Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

David Woodhouse dwmw2 at infradead.org
Sun Jan 12 07:41:27 EST 2014


> Indeed that was the issue and it seems it is now fixed by having
> ocserv use a compact authentication method (ask both username
> and password in one go) if the client does auth using the
> "Connection: Close" HTTP headers. That would work only if a single
> password is required from PAM, but I guess that's a reasonable
> trade-off.

Hm, but that isn't a sufficient indicator that the client will *actually*
reuse the same connection. The connection might close anyway, if there is
a crap proxy or NAT timeout while the user is entering their response etc.

I think you have to be prepared to be stateless every time, keeping a pool
of active PAM sessions and a cookie to match client to session, and a
timeout/expiry for them.

-- 
dwmw2
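The design suggested in the reply above (a pool of pending authentication sessions, a cookie to match a client to its session, and an expiry) can be sketched as follows. This is an added example, not code from ocserv or from the thread; all names, the 120-second timeout and the single-use cookie policy are assumptions, and `pam_state` stands in for a suspended PAM conversation.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define POOL_SIZE    64
#define COOKIE_LEN   16
#define AUTH_TIMEOUT 120            /* seconds; constructed value */

static struct auth_session {
    unsigned char cookie[COOKIE_LEN];
    time_t expires;                 /* <= now means the slot is free */
    void *pam_state;                /* stand-in for a suspended PAM conversation */
} pool[POOL_SIZE];

/* Constant-time compare: lookup time must not reveal how many bytes matched. */
static int cookie_eq(const unsigned char *a, const unsigned char *b) {
    unsigned char d = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* First request: park the PAM state and hand the client a random cookie.
 * Returns 0, or -1 when the pool is full or the RNG is unavailable. */
int session_open(void *pam_state, time_t now, unsigned char *cookie_out) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(cookie_out, 1, COOKIE_LEN, f) : 0;
    if (f) fclose(f);
    for (int i = 0; n == COOKIE_LEN && i < POOL_SIZE; i++) {
        if (pool[i].expires > now) continue;    /* live; expired slots get reused */
        memcpy(pool[i].cookie, cookie_out, COOKIE_LEN);
        pool[i].pam_state = pam_state;          /* real code frees the old handle first */
        pool[i].expires = now + AUTH_TIMEOUT;
        return 0;
    }
    return -1;
}

/* Later request, possibly on a new TCP connection: find the parked state.
 * The cookie is single-use; a further PAM prompt would call session_open again. */
void *session_resume(const unsigned char *cookie, time_t now) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].expires <= now || !cookie_eq(pool[i].cookie, cookie)) continue;
        void *st = pool[i].pam_state;
        memset(&pool[i], 0, sizeof pool[i]);
        return st;
    }
    return NULL;
}

int main(void) {
    unsigned char c[COOKIE_LEN]; int pam = 0; time_t t = time(NULL);
    return !(session_open(&pam, t, c) == 0 && session_resume(c, t + 5) == &pam);
}
```

Because the lookup depends only on the cookie and the clock, it behaves the same whether the client reuses its connection or reconnects after a proxy or NAT timeout.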




More information about the openconnect-devel mailing list