broken certificate authentication under 2.20 and newer

Chaskiel Grundman cg2v at andrew.cmu.edu
Sat Feb 27 13:51:02 EST 2010


The openconnect (2.01) in debian testing works mostly OK for me, but I 
wanted DTLS to work, so I upgraded to the git head and built it against 
openssl 1.0.0-beta5. When I connect with this version, certificate 
authentication does not seem to occur, and openconnect prompts me for a 
username and password:

$ sudo ./openconnect -v -s ../vpnc-scripts/vpnc-script -c ../Download/yy.yy.yy.yy.yy.p12 -K pkcs12 xx.xx.cmu.edu
Attempting to connect to 128.2.xxx.xxx:443
Using certificate file ../Download/yy.yy.yy.yy.yy.p12
Enter PKCS#12 pass phrase:
Extra cert from PKCS#12: '...'
SSL negotiation with xx.xx.cmu.edu
Connected to HTTPS on xx.xx.cmu.edu
GET https://xx.xx.cmu.edu/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Feb 2010 17:46:39 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://xx.xx.cmu.edu/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
Set-Cookie: ClientCertAuthFailed=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Username:^CFailed to obtain WebVPN cookie


I attempted a git bisect and the problem seems to be somewhere between

f900f637b9956f3f2fd0a78977784a1655ec2bc4 Fix handling of 'HTTP/1.1 100 Continue' response

and

cc64d59d8132350cadf7adf91857597795eb9090 Fix handling of HTTP 1.0 responses with Connection: Keep-Alive

The intermediate versions all hang in the first https request, presumably 
due to the Connection: Keep-Alive issue.


Any ideas?
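An added example, not from the post or the openconnect project, that parses the two gateway responses quoted above and reports how each body is framed, whether HTTP/1.0 plus Connection: Keep-Alive keeps the connection open, and whether the gateway set the ClientCertAuthFailed=1 cookie, which is the signal a client should check before falling back to a username/password prompt. The sample responses are reconstructed from the log; the helper names are my own.

```python
import re
# Sample responses reconstructed from the transcript in the post (constructed input).
RESP_302 = ("HTTP/1.0 302 Object Moved\r\n"
            "Content-Length: 0\r\n"
            "Connection: Keep-Alive\r\n"
            "Location: /+webvpn+/index.html\r\n"
            "Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure\r\n"
            "\r\n")
RESP_200 = ("HTTP/1.1 200 OK\r\n"
            "Transfer-Encoding: chunked\r\n"
            "Set-Cookie: webvpnlogin=1; secure\r\n"
            "Set-Cookie: ClientCertAuthFailed=1; path=/; secure\r\n"
            "\r\n")

def parse_head(raw):
    """Return (version, status code, [(lowercased name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, int(status), headers

def framing(version, headers):
    """Body delimiting and persistence. HTTP/1.0 closes after the response
    unless it says 'Connection: Keep-Alive'; HTTP/1.1 persists unless 'close'.
    A client that ignores the HTTP/1.0 Keep-Alive case and waits for EOF hangs."""
    h = dict(headers)  # fine here: the headers we look up do not repeat
    conn = h.get("connection", "").lower()
    keep = conn == "keep-alive" if version == "HTTP/1.0" else conn != "close"
    if "chunked" in h.get("transfer-encoding", "").lower():
        body = "chunked"
    elif "content-length" in h:
        body = int(h["content-length"])
    else:
        body = "until-close"  # only well defined when keep is False
    return body, keep

def cert_auth_failed(headers):
    """True if the gateway set ClientCertAuthFailed=1, as in the post's log."""
    return any(n == "set-cookie" and re.match(r"ClientCertAuthFailed=1(;|$)", v)
               for n, v in headers)

def analyse(raw):
    """Summarise one response: status, body framing, persistence, cert-auth signal."""
    version, status, headers = parse_head(raw)
    body, keep = framing(version, headers)
    return {"status": status, "body": body, "keep_alive": keep,
            "cert_auth_failed": cert_auth_failed(headers)}
```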