Compatibility with juniper ssl vpn ?

Guillaume Rousse guillomovitch at gmail.com
Tue Jan 25 12:26:10 EST 2011


On 13/01/2011 22:34, David Woodhouse wrote:
> On Wed, 2011-01-12 at 11:10 +0100, Guillaume Rousse wrote:
>>
>> Here is my client command line:
>> ~/.juniper_networks/network_connect/ncsvc \
>>   -h beria.zarb.home \
>>   -u rousse \
>>   -r smi \
>>   -f /etc/pki/tls/certs/localhost.crt
> 
> There's no -m option here. If you look in
> ~/.juniper_networks/network_connect/ .log you'll probably see a line
> like:
> 
> 20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)
> 
> It doesn't like the self-signed cert on your "server". For the above
> example log line, you want to add '-m ecb77116a55194c4dfba8e9aa0cc862e'
> to your ncsvc invocation. Obviously, yours will differ from mine.
> 
> You *may* need to use the -m option with a dummy argument just to make
> it give this log line; I'm not sure.
It works better now, thanks.

I tried the cut/paste gymnastics between s_server and s_client.

Client:
GET / HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0

Server:
HTTP/1.1 302 Found
Location: https://portail.saclay.inria.fr/dana-na/auth/url_default/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Connection: close

Client:
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0
Cookie: DSSIGNIN=url_default; DSSignInURL=/; DSIVS=

Server:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 25 Jan 2011 16:50:39 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1

<html>
[a full web page here]
</html>

Client:
ERROR
140007421920936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Beyond the reason for the error, there are two suspicious issues here:
1) is it expected to have the binary acting as a web client, requesting
user-targeted web forms? The submit action of this form triggers a
JavaScript function, and I don't think the binary has an embedded
JavaScript interpreter to work as a robot...
2) the initial client request is wrong: it should be 'GET /smi', due to
the usage of -r smi to ncsvc, not 'GET /' (the former leads to the
user-targeted service, the latter to the admin-targeted service)

My setup seems to be insufficient to correctly work as a traffic proxy.

-- 
BOFH excuse #138:

BNC (brain not connected)
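Two small helpers for what the message above shows, added here as an example and not code from the post, from ncsvc or from openconnect. The first pulls the hash pair out of the `dsssl.error` line David quotes and turns it into the `-m` argument he describes; the second replays the captured 302 and works out which of the three `Set-Cookie` values an RFC 6265 client would carry to `welcome.cgi`. The log line and the 302 response are copied from the post (header lines re-joined where the mail wrapped them); the extra log line, the function names and the cookie-handling rules are my own constructions and say nothing about how ncsvc itself selects cookies.

```python
"""Added example: parse an ncsvc .log hash mismatch into '-m <hash>', and
replay the 302 + Set-Cookie exchange captured through the s_client/s_server
relay.  Not ncsvc/openconnect code; cookie rules are plain RFC 6265."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Part 1: 'dsssl.error ive_cert_hash = ..., computed_hash = ...' -> -m argument
SAMPLE_LOG = (
    # copied verbatim from David Woodhouse's reply
    "20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = "
    "6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = "
    "ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)\n"
    # constructed filler line, to show that unrelated lines are skipped
    "20101228160000.300000 ncsvc[p21179.t21179] dsssl.info handshake done\n"
)

HASH_RE = re.compile(
    r"dsssl\.error ive_cert_hash = (?P<expected>[0-9a-f]{32}), "
    r"computed_hash = (?P<computed>[0-9a-f]{32})"
)


def cert_hash_mismatch(log_text: str) -> Optional[Tuple[str, str]]:
    """(ive_cert_hash, computed_hash) from the first mismatch line, else None."""
    for line in log_text.splitlines():
        m = HASH_RE.search(line)
        if m:
            return m.group("expected"), m.group("computed")
    return None


def ncsvc_m_arg(log_text: str) -> List[str]:
    """Extra argv the reply says to add: '-m' plus the hash ncsvc computed for
    the certificate it actually saw (here, the self-signed one on the relay)."""
    found = cert_hash_mismatch(log_text)
    return [] if found is None else ["-m", found[1]]


# Part 2: the 302 and the cookies to carry to welcome.cgi
SAMPLE_302 = (  # copied from the post, wrapped header lines re-joined
    "HTTP/1.1 302 Found\r\n"
    "Location: https://portail.saclay.inria.fr/dana-na/auth/url_default/welcome.cgi\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; "
    "expires=Thu, 31-Dec-2037 00:00:00 GMT; secure\r\n"
    "Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure\r\n"
    "Set-Cookie: DSSignInURL=/; path=/; secure\r\n"
    "Connection: close\r\n\r\n"
)


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool
    expires: Optional[datetime]


def parse_set_cookie(value: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value, then ;-separated attributes."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    flags: Dict[str, str] = {}
    for a in attrs:
        k, _, v = a.partition("=")
        flags[k.strip().lower()] = v.strip()
    expires = None
    if "expires" in flags:
        # The capture mixes Netscape '31-Dec-2037' and RFC '01 Jan 1970' dates;
        # normalising the hyphens lets one parser handle both.
        expires = parsedate_to_datetime(flags["expires"].replace("-", " "))
    return Cookie(name.strip(), val.strip(), flags.get("path", "/"),
                  "secure" in flags, expires)


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Status code and (lower-cased name, value) header pairs."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status_line.split()[1]), headers


def follow_redirect(raw_302: str, over_tls: bool = True,
                    now: Optional[datetime] = None) -> str:
    """Build the next GET, sending only cookies that apply under RFC 6265:
    not expired, path prefix matches, and 'secure' ones only over TLS."""
    now = now or datetime.now(timezone.utc)
    status, headers = parse_response(raw_302)
    if status not in (301, 302, 303, 307, 308):
        raise ValueError(f"not a redirect: {status}")
    url = urlsplit(dict(headers)["location"])
    path = url.path or "/"
    sent = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if c.expires is not None and c.expires <= now:
            continue  # DSIVS carries a 1970 expiry: that is a deletion
        if c.secure and not over_tls:
            continue  # all three cookies are flagged 'secure'
        if path.startswith(c.path):
            sent.append(f"{c.name}={c.value}")
    lines = [f"GET {path} HTTP/1.0", f"Host: {url.hostname}", "Accept: */*",
             "Accept-Language: en-us", "Connection: Keep-Alive",
             "User-Agent: DSClient; Linux", "Content-length: 0"]
    if sent:
        lines.append("Cookie: " + "; ".join(sent))
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print("ncsvc extra args:", ncsvc_m_arg(SAMPLE_LOG))
    print(follow_redirect(SAMPLE_302))
```

Run stand-alone it prints `['-m', 'ecb77116a55194c4dfba8e9aa0cc862e']` and a follow-up GET for `/dana-na/auth/url_default/welcome.cgi` carrying `DSSIGNIN=url_default; DSSignInURL=/`. Two things worth noticing against the transcript: the real client echoed `DSIVS=` back even though the server had just expired it, and every cookie is `secure`, so with `over_tls=False` the example sends no `Cookie` header at all, which is the behaviour a relay that terminates TLS on one side has to preserve.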