7.0-5
> [...]
>> After an upgrade to 3.7.0-5, I can no longer connect to a
>> GlobalProtect VPN with openconnect.
>> This is the output from a connection attempt (with identifying
>> information removed):
>> $ sudo openconnect --protocol gp -u <username> <url>
>> POST https://<url>/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
>> Connected to <ip>:443
>> SSL negotiation with <url>
> [...]
>
> Can this be reproduced with gnutls-cli?
>
> cu Andreas
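The gnutls-cli output above lists seven certificates, with entries [4] through [6] repeating [1] through [3], and a self-signed RSA-SHA1 root included twice, before the `k == clist_size` assertion fires. The following Python is an added example, not code from GnuTLS, openconnect or this bug thread: it takes a server-supplied chain, reports duplicated entries, orders the unique certificates leaf-first by following issuer links, and flags weak signature algorithms, so that an operator can see what is odd about a chain without the TLS library aborting. The certificate entries are constructed from the subject and issuer lines printed above, keeping the report's `<...>` placeholders; the thread does not establish that the duplicates are what trips the assertion, so the linter only makes them visible.

```python
"""Lint a server-supplied X.509 chain (as printed by gnutls-cli) for problems
a chain-sorting routine may not tolerate: duplicated entries, an included
self-signed root, and weak signature algorithms.

Added example; not code from GnuTLS, openconnect or the Debian report."""

from dataclasses import dataclass

WEAK_SIG_ALGS = {"RSA-MD5", "RSA-SHA1", "DSA-SHA1", "ECDSA-SHA1"}


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    serial: str
    sig_alg: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


INCOMMON = "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US"
USERTRUST = ("CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,"
             "L=Jersey City,ST=New Jersey,C=US")
AAA = "CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"

# Constructed to mirror the 7-entry list in the gnutls-cli output above:
# entries [4], [5], [6] repeat [1], [2], [3]. Serials are placeholders, as in
# the report; the root's serial 0x01 is the one value the report shows.
CHAIN = [
    CertInfo("CN=<url>,OU=<ou>,O=<o>,C=US", INCOMMON, "<serial-leaf>", "RSA-SHA256"),
    CertInfo(INCOMMON, USERTRUST, "<serial-incommon>", "RSA-SHA384"),
    CertInfo(USERTRUST, AAA, "<serial-usertrust>", "RSA-SHA384"),
    CertInfo(AAA, AAA, "0x01", "RSA-SHA1"),
    CertInfo(INCOMMON, USERTRUST, "<serial-incommon>", "RSA-SHA384"),
    CertInfo(USERTRUST, AAA, "<serial-usertrust>", "RSA-SHA384"),
    CertInfo(AAA, AAA, "0x01", "RSA-SHA1"),
]


def find_duplicates(chain):
    """Return (first_index, duplicate_index) pairs for repeated certificates.
    Issuer plus serial identifies a certificate uniquely under X.509."""
    seen, dups = {}, []
    for i, c in enumerate(chain):
        key = (c.issuer, c.serial)
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups


def dedupe(chain):
    """Keep the first occurrence of every certificate, in the order sent."""
    drop = {dup for _, dup in find_duplicates(chain)}
    return [c for i, c in enumerate(chain) if i not in drop]


def order_chain(chain):
    """Order the unique certificates leaf-first by following issuer links.
    Returns (ordered, leftovers); leftovers could not be linked from the leaf."""
    unique = dedupe(chain)
    issuers = {c.issuer for c in unique if not c.self_signed}
    leaves = [c for c in unique if c.subject not in issuers]
    if len(leaves) != 1:          # no unambiguous end-entity certificate
        return [], unique
    ordered = [leaves[0]]
    while not ordered[-1].self_signed:
        nxt = next((c for c in unique
                    if c.subject == ordered[-1].issuer and c not in ordered), None)
        if nxt is None:           # chain stops short of a self-signed root
            break
        ordered.append(nxt)
    return ordered, [c for c in unique if c not in ordered]


def lint_chain(chain):
    """Summarise what is unusual about the chain instead of aborting on it."""
    unique = dedupe(chain)
    ordered, leftovers = order_chain(chain)
    return {
        "duplicates": find_duplicates(chain),
        "ordered_subjects": [c.subject for c in ordered],
        "unlinked": [c.subject for c in leftovers],
        "root_included": bool(ordered) and ordered[-1].self_signed,
        # A self-signed root's own signature is never verified during path
        # validation, so a weak algorithm there is only noise; on any other
        # link it is a real weakness and is reported separately.
        "weak_signature": [c.subject for c in unique
                           if c.sig_alg in WEAK_SIG_ALGS and not c.self_signed],
        "weak_root_signature": [c.subject for c in unique
                                if c.sig_alg in WEAK_SIG_ALGS and c.self_signed],
    }


if __name__ == "__main__":
    for key, value in lint_chain(CHAIN).items():
        print(f"{key}: {value}")
```

Run against the constructed chain this reports three duplicate pairs, a four-certificate ordered path ending in the included AAA root, no unlinked certificates, and the RSA-SHA1 signature only on the self-signed root. Feeding `dedupe(CHAIN)` to a TLS client in place of the raw list is the operator-side workaround the linter suggests when a server cannot be fixed promptly; the real fix is on the server, which should send each certificate once.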