Can't connect with DTLS, using SSL instead

Abdulla Bubshait darkstego at gmail.com
Thu Sep 28 10:51:21 PDT 2017


> It appears from your log that the server is not sending any
> information to the client about how to connect with DTLS; there are no
> X-DTLS-* response headers.

That is what I noticed as well. I could not find any DTLS response, and
checking the code path, an empty vpninfo->dtls_options would give the same
nondescript fail message I am getting. I do not know if a DTLS channel is
ever negotiated.

> The log you sent only includes the headers in the *server response* to
> the CONNECT.
>
> Can you include more of the log, including the headers *sent by
> openconnect* along with the CONNECT request?
>

I am unsure how to get any more log messages. I am already running with -vvvv.
I don't know if the headers sent by openconnect are logged to vpn_progress.
But I have attached below all the logs prior to the server response.
In addition, the version of openconnect (running on Arch):

$ openconnect -V
OpenConnect version v7.08
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP
software token, Yubikey OATH, System keys, DTLS

$ sudo openconnect -u user --servercert sha256:cert.... -vvvv
company.com                       :
POST https://company.com/
Attempting to connect to server ip:443
Connected to ip:443
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 303 See Other
Content-Type: text/html
Content-Length: 0
Location: https://company.com:443/webvpn.html
Set-Cookie: webvpncontext=00 at MainVPNContext; path=/; Secure
Connection: Keep-Alive
HTTP body length:  (0)
GET https://company.com/
Attempting to connect to server ip:443
Connected to ip:443
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 303 See Other
Content-Type: text/html
Content-Length: 0
Location: https://company.com:443/webvpn.html
Set-Cookie: webvpncontext=00 at MainVPNContext; path=/; Secure
Connection: Keep-Alive
HTTP body length:  (0)
GET https://company.com.sa/webvpn.html
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpncontext=00 at MainVPNContext; path=/; Secure
X-Transcend-Version: 1
Content-Length: 473
Connection: close
HTTP body length:  (473)
Please enter your username and password.
PASSWORD:
POST https://company.com/webvpn.html
SSL negotiation with company.com
Server certificate verify failed: signer not found
Connected to HTTPS on company.com
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT;
path=/; Secure
Set-Cookie: webvpn=<elided>; path=/; Secure
Set-Cookie: webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:8AEED847FECA7681FDE9A33D5B0BAB39D86C3&;
path=/; Secure
X-Transcend-Version: 1
Content-Length: 130
Connection: Keep-Alive
HTTP body length:  (130)
TCP_INFO rcv mss 536, snd mss 536, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.200.200.175
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 10.200.200.11
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Default-Domain: company.com
X-CSTP-Split-Include: 10.200.200.0/255.255.255.0
X-CSTP-Split-Include: 10.200.0.0/255.255.0.0
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 2100
X-CSTP-Idle-Timeout: 2100
X-CSTP-Session-Timeout: 0
X-CSTP-Keepalive: 30
CSTP connected. DPD 300, Keepalive 30
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Set up DTLS failed; using SSL instead
Connected as 10.200.200.175, using SSL
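
The check discussed in this message (did the server's CONNECT response carry any X-DTLS-* headers?) can be run mechanically over a saved -vvvv log. The following is an added example, not part of the original post and not openconnect code; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: tail of an `openconnect -vvvv` log shaped like the one in
# the post (the address is a documentation placeholder, not from the post).
SAMPLE_LOG = """\
Got HTTP response: HTTP/1.1 200 OK
X-Transcend-Version: 1
HTTP body length:  (130)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.0.2.10
X-CSTP-MTU: 1406
X-CSTP-DPD: 300
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
"""

# A logged header line looks like "Name: value" with no spaces in the name.
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def connect_response_headers(log_text):
    """Collect X-CSTP-* and X-DTLS-* headers from the last CONNECT response."""
    found = {"X-CSTP-": [], "X-DTLS-": []}
    in_connect = False
    for line in log_text.splitlines():
        if line.startswith("Got CONNECT response:"):
            # A reconnect logs a new response; keep only the latest one.
            in_connect, found = True, {"X-CSTP-": [], "X-DTLS-": []}
            continue
        m = HEADER.match(line.strip()) if in_connect else None
        if m is None:
            in_connect = False  # first non-header line ends the response block
            continue
        for prefix in found:
            if m.group(1).upper().startswith(prefix):
                found[prefix].append((m.group(1), m.group(2)))
    return found

def diagnose(log_text):
    """Say, from the log alone, whether the server ever offered DTLS."""
    headers = connect_response_headers(log_text)
    if not headers["X-CSTP-"]:
        return "no CONNECT response found in log"
    if not headers["X-DTLS-"]:
        return "server sent no X-DTLS-* headers; DTLS was never offered"
    if "Set up DTLS failed" in log_text:
        return "server offered DTLS, but DTLS setup still failed"
    return "server offered DTLS"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```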


