openconnect and no-xmlpost parameter

Sérgio Durand linux at durand.eti.br
Thu Sep 24 08:51:17 PDT 2015


Hi !

I'm adding more information about my previous email (the --no-xmlpost requirement).

Here is the output using --no-xmlpost (works) and without it (fails):

# openconnect --no-xmlpost --cafile=ca-bundle.pem
--csd-wrapper=ohsd.py --certificate=user.pem --sslkey=user.key
https://sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/
Connected to 129.33.252.51:443
Using client certificate 'Sergio Henrique Moraes Durand'
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn01.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/CACHE/sdesktop/install/binaries/sfinst
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with sasvpn01.pok.ibm.com
Open Honor System Desktop: gateway ACCEPTED our response
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
GET https://sasvpn01.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 9.80.201.86, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).


# openconnect --cafile=ca-bundle.pem --csd-wrapper=ohsd.py
--certificate=user.pem --sslkey=user.key https://sasvpn01.pok.ibm.com
POST https://sasvpn01.pok.ibm.com/
Connected to 129.33.252.51:443
Using client certificate 'Sergio Henrique Moraes Durand'
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
POST https://sasvpn01.pok.ibm.com/
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
XML POST enabled
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Open Honor System Desktop: gateway ACCEPTED our response
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
POST https://sasvpn01.pok.ibm.com/
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Failed to obtain WebVPN cookie

Thanks !
Sergio H. M. Durand

On Tue, Sep 15, 2015 at 11:57 PM, Sérgio Durand <linux at durand.eti.br> wrote:
> Hi !
>
> I'm trying to connect to our corporate VPN but it only works using
> --no-xmlpost parameter.
> My tests with openconnect 7.06 fail if I don't use --no-xmlpost
> ("Failed to obtain WebVPN cookie").
> I also tried the latest commit available in GIT, same problem.
>
> It stopped working after openconnect 5.03.
> OC 5.03 works fine without --no-xmlpost.
> In fact, reading the code I see that it first tries to use xmlpost,
> then fails, but then automatically tries again, setting vpninfo->xmlpost
> to 0, and then it works.
>
> In the openconnect manual page there is a mention that if --no-xmlpost is
> needed, it is because there is a bug.
> So, here we are :)
>
> Before writing this mail I tried to identify what could be going wrong.
> I have debugged the cstp_obtain_cookie() function of auth.c file.
>
> I believe the problem could be there.
> More specifically in the Step 2 block.
> BTW, there is no Step 3 in the source code. It jumps to Step 4 :)
>
> Any suggestion as to what my next steps could be?
>
> Thanks !
> Sergio H. M. Durand
