Re: OpenConnect 8.08 release
The webview addition sounds really interesting. Certainly would be interested in testing that when something is available. I am curious, are these additions planned to land sometime this year? Thanks for all the great work and support.

On Mon, Apr 6, 2020 at 5:59 PM David Woodhouse wrote:
>
> Third release in a week. I'm going to try really hard not to make
> another one for a while... although not *too* long because we're
> working on the webview support which will improve the authentication
> capability and add proper SAML support. We want to work out a stable
> interface for that before it makes it into a release though.
>
> What *is* in this release is a fix for case sensitivity of pin-sha256
> hashes in the --servercert option, a fix for a crash when OIDC mode was
> selected but no token provided, and some more improvements to the CSD
> trojan handling when there's no stderr.
>
> ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz
> ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz.asc
>
> David Woodhouse (12):
>       Disable GnuTLS version check for COPR build
>       Disable GnuTLS version check for CI builds
>       Make csd-post.sh cope with not being able to write to stdout
>       Open /dev/null instead of passing non-functional stderr to CSD trojans
>       Fix matching of pin-sha256: public key hashes to be case-sensitive
>       Update translations from GNOME
>       Check for failure opening /dev/null
>       Fix SEGV on empty OIDC token
>       Add tests for --servercert matching
>       Changelog for OIDC NULL fix
>       Import pending Fedora 31 updates to fix CI
>       Tag version 8.08

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Trying to connect Pulse Secure VPN: XML response has no "auth" node
On Mon, 2020-04-06 at 21:19 +0200, videoclocknet wrote:
> I've tried with 3 different commands, which are:
> 1.- openconnect https://vpnserver.com/path -c mycertificate.p12
> --dump-http-traffic -

That's trying Cisco AnyConnect (the default).

> 2.- openconnect
> https://vpnserver.com/dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm
> -c mycertificate.p12 --dump-http-traffic -

So is that.

> 3.- openconnect
> https://vpnserver.com/dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm
> -c mycertificate.p12 --dump-http-traffic - --protocol=gp

And that one is trying GlobalProtect.

Try --protocol=pulse or --protocol=nc.
Trying to connect Pulse Secure VPN: XML response has no "auth" node
Hi!

I'm trying to connect to our Pulse Secure VPN through openconnect. Trying different things, but with no success.

Here is my Linux version and my openconnect version:

casa@casa:~/Downloads/openconnect-8.07$ uname -a
Linux casa 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

casa@casa:~/Downloads/openconnect-8.07$ openconnect --version
OpenConnect version v8.07
Using OpenSSL 1.0.2n 7 Dec 2017. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
casa@casa:~/Downloads/openconnect-8.07$

I've tried with 3 different commands, which are:

1.- openconnect https://vpnserver.com/path -c mycertificate.p12 --dump-http-traffic -
2.- openconnect https://vpnserver.com/dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm -c mycertificate.p12 --dump-http-traffic -
3.- openconnect https://vpnserver.com/dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm -c mycertificate.p12 --dump-http-traffic - --protocol=gp

Here is the output of all 3:

casa@casa:~/Downloads/openconnect-8.07$ openconnect https://vpnserver.com/path -c mycertificate.p12 --dump-http-traffic -
POST https://vpnserver.com/sara3
Attempting to connect to server 2.3.4.5:443
Connected to 2.3.4.5:443
Using certificate file mycertificate.p12
Enter PKCS#12 pass phrase:
Using client certificate '/CN=WHATEVER_CN/serialNumber=WHATEVER/OU=WHATEVER_OU/O=WHATEVER/L=MY_CITY/ST=MY_STATE/C=MY_COUNTRY'
SSL negotiation with vpnserver.com
Matched peer certificate subject name 'vpnserver.com'
Connected to HTTPS on vpnserver.com with ciphersuite TLSv1.2-AES128-GCM-SHA256
> POST /path HTTP/1.1
> Host: vpnserver.com
> User-Agent: Open AnyConnect VPN Agent v8.07
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00
> Content-Type: application/xml; charset=utf-8
> Content-Length: 210
>
> who="vpn">v8.07linux-64https://vpnserver.com/path
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/url_132/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_132; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/sara3; path=/; secure
Connection: close
Content-Length: 0
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://vpnserver.com/path
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with vpnserver.com
Matched peer certificate subject name 'vpnserver.com'
Connected to HTTPS on vpnserver.com with ciphersuite TLSv1.2-AES128-GCM-SHA256
> GET /path HTTP/1.1
> Host: vpnserver.com
> User-Agent: Open AnyConnect VPN Agent v8.07
> Cookie: DSSIGNIN=url_132; DSSignInURL=/sara3
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-Pad:
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/url_132/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_132; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/sara3; path=/; secure
Connection: close
Content-Length: 0
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://vpnserver.com/dana-na/auth/url_132/welcome.cgi
SSL negotiation with vpnserver.com
Matched peer certificate subject name 'vpnserver.com'
Connected to HTTPS on vpnserver.com with ciphersuite TLSv1.2-AES128-GCM-SHA256
> GET /dana-na/auth/url_132/welcome.cgi HTTP/1.1
> Host: vpnserver.com
> User-Agent: Open AnyConnect VPN Agent v8.07
> Cookie: DSSIGNIN=url_132; DSSignInURL=/sara3
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-Pad:
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 302 Moved
Date: Mon, 06 Apr 2020 18:42:46 GMT
location: /dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
GET https://vpnserver.com/dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm
SSL negotiation with vpnserver.com
Matched peer certificate subject name 'vpnserver.com'
Connected to HTTPS on vpnserver.com with ciphersuite TLSv1.2-AES128-GCM-SHA256
> GET /dana-na/auth/url_132/login.cgi?realm=SARA3%20Realm HTTP/1.1
> Host: vpnserver.com
> User-Agent: Open AnyConnect VPN Agent v8.07
> Cookie: DSSIGNIN=url_132; DSSignInURL=/sara3
> Accept: */*
>
Re: GlobalProtect login returned unexpected argument value arg[19]=4
On Sun, Apr 5, 2020 at 11:53 PM Hamish Waterer wrote:
>
> Hi,
>
> I just compiled v8.07 from source and noticed the following in the
> output when testing.
>
> GlobalProtect login returned authentication-source=AUTH_PROF_OKTA_SAML_PRD
> GlobalProtect login returned unexpected argument value arg[19]=4
> Please report 1 unexpected values above (of which 0 fatal) to
>
> /opt/openconnect/sbin/openconnect --version
> OpenConnect version v8.07
> Using GnuTLS 3.4.10. Features present: PKCS#11, RSA software token,
> HOTP software token, TOTP software token, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> Please let me know if you require any further information.

Thanks for reporting this! This is the 2nd or 3rd time I've seen a report of this unknown value in this unknown field (https://gitlab.com/openconnect/openconnect/blob/HEAD/auth-globalprotect.c#L260) and… I still don't know what it means :)

Your VPN doesn't by any chance support IPv6 when using the official clients, does it?

Thanks,
Dan
OpenConnect 8.08 release
Third release in a week. I'm going to try really hard not to make another one for a while... although not *too* long because we're working on the webview support which will improve the authentication capability and add proper SAML support. We want to work out a stable interface for that before it makes it into a release though.

What *is* in this release is a fix for case sensitivity of pin-sha256 hashes in the --servercert option, a fix for a crash when OIDC mode was selected but no token provided, and some more improvements to the CSD trojan handling when there's no stderr.

ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz.asc

David Woodhouse (12):
      Disable GnuTLS version check for COPR build
      Disable GnuTLS version check for CI builds
      Make csd-post.sh cope with not being able to write to stdout
      Open /dev/null instead of passing non-functional stderr to CSD trojans
      Fix matching of pin-sha256: public key hashes to be case-sensitive
      Update translations from GNOME
      Check for failure opening /dev/null
      Fix SEGV on empty OIDC token
      Add tests for --servercert matching
      Changelog for OIDC NULL fix
      Import pending Fedora 31 updates to fix CI
      Tag version 8.08
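To illustrate the --servercert fix in this release, here is an added example (written for this page, not OpenConnect's own C code) of why pin-sha256 values must be compared case-sensitively while hex sha1:/sha256: fingerprints need not be; the DER blobs are constructed placeholders and only full-value matching is modelled:

```python
import base64
import hashlib
import hmac

# Constructed sample inputs (not from any real server): a stand-in for the DER
# SubjectPublicKeyInfo of the peer certificate and for the certificate itself.
# In practice the SPKI comes from e.g.:
#   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der
SAMPLE_SPKI_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004") + b"\xab" * 64
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469-style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_bytes(pin: str) -> bytes:
    """Decode a pin back to the raw digest it encodes."""
    return base64.b64decode(pin)


def cert_fingerprint(kind: str, cert_der: bytes) -> str:
    """Lower-case hex sha1/sha256 fingerprint over the whole certificate DER."""
    return hashlib.new(kind, cert_der).hexdigest()


def servercert_matches(option: str, spki_der: bytes, cert_der: bytes) -> bool:
    """Emulate full-value --servercert matching (TYPE:VALUE).

    Hex digits carry no information in their case, so sha1:/sha256: values are
    folded to lower case before comparing.  Base64 does distinguish 'a' from 'A',
    so a pin-sha256: value must be compared exactly as given (the 8.08 fix).
    """
    kind, sep, value = option.partition(":")
    if not sep:
        raise ValueError("expected TYPE:VALUE")
    kind = kind.lower()
    if kind == "pin-sha256":
        return hmac.compare_digest(value.encode(), pin_sha256(spki_der).encode())
    if kind in ("sha1", "sha256"):
        return hmac.compare_digest(value.lower().encode(), cert_fingerprint(kind, cert_der).encode())
    raise ValueError(f"unknown fingerprint type: {kind}")


def pre_808_pin_matches(option: str, spki_der: bytes) -> bool:
    """The buggy behaviour: a case-insensitive compare accepts a 'pin' whose
    letters have been flipped, even though it decodes to a different digest."""
    kind, _, value = option.partition(":")
    return kind.lower() == "pin-sha256" and value.lower() == pin_sha256(spki_der).lower()
```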
GlobalProtect login returned unexpected argument value arg[19]=4
Hi,

I just compiled v8.07 from source and noticed the following in the output when testing.

GlobalProtect login returned authentication-source=AUTH_PROF_OKTA_SAML_PRD
GlobalProtect login returned unexpected argument value arg[19]=4
Please report 1 unexpected values above (of which 0 fatal) to

> /opt/openconnect/sbin/openconnect --version
OpenConnect version v8.07
Using GnuTLS 3.4.10. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

Please let me know if you require any further information.

Thanks,
Hamish