Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 11 18:00:33 EST 2014


On 01/11/2014 11:48 PM, Thomas Glanzmann wrote:
> Hello Nikos,
> 
>> There is something fishy at this point. Could you try the current
>> version from repository? It wouldn't fix the issue but at least it has
>> some debugging to trace the issue down (use only -d for debugging).
> 
> (infra) [~/work/ocserv] /local/ocserv-bisect/sbin/ocserv -f -d -c /local/ocserv/etc/config
> listening (TCP) on 78.47.70.72:443...
> listening (UDP) on 78.47.70.72:443...
> ocserv[17714]: sec-mod initialized (socket: /var/run/ocserv-socket.17713)
> ocserv[17713]: [main] initialized ocserv 0.3.0pre0
> ocserv[17715]: 212.114.206.182:49292 accepted connection
> ocserv[17714]: sec-mod received request from pid 17715 and uid 65534
> ocserv[17715]: 212.114.206.182:49292 sending message 6 to main
> ocserv[17715]: 212.114.206.182:49292 TLS handshake completed
> ocserv[17713]: 212.114.206.182:49292 main received message 6 of 278 bytes
> ocserv[17715]: 212.114.206.182:49292 read_user_pass:467: cannot find username in client XML message
> ocserv[17715]: 212.114.206.182:49292 post_auth_handler:588: failed reading username

Ok, it seems the issue is here. read_user_pass() tries to parse the
username as XML although it is not (according to the previous log). I
wonder why memmem(body, body_length, "<?xml", 5) succeeds. Could you check
what the POST body is when http-debug is specified?

>> The format you see on the wire is from an older version of the
>> anyconnect protocol. Either your client is old, or it has detected the
>> server as old and uses the old format. Nevertheless, that shouldn't
>> cause any issue.
> We sniffed a Cisco IOS router and noticed that when we modify the
> initial webpage to the following:
> (infra) [~/work/ocserv] git diff src/worker-auth.c
> diff --git a/src/worker-auth.c b/src/worker-auth.c
> index 8ed7218..9b6ff8d 100644
> --- a/src/worker-auth.c
> +++ b/src/worker-auth.c
> @@ -54,6 +54,7 @@ static const char login_msg_user[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
>          "<message>Please enter your username</message>\n"
>          "<form method=\"post\" action=\"/auth\">\n"
>          "<input type=\"text\" name=\"username\" label=\"Username:\" />\n"
> +         "<input type=\"password\" label=\"PASSWORD:\" name=\"password\" />"
>          "</form></auth>\n";
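Review bot: the added `<input type=\"password\" ...>` literal is the only line of this form without a trailing `\n`, so the generated XML runs the password input and `</form></auth>` together on one line; append `\n` to match the neighbouring string fragments. The label `\"PASSWORD:\"` also differs in case from the `\"Username:\"` label on the line above; `\"Password:\"` keeps the two consistent.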

Not reading the password initially is intentional in ocserv to follow
PAM's requirements, and allow printing the PAM message when reading a
password. This shouldn't affect you though.

regards,
Nikos
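An added illustration of the body-sniffing question raised in the reply above (my own C, not ocserv's code; `sniff_anywhere`, `sniff_prefix`, `extract_username` and the sample bodies are hypothetical names and constructed inputs, and `find_bytes` is a portable stand-in for `memmem()`). It shows why classifying a POST body as XML whenever `<?xml` occurs anywhere in it can route a perfectly good form-encoded body to the XML parser, which then fails with "cannot find username", and contrasts that with checking only the body's prefix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helpers only: not ocserv's read_user_pass(), and no claim
 * about how ocserv itself classifies or parses the body. */

enum body_kind { BODY_FORM = 0, BODY_XML = 1 };

/* Portable stand-in for memmem(): first occurrence of needle in hay. */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Sniffing in the spirit of the memmem() call quoted in the thread:
 * the body counts as XML if "<?xml" occurs *anywhere* in it. */
enum body_kind sniff_anywhere(const char *body, size_t len)
{
    return find_bytes(body, len, "<?xml", 5) ? BODY_XML : BODY_FORM;
}

/* Stricter variant: XML only if the body *starts* with "<?xml"
 * after optional leading whitespace. */
enum body_kind sniff_prefix(const char *body, size_t len)
{
    size_t i = 0;
    while (i < len && isspace((unsigned char)body[i]))
        i++;
    return (len - i >= 5 && memcmp(body + i, "<?xml", 5) == 0) ? BODY_XML : BODY_FORM;
}

/* Fetch `key` from an application/x-www-form-urlencoded body (no percent
 * decoding, to keep this short). Returns 1 and fills `out`, or 0 if absent. */
static int form_get(const char *body, size_t len, const char *key,
                    char *out, size_t outsz)
{
    size_t klen = strlen(key), i = 0;
    while (i < len) {
        size_t end = i;                       /* field runs up to '&' or end */
        while (end < len && body[end] != '&')
            end++;
        if (end - i > klen && memcmp(body + i, key, klen) == 0 &&
            body[i + klen] == '=') {
            size_t vlen = end - (i + klen + 1);
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, body + i + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        i = end + 1;
    }
    return 0;
}

/* Text of the first <username>...</username> element (plain substring
 * search, sufficient for the demonstration). */
static int xml_get_username(const char *body, size_t len, char *out, size_t outsz)
{
    const char *open = find_bytes(body, len, "<username>", 10);
    if (open == NULL) return 0;
    const char *start = open + 10;
    const char *close = find_bytes(start, len - (size_t)(start - body), "</username>", 11);
    if (close == NULL) return 0;
    size_t vlen = (size_t)(close - start);
    if (vlen >= outsz) vlen = outsz - 1;
    memcpy(out, start, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Classify with the given sniffer, then parse with the matching parser.
 * Returning 0 here is the "cannot find username" outcome from the log. */
int extract_username(const char *body, size_t len,
                     enum body_kind (*sniff)(const char *, size_t),
                     char *out, size_t outsz)
{
    if (sniff(body, len) == BODY_XML)
        return xml_get_username(body, len, out, outsz);
    return form_get(body, len, "username", out, outsz);
}

/* 1 if `body`, classified by `sniff`, yields exactly `expected`. */
int username_is(const char *body, enum body_kind (*sniff)(const char *, size_t),
                const char *expected)
{
    char buf[64];
    if (!extract_username(body, strlen(body), sniff, buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Constructed sample bodies, not captured traffic. */
static const char FORM_PLAIN[]  = "username=alice&group=staff";
static const char FORM_TRICKY[] = "username=alice&comment=<?xml";
static const char XML_BODY[]    =
    "<?xml version=\"1.0\"?><auth><username>alice</username></auth>";

int main(void)
{
    printf("plain form,  anywhere: %d\n", username_is(FORM_PLAIN,  sniff_anywhere, "alice"));
    printf("tricky form, anywhere: %d  (misrouted to the XML parser)\n",
           username_is(FORM_TRICKY, sniff_anywhere, "alice"));
    printf("tricky form, prefix:   %d\n", username_is(FORM_TRICKY, sniff_prefix, "alice"));
    printf("xml body,    prefix:   %d\n", username_is(XML_BODY,    sniff_prefix, "alice"));
    return 0;
}
```

The practical takeaway for anyone debugging the case in this thread is to log the raw body (as the reply suggests with http-debug) and check whether the `<?xml` marker is at the start of the body or merely somewhere inside it; a prefix check, or honouring the request's Content-Type, avoids classifying by an incidental substring.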
