ocserv HEAD with iOS 6.1.2 fails after successful cert auth

Jason Cooper jason at lakedaemon.net
Wed Feb 27 14:47:56 EST 2013


On Wed, Feb 27, 2013 at 08:32:19PM +0100, Nikos Mavrogiannopoulos wrote:
> On 02/27/2013 08:04 PM, Jason Cooper wrote:
> 
> > Nikos,
> > 
> > I'm attempting to get the Cisco AnyConnect client to create a tunnel to
> > the server.  For testing, I disabled user authentication (there is only
> > one cert in this CA).  My --debug log is below.  I added an fprintf
> > into the do..while loop in tls_read().  It looks like the client is
> > closing the stream.
> > 
> > Before I go wandering down the wrong path, can you check my attached
> > config to make sure I'm not missing anything simple?
> 
> 
> I don't think you're missing anything. This server was designed to
> provide whatever openconnect was using. It could be that the anyconnect
> client is more picky. Does this client have a debug mode, or does it
> output anything helpful?

I get "Banner Success", then a split second later, "The VPN client failed
to establish a connection."  No debug mode, sorry.

> I'm wondering whether that client asks for any HTTP urls resources that
> aren't supported. Could you try debugging using the current head?

Sure, btw I'm getting a build error with latest head, building the
manpage.  I'll look into it later.  Would like to get it working first.

Here are the logs with --tls-debug:

ocserv[16819]: [X.X.X.116]:54382 HTTP: User-Agent: AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 3.0.09115
ocserv[16819]: [X.X.X.116]:54382 HTTP: Host: lakedaemon.net
ocserv[16819]: [X.X.X.116]:54382 HTTP: Accept: */*
ocserv[16819]: [X.X.X.116]:54382 HTTP: Accept-Encoding: identity
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-Transcend-Version: 1
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-Transcend-Version: 1
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09115
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-AnyConnect-Identifier-PlatformVersion: 6.1.2
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone4,1
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-AnyConnect-Identifier-Device-UniqueID: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
ocserv[16819]: [X.X.X.116]:54382 HTTP: X-Aggregate-Auth: 1
ocserv[16819]: [X.X.X.116]:54382 HTTP: Connection: close
ocserv[16819]: [X.X.X.116]:54382 HTTP: Content-Length: 320
ocserv[16819]: [X.X.X.116]:54382 HTTP: Content-Type: application/x-www-form-urlencoded
ocserv[16819]: [X.X.X.116]:54382 sending authentication request
ocserv[16816]: [main] assigning tun device vpn0
ocserv[16816]: [X.X.X.116]:54382 user 'C=US,O=Home,CN=jason_iphone' of group '[unknown]' authenticated
ocserv[16819]: [X.X.X.116]:54382 User 'C=US,O=Home,CN=jason_iphone' logged in
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 17 and target length: 17
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[2] Application Data(23) in epoch 1 and length: 42
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 24 and target length: 24
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[3] Application Data(23) in epoch 1 and length: 49
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 20 and target length: 20
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[4] Application Data(23) in epoch 1 and length: 45
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 24 and target length: 24
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[5] Application Data(23) in epoch 1 and length: 49
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 100 and target length: 100
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[6] Application Data(23) in epoch 1 and length: 125
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Preparing Packet Application Data(23) with length: 98 and target length: 98
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[7] Application Data(23) in epoch 1 and length: 123
ocserv[16819]: TLS[<4>]: REC[0x56f48]: SSL 3.1 Alert packet received. Epoch 0, length: 22
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Expected Packet Application Data(23)
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Received Packet Alert(21) with length: 22
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Decrypted Packet[2] Alert(21) with length: 2
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Alert[1|0] - Close notify - was received
ocserv[16819]: TLS[<2>]: ASSERT: gnutls_record.c:1160
gnutls_record_recv returned 0
ocserv[16819]: [X.X.X.116]:54382 error receiving client data (0)


thx,

Jason.
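The record trace above can be read mechanically. As an added example (not code from this thread, from ocserv or from GnuTLS), the script below parses ocserv's --tls-debug output, totals the application-data records the server managed to send, recognises the peer's close_notify alert (GnuTLS prints alerts as Alert[level|description]; description 0 is close_notify per RFC 5246) and flags the ARCFOUR-128 (RC4) cipher that this session negotiated, a cipher RFC 7465 later prohibited for TLS. The sample log is copied from the post; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Patterns for the GnuTLS record-layer debug lines as ocserv relays them (assumed stable
# for the GnuTLS version in the post; other versions may word these lines differently).
SENT_RE = re.compile(r"Sent Packet\[(\d+)\] ([A-Za-z ]+)\((\d+)\) in epoch (\d+) and length: (\d+)")
ALERT_RE = re.compile(r"Alert\[(\d+)\|(\d+)\] - (.+?) - was received")
CIPHER_RE = re.compile(r"cipher: ([A-Z0-9-]+), MAC: ([A-Z0-9-]+)")
ERR_RE = re.compile(r"error receiving client data \((-?\d+)\)")


@dataclass
class TlsSummary:
    sent: list = field(default_factory=list)     # (packet_no, content_type, epoch, wire_length)
    alerts: list = field(default_factory=list)   # (level, description_code, description_text)
    ciphers: set = field(default_factory=set)    # (cipher, mac) pairs seen on ENC lines
    recv_error: Optional[int] = None             # return code ocserv logged from its read path


def parse_tls_log(lines):
    """Walk the log lines in order and collect record-layer events."""
    summary = TlsSummary()
    for line in lines:
        if m := SENT_RE.search(line):
            summary.sent.append((int(m.group(1)), m.group(2), int(m.group(4)), int(m.group(5))))
        elif m := ALERT_RE.search(line):
            summary.alerts.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif m := CIPHER_RE.search(line):
            summary.ciphers.add((m.group(1), m.group(2)))
        elif m := ERR_RE.search(line):
            summary.recv_error = int(m.group(1))
    return summary


def diagnose(summary):
    """Classify how the session ended and note weak ciphers, from the parsed events."""
    # TLS alert levels: 1 = warning, 2 = fatal; description 0 = close_notify (RFC 5246 7.2).
    fatal = [a for a in summary.alerts if a[0] == 2]
    close_notify = any(desc == 0 for _level, desc, _text in summary.alerts)
    if fatal:
        closed_by = "peer-fatal-alert"
    elif close_notify and summary.recv_error == 0:
        # gnutls_record_recv() returning 0 after close_notify is an orderly peer shutdown,
        # not a server-side failure: the client chose to hang up.
        closed_by = "peer-orderly"
    elif summary.recv_error is not None:
        closed_by = "transport-error"
    else:
        closed_by = "unknown"
    return {
        "closed_by": closed_by,
        "records_sent": len(summary.sent),
        "wire_bytes": sum(rec[3] for rec in summary.sent),
        # RC4 is named ARCFOUR in GnuTLS; RFC 7465 prohibits it in TLS.
        "weak_ciphers": sorted({c for c, _mac in summary.ciphers if c.startswith("ARCFOUR")}),
    }


# Lines copied from the ocserv --tls-debug output in the post above.
SAMPLE_LOG = """\
ocserv[16819]: TLS[<9>]: ENC[0x56f48]: cipher: ARCFOUR-128, MAC: SHA1, Epoch: 1
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[2] Application Data(23) in epoch 1 and length: 42
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[3] Application Data(23) in epoch 1 and length: 49
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[4] Application Data(23) in epoch 1 and length: 45
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[5] Application Data(23) in epoch 1 and length: 49
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[6] Application Data(23) in epoch 1 and length: 125
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Sent Packet[7] Application Data(23) in epoch 1 and length: 123
ocserv[16819]: TLS[<4>]: REC[0x56f48]: SSL 3.1 Alert packet received. Epoch 0, length: 22
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Received Packet Alert(21) with length: 22
ocserv[16819]: TLS[<4>]: REC[0x56f48]: Alert[1|0] - Close notify - was received
ocserv[16819]: TLS[<2>]: ASSERT: gnutls_record.c:1160
gnutls_record_recv returned 0
ocserv[16819]: [X.X.X.116]:54382 error receiving client data (0)
"""

if __name__ == "__main__":
    report = diagnose(parse_tls_log(SAMPLE_LOG.splitlines()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the stderr of `ocserv --tls-debug` instead of the embedded sample to check a live session; a "peer-orderly" verdict after only a handful of application records points at the client rejecting what the server sent rather than at a TLS or authentication failure, which is the conclusion the thread is working towards.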
