Openconnect 5.01 no longer connects

Anton Keks anton at codeborne.com
Wed Dec 25 11:16:37 EST 2013


OK, it seems that 4.07 is getting a redirect, while 5.01 does not:

Failing output of openconnect 5.01:

POST https://213.172.3.40/
Attempting to connect to server 213.172.3.40:443
SSL negotiation with 213.172.3.40
Server certificate verify failed: signer not found

Certificate from VPN server "213.172.3.40" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 213.172.3.40
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 25 Dec 2013 16:11:18 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
GROUP: [ADMBankier|ADMCborne|ADMCborne-new|ADMNetwork|ADMOther|ADMPhones|ADMW2K|MobileMGR|WssDocs]:ADMCborne
Username:cborne
Password:
POST https://213.172.3.40/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 25 Dec 2013 16:11:33 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Login failed.
GROUP: [ADMBankier|ADMCborne|ADMCborne-new|ADMNetwork|ADMOther|ADMPhones|ADMW2K|MobileMGR|WssDocs]:



Successful output with openconnect 4.07:

Attempting to connect to 213.172.3.40:443
SSL negotiation with 213.172.3.40
Server certificate verify failed: signer not found

Certificate from VPN server "213.172.3.40" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 213.172.3.40
GET https://213.172.3.40/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 25 Dec 2013 16:05:02 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with 213.172.3.40
Server certificate verify failed: signer not found
Connected to HTTPS on 213.172.3.40
GET https://213.172.3.40/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
GROUP: [ADMBankier|ADMCborne|ADMCborne-new|ADMNetwork|ADMOther|ADMPhones|ADMW2K|MobileMGR|WssDocs]:ADMCborne
Username:cborne
Password:
POST https://213.172.3.40/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:9AA6F4978ABEAEC4EB82EDB65A87391F3171214D&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest;
path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
....


On Wed, Dec 25, 2013 at 5:58 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Wed, Dec 25, 2013 at 7:53 AM, Anton Keks <anton at codeborne.com> wrote:
>> Hello and happy holidays!
>>
>> We are sorry to inform you that we have an Anyconnect server that worked
>> perfectly with openconnect 4.07, but no longer works with openconnect
>> 5.01.
>> We discovered it after upgrade to Ubuntu 13.10. Downgrading
>> openconnect back to 4.07 solves the issue.
>>
>> By not working I mean it cannot establish the connection, but it
>> doesn't give any meaningful error messages except for "connection
>> failed" after the password has been entered.
>>
>> Which debugging info can I provide in order to trace this problem?
>
> Please post the output from running "openconnect -v <hostname>"
>
> Also you might want to try my "jni-20131224" branch from
> git://github.com/cernekee/openconnect as this fixes a number of
> outstanding bugs.



-- 
Anton
//codeborne


