SSL-only Juniper VPN that supports SSL DEFLATE compression?

[Daniel Lenski]

On Jan 13, 2017 6:16 AM, "David Woodhouse" <dwmw2 at infradead.org> wrote:
>
> On Wed, 2017-01-11 at 20:01 -0800, Daniel Lenski wrote:
> >
> > Does anyone else use a Juniper VPN that supports *SSL* DEFLATE
> > compression? Does it return the same config value? Any hint that I'm
> > on the right track would be appreciated.
>
> If it really means SSL deflate, then that's negotiated as part of the
> SSL handshake. Can you capture and show the SSL session establishment?
>
> Try adding COMP-ALL to the GnuTLS priority string for OpenConnect...
>

Hmm, that's an interesting idea. I thought I was looking for
compression at the level of the (inner) IP packets exchanged over the
oNCP tunnel, not at the (outer) TLS transport.

Adding +COMP-ALL doesn't seem to do anything, however, as confirmed by
gnutls-cli. This connects without compression:

    $ gnutls-cli -V --priority "NORMAL:+COMP-ALL" vpn.server.com

Taking the observed TLS connection settings and forcing +COMP-DEFLATE
simply results in a failed handshake:

    $ gnutls-cli -V --priority
"NONE:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA256:+COMP-DEFLATE"
b2b-portal.renesas.com

It appears that whatever the DEFLATE compression is, it isn't standard
transport level compression. Which is in keeping with what I've
learned from oncp.c …

                /*
                 * This protocol is horrid. There are encapsulations within
                 * encapsulations within encapsulations. Some of them entirely
                 * gratuitous.


-Dan