[PATCH ocserv 0/4] Clean up ANYCONNECT_CLIENT_COMPAT virtual files
Kevin Cernekee
cernekee at gmail.com
Wed Jan 1 04:08:15 EST 2014
Some background info:
On a Cisco ASA, the contents of the installed AnyConnect web deploy
packages are accessed through https://ASA/CACHE/stc/{1,2,3,...}. So if
the gateway has 4 web deploy packages installed, it looks like this:
    ciscoasa# show run webvpn
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
     anyconnect image disk0:/anyconnect-linux-64-3.1.04066-k9.pkg 4
     anyconnect enable
     tunnel-group-list enable
These packages are used to feed the Java installer contraption if the
user navigates to https://ASA/ in a web browser. The ASA's web server
uses the regex line from headinfo.txt in *.pkg to try to determine which
package matches the client's OS, based on the User-Agent header.
The URL => ASA pathname mappings for the ASA shown above are:
    https://ASA/CACHE/stc/1/Windows     => cache:/stc/1/Windows
    https://ASA/CACHE/stc/2/Linux       => cache:/stc/2/Linux
    https://ASA/CACHE/stc/3/Darwin_i386 => cache:/stc/3/Darwin_i386
    https://ASA/CACHE/stc/4/Linux_64    => cache:/stc/4/Linux_64
Each *.pkg file is just a zip archive. The 0-byte Windows/Linux_64/...
files are at the top level of the archive, each of which gets unpacked
into cache:/stc/<ID>/ inside the ASA. After authenticating and receiving
a webvpn cookie, the AnyConnect client application probes for the
presence of these files to try to find the matching package for its OS:
    GET /CACHE/stc/1/index.html
        (if it exists, the gateway has package #1 installed, otherwise give up)
    GET /CACHE/stc/1/Linux_64
        (if it doesn't exist, assume #1 is for another OS and check package #2)
    GET /CACHE/stc/2/index.html
        (exists, good)
    GET /CACHE/stc/2/Linux_64
        (assuming this succeeds, then...)
    GET /CACHE/stc/2/binaries/update.txt
        (compare version numbers to see if an update is needed)
The https://ASA/CACHE/stc/* links are only accessible after
authenticating, either through a browser or through a VPN client. In
XML POST mode the gateway will explicitly specify the base:
    <base-package-uri>/CACHE/stc/2</base-package-uri>
If this node is unavailable, as is the case on ocserv, part of the path
is extracted from the webvpnc cookie (bu:/CACHE/stc) and the client tries
each number sequentially until it finds the correct package or gets a
404 on index.html.
ocserv omits the /CACHE/stc prefix; so far this seems harmless.
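The probe sequence above, written out as an added model (not code from ocserv or from the AnyConnect client): the "gateway" is a constructed set of paths that would answer 200 on the four-package ASA shown earlier, `base_uri` stands in for the XML `<base-package-uri>` node, and `cookie_bu` for the `bu:` field of the webvpnc cookie (an empty `cookie_bu` reproduces the ocserv case without the /CACHE/stc prefix). The returned request list is the GET pattern a gateway operator would expect to see in access logs for one client.

```python
# Constructed model of the AnyConnect package-probe sequence; not code from
# ocserv or the AnyConnect client. GATEWAY_PATHS is the set of paths that
# would return 200 on the four-package ASA from the cover letter.
GATEWAY_PATHS = {
    "/CACHE/stc/1/index.html", "/CACHE/stc/1/Windows",
    "/CACHE/stc/2/index.html", "/CACHE/stc/2/Linux",
    "/CACHE/stc/3/index.html", "/CACHE/stc/3/Darwin_i386",
    "/CACHE/stc/4/index.html", "/CACHE/stc/4/Linux_64",
    "/CACHE/stc/4/binaries/update.txt",
}


def find_package(os_name, gateway=GATEWAY_PATHS, base_uri=None,
                 cookie_bu="/CACHE/stc", max_ids=16):
    """Return (base path of the matching package or None, GET paths issued).

    os_name is the 0-byte marker file name (Windows, Linux, Linux_64, ...).
    base_uri models <base-package-uri> from the XML POST reply; when it is
    absent, cookie_bu models the bu: field of the webvpnc cookie and the
    client walks <bu>/1, <bu>/2, ... until index.html returns 404.
    """
    requests = []

    def get(path):                       # stand-in for an authenticated GET
        requests.append(path)
        return path in gateway           # True = 200, False = 404

    if base_uri is not None:
        candidates = [base_uri]          # gateway told us the base directly
    else:
        candidates = [f"{cookie_bu}/{i}" for i in range(1, max_ids + 1)]

    for base in candidates:
        # index.html missing means there is no package with this id: give up
        if base_uri is None and not get(f"{base}/index.html"):
            return None, requests
        if get(f"{base}/{os_name}"):
            # matching package found; the client then fetches update.txt
            # and compares version numbers (file format not modelled here)
            get(f"{base}/binaries/update.txt")
            return base, requests
        # marker missing: this package is for another OS, try the next id
    return None, requests
```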
Kevin Cernekee (4):
  README: Update dependencies
  Fix auto-update regression on AnyConnect clients
  Add support for Mac AnyConnect client
  Remove unnecessary AnyConnect /2/* files

 README              |  6 +++---
 src/worker-extras.c |  2 +-
 src/worker-vpn.c    | 10 ++--------
 3 files changed, 6 insertions(+), 12 deletions(-)
--
1.8.2.1