Use TLS1.3 with Ocserv anyconnect on Debian

I already use ocserv Anyconnect on my Debian9 server for a couple of months. Now I want to try to upgrade Ocserv to support TLS1.3, So I decided to have a try and below are my result ~~ Enjoy

Upgrade your gnutls-bin to 3.6.7

// Install related dependencies 
apt install libgnutls30=3.6.7-3 libp11-kit0=0.23.15-2 libtasn1-6=4.13-3 libunistring2=0.9.10-1 libc6=2.28-10 libhogweed4=3.4.1-1 libnettle6=3.4.1-1 libidn2-0=2.0.5-1

// Make sure `gnutls-bin` is up to date
apt upgrade gnutls-bin

If you got libc-bin error here are my solution

ERROR: 
dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: 2 expected program(s) not found in PATH or not executable.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

SOLUTION:
nano /root/.bashrc

// inside .bashrc last line paste this 
export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin

// Save and restart
source /root/.bashrc

// Resintall libc-bin
apt-get download libc-bin
dpkg -x libc-bin*.deb unpackdir/
cp unpackdir/sbin/ldconfig /sbin/
apt install libc-bin

apt policy libc6 // If it said you need to have version >= 2.2x
// do this

apt install libc6=2.28-9

Install latest ocserv version

// check version 
apt policy ocserv
// return
ocserv:
  Installed: 0.12.2-3
  Candidate: 0.12.2-3
  Version table:
 *** 0.12.2-3 100
         90 http://deb.debian.org/debian sid/main amd64 Packages
         90 http://deb.debian.org/debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12.2-3~bpo9+1 100
        100 http://deb.debian.org/debian stretch-backports/main amd64 Packages

// Install with latest version
apt install ocserv=0.12.2-3

// Check installed version
ocserv -v 
// return
ocserv 0.12.2
Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.6.7

Check your TLS connection

// Use openssl to test
openssl s_client -connect myvon.com:443 -tls1_3

// return 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xxx.com
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3743 bytes and written 589 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Use Openconnect client on Mac

// installation
brew install openconnect

// Export 
export LDFLAGS="-L/usr/local/opt/libffi/lib"

// connection
sudo openconnect <vpn address:port>

Use Openconenct GUI client on Windows

// Download GUI client for Windows
https://github.com/openconnect/openconnect-gui/releases/latest

Cisco anyconnect client

  • Windows –> https://www.cat2012.com/download/anyconnect/anyconnect-win-4.7.02036.msi
  • Android –> https://www.cat2012.com/download/anyconnect/anyconnect.android.4.7.00150.apk
  • Mac OSX –> https://www.cat2012.com/download/anyconnect/anyconnect-macos-4.7.02036.dmg
  • Linux 64bit –> https://www.cat2012.com/download/anyconnect/anyconnect-linux64-4.7.02036.tar.gz

Photo by Stefan Steinbauer on Unsplash

References

  1. https://gitlab.com/openconnect/ocserv/issues/207
  2. http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnutls.html
  3. https://sourcedigit.com/23234-apt-get-install-specific-version-of-package-ubuntu-apt-get-list/
  4. https://unix.stackexchange.com/questions/160019/dpkg-cannot-find-ldconfig-start-stop-daemon-in-the-path-variable
  5. https://visualplanet.org/blog/?p=427
  6. https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt
  7. https://github.com/johnshajiang/blog/wiki/Exploring-TLS-1.3-with-OpenSSL-1.1.1
  8. https://segmentfault.com/a/1190000011530974
  9. https://painso.com/2016/06/03/ocserv-install-usage/