Benjamin W. Smith

Benjamin W. Smith  //  Sysadmin by trade, Pythonista by passion. Dad to two boys and a girl. Guitarist. I like my coffee black, just like my metal.

Feb 3 / 10:59pm

Facebook SSL All-The-Effin-Time (mostly)

This evening I found out that either someone hacked my Facebook, or my phone network routed me through Tampa, FL (I've seen something similar before, just not so far away). Regardless, I have to say that Facebook seems to have fairly decent security mechanisms.

That being said, I can't stress enough how important it is to make sure you're as secure as you can be on Facebook, so here is how to turn SSL on all-the-effin-time (except with some apps/games that don't support it, *le sigh*).

 

  • Visit: https://www.facebook.com/editaccount.php
  • Next to 'Account Security', click 'change'.
  • Under 'Secure Browsing (https)', click the 'Browse Facebook on a secure connection (https) whenever possible' check box.
  • Now click 'Save'.

 

There, doesn't that feel better?

To be honest, it was probably my weak-ass password (for shame!), and not browsing over a non-SSL connection, that got my account compromised, but this is important and you shouldn't hesitate to do it.

Hopefully by the time you read this sentence, you will have enabled SSL.

Seriously.  Do it.

Filed under  //  facebook   security   ssl

Nov 20 / 6:56am

Ubuntu (Intrepid) and Aventail SSL VPN Client

Since upgrading to Ubuntu 8.10 (Intrepid) I had been having trouble with my SSL VPN connectivity. Rather than sit down and figure it out, I chose to fire up a VirtualBox instance of 8.04 and use it to get work done. Finally, tonight, I hit the tipping point and decided to figure this out. First I discovered debug mode in the SSL client. You can enable it on the command line by running:

# startct -d

That will put a log in /var/log/AvConnect.log with lots of debugging goodness. The first thing I noticed was a fun error that looked kinda like this:

XGSSL::Connect() DoHandShake Failed!!!

Obviously enough, this led me to believe that this was a problem with the SSL handshake.

So, I decided at this point to inspect the guts of the Aventail client. Seemed simple enough: a few shell scripts (startct, stopct, uninstall), some Perl (cctel.pl), and then this mysterious binary, AvConnect. I decided to look deeper and found this:

# file /usr/local/Aventail/AvConnect 
/usr/local/Aventail/AvConnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

It uses shared libs, and note the setuid bit: the binary runs with its owner's privileges (root, if it was installed as root) rather than yours, so whichever libssl/libcrypto the loader resolves for it runs with those privileges too. Keep that in mind before changing which libraries it loads. Let's see where it's linking:

# ldd /usr/local/Aventail/AvConnect 
linux-gate.so.1 =>  (0xb8008000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fd4000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7e93000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7d3c000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7d16000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bb8000)
/lib/ld-linux.so.2 (0xb8009000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb4000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b9e000)

Did a bit more digging by running some tests with OpenSSL.

# openssl version
OpenSSL 0.9.8g 19 Oct 2007

# openssl s_client -CAfile /etc/ssl/certs/Entrust_Root_Certification_Authority.pem -connect <myvpnhost>:443 -showcerts

Which seemed to work fine. One thing worth noticing, though: ldd showed AvConnect bound to libssl.so.0.9.7 and libcrypto.so.0.9.7, while the openssl command line reports 0.9.8g, so s_client was exercising a different copy of the library than the client uses.

So, puzzled, I compared the openssl package on my 8.04 VM to what I had installed; shockingly, they matched.

# openssl version
OpenSSL 0.9.8g 19 Oct 2007
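The comparison just made by eye (sonames from ldd on one side, `openssl version` on the other) can be scripted. The following is an added example, not a script from the original post: it pulls the libssl/libcrypto sonames a binary is bound to out of ldd output and flags any whose version does not match what the openssl command line reports, which would have surfaced the 0.9.7-versus-0.9.8 split above without a debug log. The ldd text it embeds is constructed from the listing above, the AvConnect path is the one from the post, and it assumes the 0.9.x naming convention in which the soname carries major.minor.fix.

```shell
#!/bin/sh
# Added example (not from the original post): compare the OpenSSL sonames a
# binary is linked against with the version the openssl CLI reports.
# Assumes 0.9.x-style sonames (libssl.so.0.9.7 etc.), where the soname
# carries major.minor.fix; later OpenSSL releases use a different scheme.

# Print the soname of every libssl/libcrypto line in ldd output read from stdin.
ssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }'
}

# Given the output of `openssl version`, e.g. "OpenSSL 0.9.8g 19 Oct 2007",
# return the ABI part with the patch letter stripped: "0.9.8".
openssl_abi_version() {
    printf '%s\n' "$1" | awk '{ print $2 }' | sed 's/[a-z]*$//'
}

# check_sonames <ldd output> <openssl version output>
# Prints one line per libssl/libcrypto soname: "ok <soname>" when its
# version matches the CLI's ABI, "MISMATCH <soname> ..." otherwise.
check_sonames() {
    ldd_text=$1
    cli_abi=$(openssl_abi_version "$2")
    printf '%s\n' "$ldd_text" | ssl_sonames | while read -r so; do
        abi=${so#*.so.}          # libssl.so.0.9.7 -> 0.9.7
        if [ "$abi" = "$cli_abi" ]; then
            echo "ok $so"
        else
            echo "MISMATCH $so (openssl CLI is $cli_abi)"
        fi
    done
}

# Constructed sample input, taken from the ldd listing in the post.
SAMPLE_LDD='linux-gate.so.1 =>  (0xb8008000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fd4000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7e93000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7d3c000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bb8000)'
SAMPLE_VERSION='OpenSSL 0.9.8g 19 Oct 2007'

# Against the real client (path from the post), you would run:
#   check_sonames "$(ldd /usr/local/Aventail/AvConnect)" "$(openssl version)"
```

Run on the sample, it reports MISMATCH for both sonames, which is the point: the s_client test and the VPN client were not using the same library, so a passing s_client run says nothing about the client's handshake.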

Taking a shot in the dark, I decided to upgrade my local install of OpenSSL from source. Fairly run-of-the-mill install:

# wget http://openssl.org/source/openssl-0.9.8i.tar.gz

# tar zxvfm openssl-0.9.8i.tar.gz

To get the shared objects, you’ll want to run configure like so:

# cd openssl-0.9.8i
# ./config shared

Now, do the magic (build, then run the test suite):

# make && make test

Install it in the default location, /usr/local/ssl:

# sudo make install

Then, you'll want to update your links in /usr/lib to point at the new shared objects. Be aware that this redirects the libssl.so.0.9.7 and libcrypto.so.0.9.7 names for every program on the system that resolves them, not just AvConnect, and that the hand-built copy in /usr/local/ssl is outside the package manager, so it will not receive Ubuntu's OpenSSL security updates; you will have to rebuild it yourself whenever they ship.

# sudo ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so

# sudo ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so

# sudo rm /usr/lib/libcrypto.so.0.9.7

# sudo ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0.9.7

# sudo rm /usr/lib/libssl.so.0.9.7

# sudo ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0.9.7
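The rm/ln sequence above works, but the `rm` steps throw away the only copy of the library that everything else on the box was using, so there is no way back if something breaks. Here is an added example (not the post's own commands) that does the same soname redirection reversibly: the existing file or link is moved aside as a `.orig` backup instead of deleted, a restore function undoes the change, and a helper shows where a link finally resolves so you can confirm the swap with ldd afterwards. The library directory, soname and target are parameters; the values in the comments are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a reversible version of the
# post's `rm` + `ln -s` soname shuffle. Paths are parameters; the defaults in
# the comments are the post's (/usr/lib, libssl.so.0.9.7, /usr/local/ssl/lib).

# relink_soname <libdir> <soname> <new_target>
#   e.g. relink_soname /usr/lib libssl.so.0.9.7 /usr/local/ssl/lib/libssl.so
# Moves any existing <libdir>/<soname> to <soname>.orig, then links the
# soname at <new_target>. Refuses to touch anything if the target is missing.
relink_soname() {
    libdir=$1; soname=$2; target=$3
    [ -e "$target" ] || { echo "target $target does not exist" >&2; return 1; }
    if [ -e "$libdir/$soname" ] || [ -L "$libdir/$soname" ]; then
        # keep the original instead of rm'ing it, so the change can be undone
        mv "$libdir/$soname" "$libdir/$soname.orig" || return 1
    fi
    ln -s "$target" "$libdir/$soname"
}

# restore_soname <libdir> <soname>: put the .orig backup back in place.
restore_soname() {
    libdir=$1; soname=$2
    if [ ! -e "$libdir/$soname.orig" ] && [ ! -L "$libdir/$soname.orig" ]; then
        echo "no backup for $soname in $libdir" >&2
        return 1
    fi
    rm -f "$libdir/$soname"
    mv "$libdir/$soname.orig" "$libdir/$soname"
}

# resolved_target <path>: follow the whole symlink chain to the real file,
# so you can check what libssl.so.0.9.7 actually points at after relinking.
resolved_target() {
    readlink -f "$1"
}

# On the real system (as root), the post's two swaps become:
#   relink_soname /usr/lib libcrypto.so.0.9.7 /usr/local/ssl/lib/libcrypto.so
#   relink_soname /usr/lib libssl.so.0.9.7    /usr/local/ssl/lib/libssl.so
#   ldd /usr/local/Aventail/AvConnect | grep -E 'libssl|libcrypto'
# and, if the client or anything else stops working:
#   restore_soname /usr/lib libssl.so.0.9.7
#   restore_soname /usr/lib libcrypto.so.0.9.7
```

After the swap, `ldd` on AvConnect should still show the 0.9.7 soname, but `resolved_target /usr/lib/libssl.so.0.9.7` should now land under /usr/local/ssl/lib; if it does not, the loader is still picking up the packaged copy.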

Then test it out by running startct and you should be able to connect as usual. I have yet to figure out why the SSL handshake fails with the packaged version of OpenSSL, so if anyone has any clue about that or has a smarter workaround, please let me know :)

This is, of course, not the recommended action for people new to Linux/Ubuntu, and I provide no guarantee that it will work for you. I just wished to provide a possible workaround for anyone having the same issue and googling around aimlessly.

Enjoy

EDIT: More comprehensive shuffling of lib links per comments and observations below. Thanks devodl and js!

Filed under  //  linux   ssl   ubuntu   vpn