Getting openconnect on openwrt to include RFC9266 `tls-exporter` (TLSv1.3) support

Looking for someone who can help build openconnect to include this commit:

Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with TLSv1.3

that fixes: https://gitlab.com/openconnect/openconnect/-/issues/659

I have several Linux environments, but not much of an openwrt build environment; eager to help test. Without the fix, the connection fails. Currently using openconnect 9.12-r5 on:

```json
"release": {
        "distribution": "OpenWrt",
        "version": "24.10.0",
        "revision": "r28427-6df0e3d02a",
        "target": "ramips/mt7621",
        "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
        "builddate": "1738624177"
}
```

Any help much appreciated!

Start with getting upstream to make a stable release. OpenWrt packages include exactly that.

Sorry, I don't understand...
Querying on the router, it uses:

```
opkg info openconnect
Package: openconnect
Version: 9.12-r5
Depends: libc, libxml2, kmod-tun, resolveip, vpnc-scripts, libgnutls, libtasn1
Status: install ok installed
Section: net
Architecture: mipsel_24kc
Size: 169623
Filename: openconnect_9.12-r5_mipsel_24kc.ipk
```

which appears to be re-built automatically nightly(?):

https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/packages/

[openconnect-9.12-r5.apk](https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/packages/openconnect-9.12-r5.apk) 165.9 KB Tue Mar 4 18:06:18 2025

Upstream maintains generic sources, and links to pre-built binaries for "popular" platforms, here:

The top two links even automate on Linux ports: redhat, suse, ubuntu, etc.

Not seeing openwrt..

Are you hinting that the source code fix as it is may not be applicable to the openwrt platform, since it uses different sources? Whom to contact? Where to report/request what you mention?

Thanks.

That is latest upstream release +5 compatibility patches.

ok, thanks, maybe someone can "translate" what these replies mean from an operative standpoint: where to post, what/whom to ask for what?

Upstream releases their bits + all fixes for all to grab from github; in addition, they provide pre-built binaries (on popular ports). I thought someone on the openwrt side (and possibly other sides/ports) consumed that source code + fixes and adjusted/staged it on their end for (nightly) building..

based on the one-liner replies, it sounds like this may take YEARs or at best months :slight_smile: :slight_smile: (for someone in upstream to provide openwrt adjusted base release + all needed fixes?)

Until someone explains further, or that fix somehow appears on openwrt; will try to find another port that has this fix pre-built into openconnect.

Worth talking to a maintainer mentioned in https://openwrt.org/packages/pkgdata/openconnect ?

Thanks will try to reach Nikos..

btw the url has info from OpenWrt-22.03.0; is there anyone on the openwrt side who is "responsible" for openconnect? To adopt/upkeep changes, etc.? Or does openwrt depend on each maintainer to provide them with a working port for the openwrt platform?

If I were to naively follow this page's instructions for building a single package:

https://openwrt.org/docs/guide-developer/toolchain/single.package

can this build be done on Ubuntu, or does it have to be done on a device running openwrt?

Someone suggested trying a fallback to tls1.2; sure enough, adding `--gnutls-priority="NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"` overcame 'HTTP/1.1 401 Unauthorized' and the VPN connection is stable on (1.2).

Hopefully we can figure out how to rebuild 1.3 for the openwrt port before v1.2 is obsoleted.
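The priority string in that workaround does two separate things: it pins the session to TLS 1.2 (which sidesteps the missing tls-exporter binding) and it also explicitly re-enables static RSA key exchange, a CBC cipher and SHA-1. The following script is an added example, not code from the thread or from openconnect; it parses a GnuTLS priority string and reports which of those it switches on, and compares the quoted string with a narrower one that only pins the version (whether the narrower string is enough for this particular server is an assumption).

```python
"""Inspect a GnuTLS priority string for version pinning and legacy primitives.

Added example (not from the thread). Modifier semantics assumed: tokens after
the keyword set are '+ITEM' or '-ITEM', applied left to right, last one wins.
"""
from __future__ import annotations

# Legacy primitives a '+' modifier can re-enable, with the reason each is flagged.
LEGACY = {
    "RSA": "static RSA key exchange (no forward secrecy)",
    "AES-128-CBC": "CBC-mode cipher",
    "AES-256-CBC": "CBC-mode cipher",
    "SHA1": "SHA-1 MAC",
}
VERSION_ITEMS = ("VERS-ALL", "VERS-TLS-ALL", "VERS-TLS1.3")


def parse_priority(priority: str) -> tuple[str, list[tuple[str, str]]]:
    """Split 'NORMAL:-VERS-ALL:+VERS-TLS1.2' into the keyword and (sign, item) pairs."""
    keyword, *rest = priority.split(":")
    mods = []
    for tok in rest:
        if not tok or tok[0] not in "+-":
            raise ValueError(f"unexpected token {tok!r}")
        mods.append((tok[0], tok[1:]))
    return keyword, mods


def tls13_enabled(priority: str) -> bool:
    """Assumption: the keyword set (NORMAL etc.) allows TLS 1.3 until a modifier removes it."""
    enabled = True
    for sign, item in parse_priority(priority)[1]:
        if item in VERSION_ITEMS:
            enabled = sign == "+"
    return enabled


def legacy_additions(priority: str) -> list[str]:
    """Legacy primitives explicitly re-enabled with '+' in the string."""
    return [f"+{item}: {LEGACY[item]}"
            for sign, item in parse_priority(priority)[1]
            if sign == "+" and item in LEGACY]


def report(priority: str) -> dict:
    return {"tls13": tls13_enabled(priority), "legacy": legacy_additions(priority)}


if __name__ == "__main__":
    workaround = "NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1"  # from the thread
    narrower = "NORMAL:-VERS-ALL:+VERS-TLS1.2"  # assumption: pins the version only
    for p in (workaround, narrower):
        print(p, report(p))
```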

Now found right link to open an issue:
https://github.com/openwrt/packages/issues/26108
openconnect to include RFC9266 tls-exporter (TLSv1.3) support #26108

The github issue will be attended to one day; depending on the maintainer it can be a week or a year.

Yes, of course, thanks for support, super happy to have found the workaround until that time comes...
