| author | Arun Isaac | 2023-10-06 13:14:52 +0100 |
|---|---|---|
| committer | Arun Isaac | 2023-10-06 13:14:52 +0100 |
| commit | b33144f166b489795de33074a247494fe7ff6c87 (patch) | |
| tree | 9b5da96115bb1e4e3bf552e4141d88f266af445c /topics | |
| parent | b4af5b2ab018455c3117938628d4dc658ca3556a (diff) | |
| download | gn-gemtext-b33144f166b489795de33074a247494fe7ff6c87.tar.gz | |
Document unsafe legacy TLS renegotiation requirement for UTHSC VPN.
Diffstat (limited to 'topics')
-rw-r--r-- | topics/uthsc-vpn-with-free-software.gmi | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/topics/uthsc-vpn-with-free-software.gmi b/topics/uthsc-vpn-with-free-software.gmi index abb7e4a..5288101 100644 --- a/topics/uthsc-vpn-with-free-software.gmi +++ b/topics/uthsc-vpn-with-free-software.gmi @@ -21,6 +21,29 @@ $ openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC -- --script 'vp ``` The vpn-slice script looks up the hostnames tux01 and tux02e on the VPN DNS and adds /etc/hosts entries and routes to your system. vpn-slice can also set up more complicated routes. To learn more, read the vpn-slice documentation. +## Unsafe legacy TLS renegotiation + +The UTHSC VPN still requires unsafe legacy TLS renegotiation. This is disabled by default on the latest Guix. We need to re-enable it by configuring openssl.cnf as described on the following stackoverflow page. +=> https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled +Here's a quick summary. Put the following in some file, say /tmp/openssl.cnf +``` +openssl_conf = openssl_init + +[openssl_init] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +Options = UnsafeLegacyRenegotiation +``` +Set the environment variable OPENSSL_CONF to point to this file. +``` +export OPENSSL_CONF=/tmp/openssl.cnf +``` +Then, run the openconnect-sso client as usual. + ## Acknowledgement Many thanks to Pjotr Prins and Erik Garrison without whose earlier work this guide would not be possible. |
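Review bot: the `export OPENSSL_CONF=/tmp/openssl.cnf` step applies `Options = UnsafeLegacyRenegotiation` to every OpenSSL-linked program started from that shell, not only to openconnect-sso, so the new section should scope the setting to the single command, e.g. `OPENSSL_CONF=/tmp/openssl.cnf openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC ...`, and state plainly what is being traded away: the option disables the check that the peer supports secure renegotiation (RFC 5746), which is the protection against the TLS renegotiation man-in-the-middle flaw, so it should stay confined to the VPN client session. `/tmp` is also a poor location for a file that changes TLS behaviour of the process, since another local user can replace it before the client starts; a path under the user's own home directory (for example `~/.config/uthsc-vpn/openssl.cnf`, a suggested name) would avoid that.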