Openconnect proxy Keep-Alive

David Woodhouse dwmw2 at infradead.org
Mon Sep 8 05:50:25 PDT 2014


On Mon, 2014-09-08 at 15:43 +0400, Alexander Rumyantsev wrote:
> 
> I ran into a situation, when my proxy sends "Connection: close" while
> trying to authenticate in spite of openconnect’s "Connection:
> keep-alive" request.
> Openconnect first receives HTTP 407 Authentication Required for
> parsing available auth methods, then tries to send request with
> Proxy-Authorization header within closing connection and we get "Error
> fetching HTTPS response".
> 
> Openconnect has either to send "Proxy-Authorization" immediately, or
> to handle "Connection: close"

Hopefully the latter is fixed already by
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/091cd79d

There is possibly still merit in exploring the option of sending
Proxy-Authentication immediately, to reduce the latency of OpenConnect
(re)opening connections.

I'd like to see it be a little less of a hack though. Let's start with
making it work for the second and subsequent connections, having
'learned' the authentication options the first time — and *then* let's
look at "jump-starting" it from the command line.

If we've made a successful authentication by a given method then we
ought to go straight to using that method on the next connection
attempt. And even if it's Digest, we should be looking for a
Proxy-Authenticate-Info: which will tell us the *next* nonce so we can
even do authentication straight away for Digest auth.

-- 
dwmw2
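
The client-side handling discussed in this thread, sketched as an added example (not OpenConnect's code and not part of the original message): honour "Connection: close" on a 407 by retrying on a new connection, remember the method that succeeded, and keep a Digest `nextnonce` for the next connection. The names, the Digest/Basic-only scope, the preference order and the sample replies are assumptions; the header is parsed under its RFC 7615 name, `Proxy-Authentication-Info`.

```python
import re

# Constructed sample replies to a CONNECT request (not captured traffic).
REPLY_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Digest realm="proxy", nonce="n1", qop="auth"\r\n'
             b'Proxy-Authenticate: Basic realm="proxy"\r\n'
             b"Connection: close\r\n\r\n")
REPLY_200 = (b"HTTP/1.1 200 Connection established\r\n"
             b'Proxy-Authentication-Info: nextnonce="n2"\r\n\r\n')

def parse_head(raw):
    """Return (status, [(lowercased name, value), ...]) for a raw response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (l.partition(":") for l in lines[1:])]
    return int(lines[0].split()[1]), headers

def must_reconnect(headers):
    """True if the proxy announced that it is closing this connection."""
    return any(tok.strip().lower() == "close"
               for n, v in headers if n in ("connection", "proxy-connection")
               for tok in v.split(","))

class ProxyAuthState:
    PREFERENCE = ("digest", "basic")  # assumed order; only these two are modelled

    def __init__(self):
        self.method = None      # scheme that last succeeded
        self.next_nonce = None  # Digest nonce announced for the next request

    def on_response(self, raw, tried=None):
        status, headers = parse_head(raw)
        if status == 407:
            offered = {v.split(None, 1)[0].lower()
                       for n, v in headers if n == "proxy-authenticate" and v}
            pick = next((m for m in self.PREFERENCE if m in offered), None)
            # Retry on a fresh socket when the proxy is closing this one.
            return ("retry", pick, must_reconnect(headers))
        if 200 <= status < 300 and tried:
            self.method = tried
            info = " ".join(v for n, v in headers if n == "proxy-authentication-info")
            m = re.search(r'nextnonce="([^"]*)"', info)
            self.next_nonce = m.group(1) if m else None
        return ("proceed", None, False)

    def preemptive(self):
        """Credentials to send on the first request of a new connection, if any."""
        if self.method == "digest":
            return ("digest", self.next_nonce) if self.next_nonce else None
        return (self.method, None) if self.method else None
```
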


More information about the openconnect-devel mailing list