[PATCH 00/24] Support new client response format; other fixes
Kevin Cernekee
cernekee at gmail.com
Sat Nov 3 13:22:42 EDT 2012

Newer AnyConnect installations may have compatibility issues with
OpenConnect for several reasons:

1) The gateway may look for new HTTP headers that are currently
missing (but recent versions of the AnyConnect client do send them).

2) The gateway can be configured to check those headers for
information like the client's host OS, and deny access if it doesn't
say e.g. "Windows."

3) They expect the auth POST data to be in XML format, rather than
just a urlencoded query string. Gateway-side support for the old
urlencoded format may be buggy, restricted by policy, or missing
altogether.

4) They expect other information in the POST data (like copying an
"opaque" field from the auth request). Some of this information is
used for things like aborting the VPN connection if the server
configuration has changed since the form was first rendered.

5) CSD/Hostscan looks like it is more closely integrated with vpnui/vpn
now. The gateway no longer provides a valid URL to the trojan binary,
and it isn't clear how to run it on its own anymore. If a CSD binary
is even available on one of the new gateways, it may be outdated and
possibly nonfunctional.

This patch set also includes fixes for a buffer overflow parsing the
server's HTTP headers, CSD child process error handling, and CSD/stoken
interaction.

BTW: Some of the _() strings were modified here. What is your preferred
method for handling the "import translations from GNOME" step? Should
the *.po file updates be rolled into any patch that adds/modifies
translatable strings, or performed as a "batch" later?

Kevin Cernekee (24):
  openssl: Fix missing newline on "Failed to write" error string
  http: Split HTTP redirect and cookie clear logic into helper functions
  http: Fix overflow on HTTP request buffers
  http: Create add_common_headers() to simplify HTTP request code
  auth: Remove obsolete trace message from parse_form()
  auth: Move <auth> node parsing into a separate function
  auth: Introduce new XML helper functions for parse_auth_node()
  auth: Don't forget to free OC_FORM_OPT_STOKEN entries
  auth: Split auth form prompt logic from parsing logic
  auth: Parse the new server response format
  library: Add call to change reported OS name
  Allow setting reported OS from the command line
  auth: Add new XML POST capability
  http: Split GET/POST logic into a helper function
  http: Add new X-* HTTP headers
  http: Record the last redirection type
  csd: Don't return from run_csd_script() in the forked process
  csd: Export some useful environment variables
  http: Rewrite openconnect_obtain_cookie() loop
  Fix a couple of valgrind warnings
  stoken: Fix CSD/stoken interaction
  Document new --os option
  www: Use a more "stable" URL for the libstoken homepage
  www: Update changelog