Determining webvpn cookie lifetime?

Daniel Lenski dlenski at gmail.com
Mon Dec 28 11:24:52 PST 2015


On Tue, Dec 22, 2015 at 12:05 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2015-12-22 at 00:33 +0000, Daniel Lenski wrote:
>>
>> However, if I use one process to get the webvpn cookie, and another
>> process to feed the cookie to the gateway, it is rejected, even if
>> the cookie is used IMMEDIATELY:
>>
>> $ echo -n password \
> | openconnect gateway.com -u USER --passwd-on-stdin --cookieonly \
>> | openconnect gateway.com --cookie-on-stdin --dump-http-traffic
>>
>> Is there some other piece of "state" which is preserved within each
>> openconnect process, which changes when I try to use the cookie from
>> another process?
>
> No, there really shouldn't be anything. Certainly nothing deliberate.
> The requests should be identical.
>
> If you compare the requests with --dump-http-traffic can you see any
> differences? Also use tcpdump to capture the traffic on the wire, and
> we'll see if there's any unexpected difference in the TLS negotiation.

> When your single process repeats the connection, is it coming from the
> same local port number?

I took a look with Wireshark and the local port number is NOT the same
between the two connections (first, to authenticate and get the
cookie, second, to actually start the VPN).

What actually seems to be happening here is that this gateway requires
the cookie-using connection to have started AFTER the
cookie-generating connection. If I change the above formulation from a
pipe to a sequential invocation of the two processes, now it does
work. This is the most ornery, difficult VPN I've ever encountered, so
I guess this is not so surprising. :-(

# This doesn't work

$ echo -n password \
| openconnect gateway.com -u USER --passwd-on-stdin --cookieonly \
| openconnect gateway.com --cookie-on-stdin --dump-http-traffic

# This does work

$ WEBVPN_COOKIE=$(echo -n password \
    | openconnect gateway.com -u USER --passwd-on-stdin --cookieonly) \
  && openconnect gateway.com -C "$WEBVPN_COOKIE" --dump-http-traffic

Thanks,
Dan
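The ordering difference Dan describes, as an added example that is not part of the original post or of the openconnect project: two stub shell functions stand in for the two openconnect invocations (get_cookie for --cookieonly, use_cookie for --cookie-on-stdin), and a log file records when each stub "connects". The stub consumer is assumed to open its gateway connection at startup and only then read the cookie from stdin; that is a constructed model of the failure mode, not a description of openconnect's internals. The function names, the log format and the cookie value are all assumptions. The point it shows is that a pipeline starts both processes at once, so the consumer's connection begins before the producer's has ended, whereas a command substitution followed by && cannot start the second command until the first has exited.

```shell
#!/bin/sh
# Added example, not from the original post or from openconnect.
# Stubs simulate the two openconnect runs and log their connection order.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Stub for "openconnect --cookieonly": run the authentication connection,
# then print the cookie on stdout (constructed value).
get_cookie() {
    echo "auth-connect-start" >> "$LOG"
    sleep 1                              # time spent in the auth exchange
    echo "auth-connect-end" >> "$LOG"
    echo "webvpn=0123456789abcdef"       # constructed cookie
}

# Stub for "openconnect --cookie-on-stdin": assumed to open its connection
# first and read the cookie afterwards (assumption, not openconnect's code).
use_cookie() {
    echo "vpn-connect-start" >> "$LOG"
    read -r cookie
    echo "vpn-connect-end cookie=$cookie" >> "$LOG"
}

# Succeeds only if the VPN connection started after the auth connection ended,
# which is the ordering the gateway in the thread appears to require.
ordered() {
    auth_end=$(grep -n '^auth-connect-end' "$LOG" | cut -d: -f1)
    vpn_start=$(grep -n '^vpn-connect-start' "$LOG" | cut -d: -f1)
    [ -n "$auth_end" ] && [ -n "$vpn_start" ] && [ "$vpn_start" -gt "$auth_end" ]
}

# Pipeline form: both stubs are started concurrently by the shell.
run_pipeline() {
    : > "$LOG"
    get_cookie | use_cookie
    ordered
}

# Sequential form: use_cookie cannot start until get_cookie has exited.
run_sequential() {
    : > "$LOG"
    cookie=$(get_cookie) && printf '%s\n' "$cookie" | use_cookie
    ordered
}

if run_pipeline; then
    echo "pipeline: VPN connection started after auth finished"
else
    echo "pipeline: VPN connection started BEFORE auth finished"
fi
if run_sequential; then
    echo "sequential: VPN connection started after auth finished"
else
    echo "sequential: VPN connection started BEFORE auth finished"
fi
```

The log is the only shared state between the stubs, so the same check works for any pair of commands whose relative start order matters; replace the stubs with the real openconnect commands and timestamps from --dump-http-traffic or a packet capture to verify the order on a live gateway.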



More information about the openconnect-devel mailing list