From 4b02c05b544927f4669c6d98fac1124080c93df2 Mon Sep 17 00:00:00 2001 From: Benjamin Mako Hill Date: Wed, 19 Apr 2023 10:03:40 -0700 Subject: [PATCH] fix issue with openssl The scripts seem to be relying on a legacy openssl renegotiation protocol and this allows it to continue. I don't know if this a requirement on the NU side or a feature of these scripts but this works around it in the shorter term. --- openssl.conf | 11 +++++++++++ ssh-vpn-proxy | 4 +++- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 openssl.conf diff --git a/openssl.conf b/openssl.conf new file mode 100644 index 0000000..9a6b314 --- /dev/null +++ b/openssl.conf @@ -0,0 +1,11 @@ +openssl_conf = openssl_init + +[openssl_init] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +Options = UnsafeLegacyRenegotiation + diff --git a/ssh-vpn-proxy b/ssh-vpn-proxy index 3548b40..819d175 100755 --- a/ssh-vpn-proxy +++ b/ssh-vpn-proxy @@ -1,5 +1,7 @@ #!/bin/bash +export OPENSSL_CONF="${HOME}/bin/nu-vpn-proxy/openssl.conf" +# this allows for legacy renegotation which seems to be required now SEARCH_PATTERN="ESP tunnel connected; exiting HTTPS mainloop." # connects to SSH through openconnect and VPN @@ -7,7 +9,7 @@ SEARCH_PATTERN="ESP tunnel connected; exiting HTTPS mainloop." # first run openconnect -/sbin/start-stop-daemon --pidfile /tmp/nu-vpn-openconnect.pid -S --startas "$HOME/bin/nu-vpn-proxy/openconnect_command-ssh.sh" & +/sbin/start-stop-daemon --pidfile /tmp/nu-vpn-openconnect.pid -S --startas "${HOME}/bin/nu-vpn-proxy/openconnect_command-ssh.sh" & sleep 2 # kill connection on exit -- 2.39.5