Possible bug in ocserv-worker http header parsing

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sat Jan 7 06:46:44 PST 2017


Please report it against EPEL and http-parser. It may be related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1374081

On Fri, Jan 6, 2017 at 9:19 PM, Konstantin M. Khankin
<khankin.konstantin at gmail.com> wrote:
> Hi!
>
> I've just installed and configured ocserv on my CentOS box:
> ocserv-0.11.6-1.el7.x86_64
> http-parser-2.7.1-3.el7.x86_64
>
> I'm using openconnect client from ubuntu:
> OpenConnect version v5.02
> Using GnuTLS. Features present: PKCS#11, TOTP software token, DTLS
> (using OpenSSL)
>
> Trying to establish connection:
> $ openconnect -vvv <HOST> --cafile=<FILE> --no-xmlpost
> GET https://<HOST>/
> Attempting to connect to server <ADDRESS>
> SSL negotiation with <HOST>
> Connected to HTTPS on <HOST>
> Failed to read from SSL socket: A TLS packet with unexpected length
> was received.
> Error fetching HTTPS response
> Failed to obtain WebVPN cookie
>
> I checked with Wireshark that the TLS handshake happens correctly and ran
> ocserv in the foreground with debugging. I saw the following:
> ocserv[6554]: TLS[<5>]: REC[0x7f98e90d7df0]: Received Packet
> Application Data(23) with length: 176
> ocserv[6554]: TLS[<5>]: REC[0x7f98e90d7df0]: Decrypted Packet[1]
> Application Data(23) with length: 147
> ocserv[6554]: worker: <CLIENT IP> HTTP processing: : Host
> ocserv[6554]: worker: <CLIENT IP> HTTP processing: : HostUser-Agent
> ocserv[6554]: worker: <CLIENT IP> HTTP processing: : HostUser-AgentAccept
> ocserv[6554]: worker: <CLIENT IP> HTTP processing: :
> HostUser-AgentAcceptAccept-Encoding
> ocserv[6554]: worker: <CLIENT IP> HTTP processing: :
> HostUser-AgentAcceptAccept-EncodingX-Transcend-Version
> ocserv[6550]: main: <CLIENT IP> worker terminated
> ocserv[6550]: main: <CLIENT IP> user disconnected (reason:
> unspecified, rx: 0, tx: 0)
>
> ocserv-worker dies after it tries to parse the HTTP header. Given that
> header options are being concatenated in the debug output, I'm not sure if
> it's just a bug in the debug output or the options are parsed wrong.
>
> Could you please have a look?
>
> Thanks!
>
> --
> Khankin Konstantin


