Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Thomas Glanzmann thomas at glanzmann.de
Sat Jan 11 17:48:11 EST 2014


Hello Nikos,

> There is something fishy at this point. Could you try the current
> version from repository? It wouldn't fix the issue but at least it has
> some debugging to trace the issue down (use only -d for debugging).

(infra) [~/work/ocserv] /local/ocserv-bisect/sbin/ocserv -f -d -c /local/ocserv/etc/config
listening (TCP) on 78.47.70.72:443...
listening (UDP) on 78.47.70.72:443...
ocserv[17714]: sec-mod initialized (socket: /var/run/ocserv-socket.17713)
ocserv[17713]: [main] initialized ocserv 0.3.0pre0
ocserv[17715]: 212.114.206.182:49292 accepted connection
ocserv[17714]: sec-mod received request from pid 17715 and uid 65534
ocserv[17715]: 212.114.206.182:49292 sending message 6 to main
ocserv[17715]: 212.114.206.182:49292 TLS handshake completed
ocserv[17713]: 212.114.206.182:49292 main received message 6 of 278 bytes
ocserv[17715]: 212.114.206.182:49292 read_user_pass:467: cannot find username in client XML message
ocserv[17715]: 212.114.206.182:49292 post_auth_handler:588: failed reading username
ocserv[17713]: 212.114.206.182:49292 handle_commands:378: command socket closed
ocserv[17716]: 212.114.206.182:49293 accepted connection
ocserv[17716]: 212.114.206.182:49293 sending resumption request (fetch)
ocserv[17716]: 212.114.206.182:49293 sending message 8 to main
ocserv[17713]: 212.114.206.182:49293 main received message 8 of 34 bytes
ocserv[17713]: 212.114.206.182:49293 sending message 9 to worker
ocserv[17716]: 212.114.206.182:49293 TLS handshake completed
ocserv[17716]: 212.114.206.182:49293 sending message 1 to main
ocserv[17713]: 212.114.206.182:49293 main received message 1 of 16 bytes
ocserv[17713]: 212.114.206.182:49293 auth init for user 'sithglan' from '212.114.206.182:49293'
ocserv[17713]: 212.114.206.182:49293 sending message 2 to worker
ocserv[17716]: 212.114.206.182:49293 received auth reply message 2
ocserv[17716]: 212.114.206.182:49293 continuing authentication for ''
ocserv[17713]: 212.114.206.182:49293 handle_commands:378: command socket closed
ocserv[17713]: 212.114.206.182:49293 auth deinit for user 'sithglan'
ocserv[17718]: 212.114.206.182:49294 accepted connection
ocserv[17718]: 212.114.206.182:49294 sending resumption request (fetch)
ocserv[17718]: 212.114.206.182:49294 sending message 8 to main
ocserv[17713]: 212.114.206.182:49294 main received message 8 of 34 bytes
ocserv[17713]: 212.114.206.182:49294 sending message 9 to worker
ocserv[17718]: 212.114.206.182:49294 TLS handshake completed
ocserv[17718]: 212.114.206.182:49294 read_user_pass:515: cannot find username in client message
ocserv[17718]: 212.114.206.182:49294 post_auth_handler:588: failed reading username
ocserv[17713]: 212.114.206.182:49294 handle_commands:378: command socket closed

> The format you see on the wire is from an older version of the
> anyconnect protocol. Either your client is old, or it has detected the
> server as old and uses the old format. Nevertheless, that shouldn't
> cause any issue.

We sniffed a Cisco IOS router and noticed that when we modify the
initial webpage to the following:

(infra) [~/work/ocserv] git diff src/worker-auth.c
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 8ed7218..9b6ff8d 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -54,6 +54,7 @@ static const char login_msg_user[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
         "<message>Please enter your username</message>\n"
         "<form method=\"post\" action=\"/auth\">\n"
         "<input type=\"text\" name=\"username\" label=\"Username:\" />\n"
+         "<input type=\"password\" label=\"PASSWORD:\" name=\"password\" />"
         "</form></auth>\n";

 static const char login_msg_no_user[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
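Review bot: the added password `<input>` line at the end of `login_msg_user` omits the trailing `\n` that every other line of the literal carries, so the password element is concatenated directly onto `</form></auth>` with no line break; append `\n` as the username input line above does. While here, order the attributes as `name=` then `label=` to match the username input. Also note, from the debug output earlier in this same message, that the failure is reported inside `read_user_pass` while parsing the client's reply ("cannot find username in client XML message"), so changing which fields the form asks for does not by itself change which fields that parser expects to find.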

We're prompted for username and password initially. It still fails, but we try
to modify the code to fix it.

Cheers,
        Thomas
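The debug output quoted above, triaged per client connection, as an added example for this thread (not part of Thomas's message or of ocserv): it groups the lines by `ip:port`, records whether each connection completed the TLS handshake, which username `main` announced, and whether the worker failed to extract a username from the client's reply. The sample log is a constructed subset of the lines above, and the only assumption is the visible line shape `ocserv[<pid>]: <ip>:<port> <message>`.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the debug lines quoted in the message above.
SAMPLE_LOG = """\
ocserv[17714]: sec-mod initialized (socket: /var/run/ocserv-socket.17713)
ocserv[17713]: [main] initialized ocserv 0.3.0pre0
ocserv[17715]: 212.114.206.182:49292 accepted connection
ocserv[17715]: 212.114.206.182:49292 TLS handshake completed
ocserv[17715]: 212.114.206.182:49292 read_user_pass:467: cannot find username in client XML message
ocserv[17715]: 212.114.206.182:49292 post_auth_handler:588: failed reading username
ocserv[17713]: 212.114.206.182:49292 handle_commands:378: command socket closed
ocserv[17716]: 212.114.206.182:49293 accepted connection
ocserv[17716]: 212.114.206.182:49293 TLS handshake completed
ocserv[17713]: 212.114.206.182:49293 auth init for user 'sithglan' from '212.114.206.182:49293'
ocserv[17716]: 212.114.206.182:49293 continuing authentication for ''
ocserv[17713]: 212.114.206.182:49293 handle_commands:378: command socket closed
ocserv[17713]: 212.114.206.182:49293 auth deinit for user 'sithglan'
ocserv[17718]: 212.114.206.182:49294 accepted connection
ocserv[17718]: 212.114.206.182:49294 TLS handshake completed
ocserv[17718]: 212.114.206.182:49294 read_user_pass:515: cannot find username in client message
ocserv[17718]: 212.114.206.182:49294 post_auth_handler:588: failed reading username
ocserv[17713]: 212.114.206.182:49294 handle_commands:378: command socket closed
"""

# Assumed line shape (taken from the output above): "ocserv[<pid>]: <ip>:<port> <message>".
LINE_RE = re.compile(
    r"^ocserv\[(?P<pid>\d+)\]: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
USER_RE = re.compile(r"auth init for user '(?P<user>[^']*)'")


def group_by_peer(log_text):
    """Bucket messages by client ip:port, preserving the order they were logged.
    Lines without a peer (startup messages) are skipped."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.setdefault(m.group("peer"), []).append(m.group("msg"))
    return conns


def summarize(conns):
    """Per connection: TLS outcome, the username main announced (if any), whether the
    worker could extract a username from the client's reply, and whether the
    command socket was closed."""
    summary = {}
    for peer, msgs in conns.items():
        user = None
        for msg in msgs:
            um = USER_RE.search(msg)
            if um:
                user = um.group("user")
        summary[peer] = {
            "tls_completed": any("TLS handshake completed" in m for m in msgs),
            "announced_user": user,
            "username_missing": any("cannot find username" in m for m in msgs),
            "closed": any("command socket closed" in m for m in msgs),
        }
    return summary


def post_tls_auth_failures(summary):
    """Connections that finished the TLS handshake but never yielded a usable username.
    A run of these from one client, with no TLS errors, points at a client/server
    protocol-format mismatch rather than at certificates or the network."""
    return [
        peer
        for peer, s in summary.items()
        if s["tls_completed"] and s["closed"]
        and (s["username_missing"] or s["announced_user"] is None)
    ]


if __name__ == "__main__":
    report = summarize(group_by_peer(SAMPLE_LOG))
    for peer, s in report.items():
        print(peer, s)
    print("post-TLS auth failures:", post_tls_auth_failures(report))
```

On the sample, connections 49292 and 49294 are flagged (TLS completed, then `read_user_pass` could not find a username), while 49293 is not, because `main` did announce the user `sithglan` before the socket closed.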
