AW: AW: OpenConnect v9.01 - "--protocol=pulse" does not work with TPM2

Schütz Dominik Dominik.Schuetz at esolutions.de
Wed May 4 11:26:15 PDT 2022


Thank you for the guidance :)

I'll try to solve it myself first. I'll get back to you then.

Regards,
Dominik

-----Ursprüngliche Nachricht-----
Von: David Woodhouse <dwmw2 at infradead.org> 
Gesendet: Mittwoch, 4. Mai 2022 19:39
An: Schütz Dominik <Dominik.Schuetz at esolutions.de>; openconnect-devel at lists.infradead.org
Betreff: Re: AW: OpenConnect v9.01 - "--protocol=pulse" does not work with TPM2

On Wed, 2022-05-04 at 16:54 +0000, Schütz Dominik wrote:
> unfortunately I can't send the output of "-vv --dump-http-traffic"
> because it contains company-specific information.

Fair enough, although that obviously makes it difficult to try to help.

Without even seeing the final offending EAP-TTLS (or not?) packet that it didn't like, it's hard to even guess about what's happening.

Note that a public-facing VPN server will be receiving hundreds or more likely thousands of *random* connection attempts per day. To reproduce this and have a chance of helping you, I wouldn't need to get any further than any of those random port scans do — I don't need a username, a password, or a certificate or anything like that; just the IP address that is receiving thousands of stray connections a day.

But OK, if you're not comfortable with that, then take a look at that final packet and see what it is. Is it a *different* EAP type? Have they changed to EAP-TLS or something else? Does it change if you vary the user-agent you advertise (see the comments in the source about the way that changes things).

Those are rhetorical questions, of course, intended to help guide you if you want to try to solve this on your own. I don't *actually* have any real insight into this other than having watched the Windows client attempt to connect through a MITM proxy, and trying to work out what the many levels of nested binary protocols actually were.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6003 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20220504/facb4a22/attachment-0001.p7s>


More information about the openconnect-devel mailing list