[vox-tech] Using UC Davis vpn with the new Linux client PulseClient?

Bill Broadley bill at broadley.org
Wed Jun 29 03:57:35 PDT 2016


On 06/27/2016 02:38 PM, Matthieu Stigler wrote:
> Hi
>
> UC Davis does not offer anymore the browser-based vpn entry, so need to
> use the "Pulse client" they provide:
> https://www.lib.ucdavis.edu/ul/services/connect/faq.php

Sort of.  They provide a Juniper based VPN solution that multiple 
clients work with.  Normally linux software is quite secure because it:
* Is compiled with current libraries and compilers
* Is 64 bit (for added page protection)
* Is delivered with a package manager (so you get updates)
* Is included via a secure infrastructure
* Uses shared libraries, so you can fix any insecure dependencies
* Is open source, follows best practices, etc.

Security critical things running as root and handling security related 
duties should be held to the highest possible standards.

Unfortunately the pulse client is the exact opposite.  Probably one of 
the least secure binaries on your system.  The linux pulse client:
* is just a random .deb download
* doesn't include a manifest with checksums
* isn't signed
* is 32 bit
* has known broken/insecure ssl libraries statically compiled in
* doesn't include any way to automatically get/detect available upgrades
* is unclear about whether it's getting any love at all: 32 bit is pretty
   old, the openssl bindings are ancient, and (AFAICT) they are no longer
   affiliated with Juniper.

So generally I recommend avoiding pulse if at all possible.  The good 
news is that OpenConnect:
* is compatible
* is 64 bit
* is open source
* is delivered by your package manager via secure/signed packages
* will automatically get updates (if turned on), or just apt update;
   apt upgrade
* uses current openssl libraries
* seems to work quite well

Unfortunately it's a bit tricky on older linux boxes.  The main problem 
is that you need a fairly new openssl to get a library that A) doesn't 
have the security hole and B) securely emulates the old behavior for 
compatibility while still avoiding the security hole.

It pretty much "just works" with ubuntu-16.04.  Just run this:
   sudo apt install openconnect
   sudo /usr/sbin/openconnect --juniper vpn.library.ucdavis.edu

I brought this up with the library and they seem not to care about 
security and just want to support the pulse client.  They did fix their 
SSL cert so you no longer have to blindly trust a random cert you download.

> This could be this bug:
> https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40157/?q=KB40157
>
> But what is strange is that it did work at some point...

I got it to work to verify things, but it was an ugly fragile hack.  Try 
openconnect; on 12.04 you will likely have to install the newest version 
from source, and possibly openssl as well.

Might be worth spinning up an ubuntu-16.04 vps/virtualbox/whatever just 
to tinker with how it works.  Pretty sure the current fedora should work 
fine as well.  Pretty sure someone mentioned it working on OSX as well.
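The post above lists properties of the Pulse binary (32 bit, statically linked, old OpenSSL baked in) without showing how to check them. The following is an added example, not code from the original post or from Pulse Secure or OpenConnect: a few POSIX shell functions that read the ELF header to get the word size, look for an embedded dynamic-loader path as a heuristic for dynamic vs. static linking, and pull out whatever "OpenSSL x.y.z" banner string the binary carries (a statically linked OpenSSL brings its own). The path /usr/local/pulse/pulsesvc in the usage line is an assumption; the functions work on any file.

```shell
#!/bin/sh
# Added example (not from the original post): audit a VPN client binary for
# the properties discussed above, using only od, grep, sort, head and tr.

# elf_class FILE -> prints "32", "64", or "not-elf"
# Reads the ELF magic (0x7f 'E' 'L' 'F') and the EI_CLASS byte at offset 4.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) ;;
        *) echo "not-elf"; return 0 ;;
    esac
    class=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')
    case "$class" in
        01) echo "32" ;;
        02) echo "64" ;;
        *)  echo "not-elf" ;;
    esac
}

# elf_dynamic FILE -> "dynamic" if a program interpreter path such as
# /lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2 is embedded, else "static".
# Heuristic: a fully static binary has no PT_INTERP string to point at ld.so.
elf_dynamic() {
    if grep -a -q -E '/lib(64)?/ld-[^[:space:]]*\.so' "$1"; then
        echo "dynamic"
    else
        echo "static"
    fi
}

# embedded_openssl FILE -> first "OpenSSL x.y.z[letter]" version banner found
# in the file, or "none". Shared-library users do not carry this string;
# a statically linked OpenSSL does, which is how the old library shows up.
embedded_openssl() {
    v=$(grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" | sort -u | head -n1)
    if [ -n "$v" ]; then
        echo "$v"
    else
        echo "none"
    fi
}

# audit_binary FILE -> one-line summary combining the three checks
audit_binary() {
    printf '%s: elf=%s link=%s openssl=%s\n' "$1" \
        "$(elf_class "$1")" "$(elf_dynamic "$1")" "$(embedded_openssl "$1")"
}

# Usage (path is an assumption, adjust to where the client installed):
#   audit_binary /usr/local/pulse/pulsesvc
#   audit_binary /usr/sbin/openconnect
```

Running audit_binary on the package-manager openconnect and on the Pulse binary side by side shows the difference the post describes: the distro binary reports elf=64, link=dynamic and openssl=none (it gets OpenSSL from the shared library, which apt updates), while a static 32-bit build reports elf=32 and whatever OpenSSL banner was compiled in. The linkage check is a heuristic; `file` and `ldd` give the authoritative answer where they are available.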
