Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 12 08:14:55 EST 2014


On 01/12/2014 01:41 PM, David Woodhouse wrote:
>> Indeed that was the issue and it seems it is now fixed by having
>> ocserv use a compact authentication method (ask both username
>> and password in one go) if the client does auth using the
>> "Connection: Close" HTTP headers. That would work only if a single
>> password is required from PAM, but I guess that's a reasonable
>> trade-off.
> 
> Hm, but that isn't a sufficient indicator that the client will *actually*
> reuse the same connection. The connection might close anyway, if there is
> a crap proxy or NAT timeout while the user is entering their response etc.
> I think you have to be prepared to be stateless every time, keeping a pool
> of active PAM sessions and a cookie to match client to session, and a
> timeout/expiry for them.

That would be tricky, since ocserv is based on each client having a
separate process. Being totally stateless would require adding logic
for clients to "steal" the state of another process. I want to keep
all clients isolated to keep a simple security model, so I'll try to
avoid it if possible.

regards,
Nikos
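The "pool of active PAM sessions plus a cookie and an expiry" design David describes above, as an added C sketch that is not ocserv's code: the cookie is supplied by the caller (assumed to come from a CSPRNG), the PAM handle is a placeholder integer, and expiry is enforced on every create and lookup so a reconnecting client is matched only while its half-finished login is still within the idle timeout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

#define POOL_SIZE   8
#define COOKIE_LEN  16
#define SESSION_TTL 120   /* seconds a half-finished login may stay idle */

struct auth_session {
    int     in_use;
    uint8_t cookie[COOKIE_LEN];   /* assumption: filled from a CSPRNG by the caller */
    time_t  expires;
    int     pam_handle;           /* placeholder for a real pam_handle_t * */
};

static struct auth_session pool[POOL_SIZE];

/* Constant-time compare so lookup timing does not leak cookie bytes. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Drop every session whose idle timeout has passed (the "timeout/expiry"). */
static void expire_sessions(time_t now) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && now >= pool[i].expires)
            memset(&pool[i], 0, sizeof pool[i]);   /* real code: pam_end() here */
}

/* Register a pending PAM conversation under a cookie; slot index or -1 if full. */
int session_create(const uint8_t *cookie, int pam_handle, time_t now) {
    expire_sessions(now);
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        memcpy(pool[i].cookie, cookie, COOKIE_LEN);
        pool[i].pam_handle = pam_handle;
        pool[i].expires = now + SESSION_TTL;
        return i;
    }
    return -1;
}

/* Match a reconnecting client's cookie to its session, or NULL; a hit refreshes the timeout. */
struct auth_session *session_lookup(const uint8_t *cookie, time_t now) {
    expire_sessions(now);
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].in_use && ct_equal(pool[i].cookie, cookie, COOKIE_LEN)) {
            pool[i].expires = now + SESSION_TTL;
            return &pool[i];
        }
    return NULL;
}
```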
