Supporting Juniper and other types of SSL VPN

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 3 15:01:37 PST 2015


On Thu, 2015-01-01 at 10:29 +0000, David Woodhouse wrote:
> A few people have been asking about supporting Juniper SSL VPN in
> OpenConnect, and there are others like Vyatta which might also be
> relevant.
> 
> I was originally a bit reluctant to support other VPNs in OpenConnect —
> applying the Unix philosophy of "do one thing, and do it well."
> However, I've mostly changed my mind. The Cisco protocol-specific parts
> of OpenConnect are probably only about 10% of it now, surrounded by all
> the rest of the infrastructure you need to make a viable VPN client on
> all platforms under the sun — tun device handling, HTTP and SOCKS proxy
> support with NTLM/Kerberos/Digest/Basic authentication and libproxy for
> discovery, certificate handling with PKCS#11 and TPM support, OTP
> support for software and hardware tokens, etc.

I'm not sure I like that. What is Juniper SSL VPN? Is it a protocol
worth implementing, or is it yet another unstudied protocol which may be
insecure? As it is now, OpenConnect is both a protocol and a program. Both
are known to be reasonably secure. I wouldn't like OpenConnect at some
point to transparently negotiate PPTP for me.

That said, I'd like the current OpenConnect protocol to be better, and
standardized, and it is one of my goals this year to write a draft
description of the protocol, possibly enhancing it as well by
eliminating the hacks from it, like the OpenSSL string negotiation and
the explicitly transferred DTLS key.

regards,
Nikos