Since upgrading to Ubuntu 8.10 (Intrepid) I had been having trouble with my SSL VPN connectivity. Rather than sit down and figure it out I chose to fire up a virtual box instance of 8.04 and use it to get work done. Finally, tonight, I hit the tipping point and decided to figure this out. First I discovered debug mode with the SSL client. You can enable it on the command line by running
# startct -d
That will put a log in /var/log/AvConnect.log with lots of debugging goodness. The first thing I noticed was a fun error that looked kinda like this:
XGSSL::Connect() DoHandShake Failed!!!
Obviously enough, this led me to believe that this was a problem with the ssl handshake.
So, I decided at this point to inspect the guts of the Aventail client. Seemed simple enough: a few shell scripts (startct, stopct, uninstall), some Perl (cctel.pl), and then there’s this mysterious binary, AvConnect. I decided to look deeper and found this:
# file /usr/local/Aventail/AvConnect
/usr/local/Aventail/AvConnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
Looks like it uses shared libs, let’s see where it’s linking..
# ldd /usr/local/Aventail/AvConnect
linux-gate.so.1 => (0xb8008000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fd4000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7e93000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7d3c000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7d16000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bb8000)
/lib/ld-linux.so.2 (0xb8009000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb4000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b9e000)
Did a bit more digging by running some tests with OpenSSL.
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# openssl s_client -CAfile /etc/ssl/certs/Entrust_Root_Certification_Authority.pem -connect <myvpnhost>:443 -showcerts
Which seemed to work fine..
So, puzzled, I compared the openssl package on my 8.04 VM to what I had installed; shockingly, they matched.
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
Taking a shot in the dark I decided to upgrade my local install of openssl from source. Fairly run of the mill install..
# wget http://openssl.org/source/openssl-0.9.8i.tar.gz
# tar zxvfm openssl-0.9.8i.tar.gz
To get the shared objects, you’ll want to run configure like so:
# cd openssl-0.9.8i
# ./config shared
Now, do the magic..
# make && make test
Install it in the default location /usr/local/ssl
# sudo make install
Then, you’ll want to update your links in /usr/lib to point at the new shared objects.
# sudo ln -s /usr/local/ssl/lib/libcrypto.so /usr/lib/libcrypto.so
# sudo ln -s /usr/local/ssl/lib/libssl.so /usr/lib/libssl.so
# sudo rm /usr/lib/libcrypto.so.0.9.7
# sudo ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0.9.7
# sudo rm /usr/lib/libssl.so.0.9.7
# sudo ln -s /usr/lib/libssl.so /usr/lib/libssl.so.0.9.7
Then test it out by running startct and you should be able to connect as usual. I have yet to figure out why the ssl handshake fails with the packaged version of openssl, so if anyone has any clue about that or has a smarter work around, please let me know :)
This is, of course, not the recommended action for people new to Linux/Ubuntu and I provide no guarantee that it will work for you. I just wished to provide a possible work around for anyone having the same issue googling around aimlessly.
Enjoy
EDIT: More comprehensive shuffling of lib links per comments and observations below. Thanks devodl and js!
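The link chain set up in the steps above can be checked hop by hop, which shows exactly which file the legacy 0.9.7 names end up loading. This is an added example, not part of the original post; the function names resolve_chain and check_compat_links are made up for illustration, and it assumes readlink is available.

```shell
#!/bin/sh
# Added example: walk the symlink chains behind the two legacy library
# names that the post re-points (libssl.so.0.9.7, libcrypto.so.0.9.7).
# Usage: sh check_links.sh /usr/lib

# resolve_chain PATH: print every hop, then a verdict line.
# Returns 0 if the chain ends at a regular file, 1 if the end is missing,
# 2 if the chain is longer than 16 hops (treated as a loop).
resolve_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            echo "LOOP $1"
            return 2
        fi
        target=$(readlink "$path")
        case $target in
            /*) next=$target ;;                      # absolute target
            *)  next=$(dirname "$path")/$target ;;   # relative to link dir
        esac
        echo "$path -> $next"
        path=$next
    done
    if [ -f "$path" ]; then
        echo "OK $path"
        return 0
    fi
    echo "MISSING $path"
    return 1
}

# check_compat_links LIBDIR: both names must resolve to a real file.
check_compat_links() {
    libdir=$1
    status=0
    for name in libssl.so.0.9.7 libcrypto.so.0.9.7; do
        resolve_chain "$libdir/$name" || status=1
    done
    return $status
}

if [ "$#" -gt 0 ]; then
    check_compat_links "$1"
fi
```

A MISSING verdict for libcrypto.so.0.9.7 while libssl.so.0.9.7 reports OK means only one of the two links is in place.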

Comments
I tried this on Xubuntu (Intrepid) hoping to be able to connect. I am getting the same error you are and so far, we’re the only two who seem to have this issue.
Compiling seemed to go well and I didn’t have any error messages.
When I tried to remove the link to the old libssl.so I was told it didn’t exist. Paying no mind, I created a new symlink anyway, but there was no change (I still could not connect).
Also, my files were installed in /usr/local/ssl/lib/ instead of /usr/local/ssl/libs/. I made this change when trying to do the symlink, but it still did not help.
I moved and copied some symlinks around to try to get it to point at the new libssl install, and even tried to remove and reinstall Aventail, but to no avail. Not quite sure what I did now, but Aventail won’t even start up at this point, as it’s not getting past the initialization of SSL.
Do you have any other ideas? Do you think it has anything to do with being on Xubuntu? It’s essentially the same system setup. I might do a full Ubuntu Intrepid install to see if it helps. I was trying for a light and fast VPN system, which is why I chose Xubuntu.
Sorry it took so long to reply! Been quite busy at work preparing for the holiday and lost track here.
First off, you caught a typo in my blog which is now corrected. You will link from
/usr/local/ssl/lib/libssl.so not /usr/local/ssl/libs/libssl.so. Thanks for that! Now, take a look at this:
lrwxrwxrwx 1 root root 18 2008-07-07 21:45 /usr/lib/libssl.so.0.9.7 -> /usr/lib/libssl.so
lrwxrwxrwx 1 root root 34 2008-11-20 21:19 /usr/lib/libssl.so -> /usr/local/ssl/lib/libssl.so.0.9.8
You can see that the link to the ssl shared lib resolves to
/usr/local/ssl/lib/libssl.so.0.9.8. Can you verify that’s the case with your install? We can troubleshoot from there.
Thanks!
Thanks for your help. Although not necessary, I ended up deleting everything relating to /usr/lib/libssl and /usr/lib/libcrypt, reinstalling anything in Synaptic that had libssl in it, following your instructions to build and install openssl-0.9.8i, and then created the symlinks from libssl.so.0.9.7 to libssl.so as you mentioned in your reply above. I also had to do that for libcrypto.so.0.9.7 (link to libcrypt.so) since I had deleted it.
After those links were set up, Aventail worked like a charm! Thanks again for your helpful post!
Awesome, glad I could help!
Thanks to both Benjamin and js
Even though I installed openssl-0.9.8i startct still failed. The note from js about libcrypto completed the solution.
Summary of my changes:
1 — Install openssl-0.9.8i
2 — Change links in /usr/lib as follows:
I’m glad we were able to get something working well between us all! I’m implementing this solution on another machine this morning, actually :)