AW: OpenConnect v9.01 - "--protocol=pulse" does not work with TPM2

David Woodhouse dwmw2 at infradead.org
Wed May 4 10:38:37 PDT 2022


On Wed, 2022-05-04 at 16:54 +0000, Schütz Dominik wrote:
> unfortunately I can't send the output of "-vv --dump-http-traffic"
> because it contains company-specific information.

Fair enough, although that obviously makes it difficult to try to help.

Without even seeing the final offending EAP-TTLS (or not?) packet that
it didn't like, it's hard to even guess about what's happening.

Note that a public-facing VPN server will be receiving hundreds or more
likely thousands of *random* connection attempts per day. To reproduce
this and have a chance of helping you, I wouldn't need to get any
further than any of those random port scans do — I don't need a
username, a password, or a certificate or anything like that; just the
IP address that is receiving thousands of stray connections a day.

But OK, if you're not comfortable with that, then take a look at that
final packet and see what it is. Is it a *different* EAP type? Have
they changed to EAP-TLS or something else? Does it change if you vary
the user-agent you advertise (see the comments in the source about the
way that changes things)?

Those are rhetorical questions, of course, intended to help guide you
if you want to try to solve this on your own. I don't *actually* have
any real insight into this other than having watched the Windows client
attempt to connect through a MITM proxy, and trying to work out what
the many levels of nested binary protocols actually were.
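The message above suggests inspecting the final EAP packet to see which method the server is asking for (EAP-TTLS, EAP-TLS or something else). The following decoder is an added example, not OpenConnect code; it assumes the caller has already stripped the outer Pulse framing and passes only the EAP payload, and the sample packets are constructed for illustration.

```python
import struct

# RFC 3748 EAP codes and the method types most likely to appear in a
# Pulse/Juniper exchange (EAP-TTLS is what the thread expects).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 254: "Expanded"}
TLS_STYLE_TYPES = (13, 21, 25)


def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header and, for TLS-style methods, the flags byte.

    Raises ValueError on truncated or inconsistent input; a malformed
    packet is itself a useful finding when a server behaves unexpectedly.
    """
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (3, 4):            # Success/Failure carry no Type byte
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type = pkt[4]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type in TLS_STYLE_TYPES and length >= 6:
        # RFC 5216/5281 flags byte: L (length present), M (more fragments),
        # S (start); the low three bits are the TTLS/PEAP version.
        flags = pkt[5]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        if flags & 0x80:
            if length < 10:
                raise ValueError("L flag set but no 4-byte TLS message length")
            info["tls_message_length"] = struct.unpack("!I", pkt[6:10])[0]
    return info


# Constructed samples: an EAP-TTLS Start, an EAP-TLS Start, a fragmented
# EAP-TTLS request with the L bit set, and a bare EAP-Success.
SAMPLES = {
    "ttls_start": bytes.fromhex("012a00061520"),
    "tls_start": bytes.fromhex("012b00060d20"),
    "ttls_frag": bytes.fromhex("0110000a158000000 4d2".replace(" ", "")),
    "success": bytes.fromhex("03050004"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_eap(pkt))
```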