SSL Certificate verification bug

Matthew Thompson matthewbot at gmail.com
Thu Aug 29 11:09:22 EDT 2013


Works like a charm! Thanks again.

Matt Thompson

On Wed, Aug 21, 2013 at 12:04 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Sat, Aug 3, 2013 at 7:30 PM, Matthew Thompson <matthewbot at gmail.com> wrote:
>> openconnect v5.01 gives the following error when connecting to my
>> university's vpn, vpn.ufl.edu:
>>
>> [matthewbot at gas-powered-stick openconnect]$ openconnect https://vpn.ufl.edu/
>> POST https://vpn.ufl.edu/
>> Attempting to connect to server 128.227.166.118:443
>> SSL negotiation with vpn.ufl.edu
>> Connected to HTTPS on vpn.ufl.edu
>> Got HTTP response: HTTP/1.0 302 Temporary moved
>> POST https://ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu/
>> Attempting to connect to server 128.227.166.117:443
>> SSL negotiation with ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu
>> Connected to HTTPS on ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu
>> Got HTTP response: HTTP/1.0 302 Object Moved
>> GET https://vpn.ufl.edu/
>> SSL negotiation with vpn.ufl.edu
>
> openconnect sure goes through a lot of redirects when connecting to
> this gateway.  It would be good to try out the official Cisco client
> and see if this behavior is expected.
>
>> However, some publicly available SSL testers don't report any issues
>> with the certificate, and indeed, the error goes away in openconnect
>> v5.00. I haven't had time to look at the code yet, but I did
>> successfully bisect the problem to commit
>> 152d4e4a296984a538d7d6b52a18b24ce32bffdb, "When falling back to
>> non-xmlpost, revert to original URL." I'm hazarding a guess that
>> something about the specific sequence of redirects used by my
>> university is breaking the logic introduced in this change? Or is
>> something actually wrong with our SSL setup? Thanks for the
>> assistance.
>
> Your SSL setup looks OK.  What I saw was that openconnect actually
> connected to ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu when it thought
> it was connecting to vpn.ufl.edu.
>
> Could you please try my patch and indicate whether it fixes the problem for you?
>
> Thanks.
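The failure Kevin describes (the client verifying the certificate against vpn.ufl.edu while its socket was actually open to the ASA host it had been redirected to) can be reproduced with a small model of the redirect chain from the log. The code below is an added illustration, not openconnect's code or Kevin's patch; the response table, the "Object Moved" fallback trigger, and the assumption that each host serves a certificate for its own name are all constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed model of the chain in the log: host -> (status text, Location).
# "Object Moved" stands in for the reply that makes the client fall back to
# the non-xmlpost flow and revert to the original URL.
RESPONSES = {
    "vpn.ufl.edu": ("Temporary moved", "https://ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu/"),
    "ssrb230a-vpn-asa5500-1-g10-1.ns.ufl.edu": ("Object Moved", "https://vpn.ufl.edu/"),
}

@dataclass
class TlsClient:
    peer: str = ""                    # host the socket is really connected to
    log: list = field(default_factory=list)

    def connect(self, host):
        self.peer = host
        self.log.append(f"connect {host}")

    def verify(self, expected):
        # Hostname check: the peer's certificate (assumed here to carry the
        # peer's own name) must match the name the caller thinks it reached.
        ok = self.peer == expected
        self.log.append(f"verify {expected} vs peer {self.peer}: {'ok' if ok else 'MISMATCH'}")
        return ok

def follow(start_url, reuse_socket_on_fallback):
    """Walk the chain; return one (peer, verified_name, ok) tuple per hop.

    reuse_socket_on_fallback=True models the suspected defect: the URL is
    reverted to the original, but the socket opened for the redirect target
    is kept, so the name being verified and the real peer drift apart.
    """
    client, url, trace, fell_back = TlsClient(), start_url, [], False
    for _ in range(5):                # hop limit keeps a bad chain finite
        host = urlparse(url).hostname
        # Safe rule: a change of URL host always means a fresh connection.
        if client.peer != host and not (fell_back and reuse_socket_on_fallback):
            client.connect(host)
        ok = client.verify(host)
        trace.append((client.peer, host, ok))
        if not ok or fell_back:       # verification failed, or fallback landed
            break
        status, location = RESPONSES[host]
        if status == "Object Moved":  # fall back: revert to the original URL
            url, fell_back = start_url, True
        else:
            url = location
    return trace
```

With `reuse_socket_on_fallback=True` the last hop verifies "vpn.ufl.edu" against a socket whose peer is the ASA host and fails, which is the mismatch Kevin observed; with it set to `False` the client reconnects and every hop verifies cleanly.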