FS#77647 - [vpnc] vpnc-1:0.5.3.r526.r213-1 refuses to connect with weaker authentication methods

Attached to Project: Arch Linux
Opened by Musikolo (Musikolo) - Saturday, 25 February 2023, 23:57 GMT
Last edited by Toolybird (Toolybird) - Monday, 27 February 2023, 00:52 GMT
Task Type Support Request
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: Noticed that with the last version, vpnc-1:0.5.3.r526.r213-1, it rejects connecting with weaker authentication methods and prints the following warning:

Feb 25 17:16:39 MyLaptop NetworkManager[2815]: /usr/sbin/vpnc: Peer has selected md5 as authentication method.
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: This algorithm is considered too weak today.
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: If your vpn concentrator admin still insists on using md5,
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: use the "--enable-weak-authentication" option.

Reverting back to the previous version, vpnc-1:0.5.3.r506.r204-2, solves the issue and everything works again. This version was built on Nov 2, as can be seen at https://archive.archlinux.org/packages/v/vpnc/

Following this, I noticed that none of the changes introduced in the code since November suggest a change in the permitted authentication methods. All I saw were minor changes:
- https://github.com/streambinder/vpnc/commits/master

So, I wonder where the new behavior comes from?
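The warning quoted in the description above can be detected in collected logs to find which machines are affected by the stricter vpnc build. The following Python sketch is an added example, not part of the original report or of vpnc; it assumes the classic syslog line layout shown in the report, and the function names and the extra sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the four journal lines quoted in the report, preceded by
# one made-up unrelated line and followed by a made-up line from another host.
SAMPLE_JOURNAL = """\
Feb 25 17:16:38 MyLaptop NetworkManager[2815]: constructed unrelated message
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: /usr/sbin/vpnc: Peer has selected md5 as authentication method.
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: This algorithm is considered too weak today.
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: If your vpn concentrator admin still insists on using md5,
Feb 25 17:16:39 MyLaptop NetworkManager[2815]: use the "--enable-weak-authentication" option.
Feb 25 17:20:00 OtherHost NetworkManager[4000]: This algorithm is considered too weak today.
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SELECTED = re.compile(r"Peer has selected (?P<alg>.+?) as authentication method\.")
TOO_WEAK = "This algorithm is considered too weak today"


def find_weak_auth_rejections(text):
    """Return one event per refusal: a 'Peer has selected' line followed by
    the 'too weak' verdict from the same host, tag and PID."""
    pending, events = {}, []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        key = (m["host"], m["tag"], m["pid"])
        sel = SELECTED.search(m["msg"])
        if sel:
            pending[key] = {"time": m["ts"], "host": m["host"],
                            "pid": m["pid"], "algorithm": sel["alg"]}
        elif TOO_WEAK in m["msg"] and key in pending:
            events.append(pending.pop(key))
    return events


def summarize(events):
    """Count refusals per (host, algorithm) to show which endpoints still hit this."""
    return Counter((e["host"], e["algorithm"]) for e in events)


if __name__ == "__main__":
    for (host, alg), n in summarize(find_weak_auth_rejections(SAMPLE_JOURNAL)).items():
        print(f"{host}: peer negotiated {alg}, refused by vpnc {n} time(s)")
```

Requiring the verdict line from the same process keeps a stray "too weak" message, or a selection line that was not refused, from being counted.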

Closed by  Toolybird (Toolybird)
Monday, 27 February 2023, 00:52 GMT
Reason for closing:  Upstream
Additional comments about closing:  See comments
Comment by loqs (loqs) - Sunday, 26 February 2023, 01:07 GMT
Comment by Musikolo (Musikolo) - Sunday, 26 February 2023, 14:15 GMT
OK, thanks so much for providing so much detail. I've been looking in the NetworkManager UI and under the "Advanced" options I found an "Encryption method" drop-down list with the "Weak" option. However, there seems to be no such thing for authentication methods. Also, comparing the long help output of the previous and new versions, it looks like the "--enable-weak-authentication" option has been added to the new version, as it wasn't available in the previous one. Any idea if there is a way to enable weak authentication methods through the NetworkManager UI, if that's possible at all?
Comment by loqs (loqs) - Sunday, 26 February 2023, 15:31 GMT
Support for --enable-weak-authentication has not been added to networkmanager-vpnc. You could try opening an issue on [1]. If the connection cannot be updated to use stronger authentication, you will have to keep using the older release of vpnc or create a custom release with 1db1d23a6d95456dc9e4cfd7f8f4ec1f92554e75 reverted until networkmanager-vpnc adds support.

[1] https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/-/issues
Comment by Musikolo (Musikolo) - Sunday, 26 February 2023, 17:16 GMT
I tried to file an issue in the NetworkManager VPNC site you linked above, but there is no way to log in. I tried using GitHub & Gmail identity providers, but it didn't work. I also tried to fill out the registration form manually, but once completed, I couldn't log in either. Not sure what's wrong, but it was a very frustrating experience.

Since there is nothing that can be done on the ArchLinux side, please feel free to close this issue.

Thank you so much for the provided assistance!
