#997981 ocserv crashes on client connection

Package: ocserv
Source: ocserv
Description: OpenConnect VPN server compatible with Cisco AnyConnect VPN
Submitter: Michael Scheffler
Date: 2021-12-07 10:12:03 UTC
Severity: important

#997981#5
Date: 2021-10-28 07:42:24 UTC

Dear Maintainer,

after the latest system updates, ocserv keeps crashing on client connection. Everything worked fine before:

The server is using password authentication. I manually compiled the latest version (1.1.3) and everything works fine again. Same with 1.1.2 from bullseye.

#997981#10
Date: 2021-12-07 10:03:18 UTC

Hello,
I have the same issue. I'm on Debian 10 amd64 with 0.12.2-3. I also
tried 1.1.2-2~bpo10+1. This issue is related to something Letsencrypt
changed. The last Letsencrypt Certificate was from 8th October. Tonight
I renewed my Letsencrypt Certificate automatically. After that, before
the login prompt, ocserv was crashing. From the client it looked like
that:

(nuc) [~] openconnect vpn.company.com
POST https://vpn.company.com/
Connected to 1.2.3.4:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Error reading HTTP response: Invalid argument
GET https://vpn.company.com/
Connected to 1.2.3.4:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Error reading HTTP response: Invalid argument
Failed to obtain WebVPN cookie

From the server side it looked like that:

Dec  7 04:00:58 debian ocserv[6166]: main: main.c:983: Child 6178 died with sigsegv
... 180 ... similar entries skipped.

I was able to restore operation by compiling ocserv from source:

sudo apt-get build-dep -y ocserv
wget https://www.infradead.org/ocserv/download/ocserv-1.1.5.tar.xz
tar xfJ ocserv-1.1.5.tar.xz
cd ocserv-1.1.5
sudo mkdir -p /local/ocserv
sudo chown <myuser> /local/ocserv
./configure --prefix=/local/ocserv
make
make install
sudo /etc/init.d/ocserv stop
sudo /local/ocserv/sbin/ocserv -c /etc/ocserv/ocserv.conf

However, I'll upgrade to Debian 11 tonight. Debian 11 doesn't have this problem,
because I have several other ocserv on Debian 11, which don't have the issue.

Cheers,
	Thomas