XML Post not working on 5.01
Joel Johnson
mrjoel at lixil.net
Thu Jun 13 15:14:39 EDT 2013
Thanks for adding the --no-xmlpost flag in 5.01; I've been unable to use
newer versions since 4.99 added XML POST support. Now, using 5.01 I can
connect just fine again as long as I use the --no-xmlpost argument.

First, just like the token (Set-Cookie: webvpn) is stripped in log
output, I'd strongly suggest that the password value in the XML POST
content be masked out using a default string instead of including the
literal password. Also, the password is included in plaintext in the
HTML URL-encoded content, which should likewise be masked. To me, verbose
and dump traffic still shouldn't expose the password unless I really say
--show-plaintext-passwords or similar for the corner case where a
developer doesn't think the password is being read or encoded properly.

For the XML POST processing, it looks like it's not properly (fully?)
processing the --authgroup parameter to use the selected group (as long
as it's returned in the list as being available). Instead of blindly
using the tunnel-group and group-alias offered initially, it should use
what is specified. I'm not familiar with the details and differences
between the <group-select> and <tunnel-group>, but this looks quite
suspicious.

Another interesting note is that the HTML version includes a
value="name" with a friendly name for the option content, but the XML
offering doesn't seem to include that, e.g. SecureGroupC appears in the
HTML version but not at all in the XML one. In the HTML response, the
content references the friendly name (SecureGroupC) instead of the name
contained within the element body (GROUPC_VPN).

Listed inline below are (heavily edited) traces of connection attempts
with and without the argument.

Thanks for all your work to create and maintain openconnect!

Joel
****************
*** XML Post ***
****************
$ sudo openconnect vpn.example.org --verbose --dump-http-traffic --authgroup GROUPC_VPN -u username at example.org
POST https://vpn.example.org/
Attempting to connect to server 192.168.100.254:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> POST / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 208
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version
> who="vpn">v5.01</version><device-id>linux-64</device-id><group-access>https://vpn.example.org</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 13 Jun 2013 00:00:00 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">9.1(1)</version>
< <opaque is-for="sg">
< <tunnel-group>GROUPA</tunnel-group>
< <group-alias>GROUPA_VPN</group-alias>
< <config-hash>1234567890000</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPA_VPN</option>
< <option>GROUPB_VPN</option>
< <option>GROUPC_VPN</option>
< <option>GROUPD_VPN</option>
< </select>
< </form>
< </auth>
< </config-auth>
XML POST enabled
Please enter your username and password.
Password:
POST https://vpn.example.org/
> POST / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 430
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version
> who="vpn">v5.01</version><device-id>linux-64</device-id><opaque
> is-for="sg">
> <tunnel-group>GROUPA</tunnel-group>
> <group-alias>GROUPA_VPN</group-alias>
> <config-hash>1234567890000</config-hash>
> </opaque><auth><username>username at example.org</username><password>PaSsWoRd</password></auth><group-select>GROUPC_VPN</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 13 Jun 2013 00:00:00 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">9.1(1)</version>
< <opaque is-for="sg">
< <tunnel-group>GROUPA</tunnel-group>
< <group-alias>GROUPA_VPN</group-alias>
< <config-hash>1234567890000</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <error id="15" param1="" param2="">Login failed.</error>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPA_VPN</option>
< <option>GROUPB_VPN</option>
< <option>GROUPC_VPN</option>
< <option>GROUPD_VPN</option>
< </select>
< </form>
< </auth>
< </config-auth>
Login failed.
*******************
*** No XML Post ***
*******************
$ sudo openconnect vpn.example.org --verbose --dump-http-traffic --no-xmlpost --authgroup GROUPC_VPN -u username at example.org
GET https://vpn.example.org/
Attempting to connect to server 192.168.100.254:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> GET / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 13 Jun 2013 00:00:00 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://vpn.example.org/+webvpn+/index.html
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> GET /+webvpn+/index.html HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
>
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="GROUPA" noaaa="0" >GROUPA_VPN</option><option value="GROUPB_VPN" noaaa="0" >GROUPB_VPN</option><option value="SecureGroupC" noaaa="0" >GROUPC_VPN</option><option value="GROUPD_VPN" noaaa="0" >GROUPD_VPN</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Password:
POST https://vpn.example.org/+webvpn+/index.html
> POST /+webvpn+/index.html HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> Cookie: webvpnlogin=1
> X-Transcend-Version: 1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 89
>
> group%5flist=SecureGroupC&username=username%40example%2Eorg&password=PaSsWoRd
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=<**redacted**>
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="success">
< <title>SSL VPN Service</title>
< <message>Success</message>
< <success/>
< </auth>
<
TCP_INFO rcv mss 1370, snd mss 1370, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
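A line filter for the masking suggested in the post, written here as an added example (not openconnect's own code): it redacts the password in the XML auth-reply body and in the URL-encoded form body, plus the webvpn session cookie value, while leaving the username and group visible so the trace stays useful for debugging. The function names and the sample lines are constructed, modelled on the traces above.

```c
#include <stdio.h>
#include <string.h>
#define MASK "********"
/* Mask the value following `key` in `line` up to the first `stop` char
   (or end of line) into `out`. Returns 1 if masked, 0 if key absent. */
static int mask_after(const char *line, const char *key, char stop,
                      char *out, size_t outlen)
{
    const char *p = strstr(line, key), *end;
    if (!p)
        return 0;
    p += strlen(key);
    end = strchr(p, stop);
    if (!end)
        end = p + strlen(p);
    snprintf(out, outlen, "%.*s%s%s", (int)(p - line), line, MASK, end);
    return 1;
}

/* Redact one line of --dump-http-traffic output: the XML POST body
   (<password>...</password>), the urlencoded form body (password=...)
   and the webvpn session cookie. Returns 1 if masked, 0 if copied as-is. */
int redact_dump_line(const char *line, char *out, size_t outlen)
{
    if (mask_after(line, "<password>", '<', out, outlen) ||
        mask_after(line, "password=", '&', out, outlen) ||
        mask_after(line, "Set-Cookie: webvpn=", ';', out, outlen))
        return 1;
    snprintf(out, outlen, "%s", line);
    return 0;
}

/* Convenience wrapper returning the redacted line in a static buffer. */
const char *redact(const char *line)
{
    static char buf[512];
    redact_dump_line(line, buf, sizeof buf);
    return buf;
}
int main(void)
{
    /* Constructed sample lines modelled on the trace in the post. */
    const char *samples[] = {
        "> <auth><username>user</username><password>PaSsWoRd</password></auth>",
        "> group%5flist=SecureGroupC&username=user%40example%2Eorg&password=PaSsWoRd",
        "Set-Cookie: webvpn=0123456789abcdef; path=/; secure",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        puts(redact(samples[i]));
    return 0;
}
```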
More information about the openconnect-devel mailing list