Bug 981911
Summary: | openconnect login failed response | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John L Magee <jlmagee> |
Component: | openconnect | Assignee: | David Woodhouse <dwmw2> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | | |
Version: | 19 | CC: | auroux, calba, cernekee, cesar.alba, dwmw2, jlmagee, negativo17 |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openconnect-5.02-1.fc20 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 964329 | Environment: | |
Last Closed: | 2014-01-03 08:30:53 UTC | Type: | Bug |
Description
John L Magee
2013-07-06 23:03:15 UTC
Oops, just replied in https://bugzilla.redhat.com/show_bug.cgi?id=964329#c37 before looking at this one...

Btw, regarding the '-cafile /etc/pki/vapa.crt' on your command line: In F19 you should be able to move that file to /etc/pki/ca-trust/source/anchors, run 'update-ca-trust' and then *every* application should trust the certificates therein. If *anything* in F19 doesn't trust your company's CA after you put it there, you can file a bug. You should never need to use '--cafile' or other manual configuration in individual applications.

I think this new issue is actually the same as the one described at http://lists.infradead.org/pipermail/openconnect-devel/2013-June/001079.html ?

This is indeed probably an issue with xmlpost. I'm experiencing the issue with wrong auth group selection (using openconnect-5.01-1.fc19.x86_64) -- openconnect attempts to connect to the default authgroup no matter what I specify.

Denis

Hi,

Any update on this?

There is a discovery I made yesterday. The .i686 version (openconnect-5.01-1.fc19.i686) is working (some redaction on hostnames done)

```
[root@nomada ~]# openconnect -c /home/calba/GOD/DSN/CAP-20130221.pfx -u calba -v --no-cert-check https://dsn-access.hi.inet/dsn-vendor
POST https://dsn-access.hi.inet/dsn-vendor
Attempting to connect to server 10.26.204.209:443
Using certificate file /home/calba/GOD/DSN/CAP-20130221.pfx
Enter PKCS#12 pass phrase:
Using client certificate 'Users'
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 07 Nov 2013 11:24:09 GMT
Location: /+webvpn+/index.html
Set-cookie: tg=0dsn-vendor; path=/; secure
HTTP body length: (0)
GET https://dsn-access.hi.inet/dsn-vendor
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 07 Nov 2013 11:24:09 GMT
Location: /+webvpn+/index.html
Set-cookie: tg=0dsn-vendor; path=/; secure
HTTP body length: (0)
GET https://dsn-access.hi.inet/+webvpn+/index.html
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Password:
POST https://dsn-access.hi.inet/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:EC89757D6F9620ECA06C67A8C6B31C2BC44FCB86&sh:4E2AED85C8CBC264AB989125D9F4921F6001E4DF&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.26.204.121
X-CSTP-Netmask: 255.255.255.224
X-CSTP-DNS: 10.26.205.34
X-CSTP-DNS: 10.26.205.35
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: om.dsn.inet
X-CSTP-Split-Include: 10.26.232.0/255.255.252.0
X-CSTP-Split-Include: 10.26.231.0/255.255.255.0
X-CSTP-Split-Include: 81.45.59.240/255.255.255.240
X-CSTP-Split-Include: 10.26.204.240/255.255.255.240
X-CSTP-Split-Include: 10.26.204.128/255.255.255.192
X-CSTP-Split-Include: 172.31.192.0/255.255.255.0
X-CSTP-Split-Include: 10.26.204.0/255.255.255.192
X-CSTP-Split-Include: 172.31.0.0/255.255.248.0
X-CSTP-Split-Include: 10.26.205.0/255.255.255.0
X-CSTP-Split-Include: 172.31.128.0/255.255.248.0
X-CSTP-Split-Include: 10.26.204.224/255.255.255.240
X-CSTP-Split-Include: 172.31.64.0/255.255.248.0
X-CSTP-Split-Include: 10.26.236.128/255.255.255.192
X-CSTP-Split-Include: 10.26.202.0/255.255.254.0
X-CSTP-Split-Include: 10.26.236.64/255.255.255.192
X-CSTP-Split-Include: 172.31.96.0/255.255.255.0
X-CSTP-Split-Include: 10.26.236.192/255.255.255.240
X-CSTP-Split-Include: 10.10.26.21/255.255.255.255
X-CSTP-Split-Include: 10.10.26.22/255.255.255.255
X-CSTP-Split-Include: 10.10.26.23/255.255.255.255
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-Banner: Welcome%20to%20dSN%20Platform%0A
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 82BC14802460DB8E6FA9664AE1CA59680C4D2BD9C79B59C8FA67F42D05FC85F9
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1355
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: true
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
Connect Banner:
| Welcome to dSN Platform
|
DTLS option X-DTLS-Session-ID : 82BC14802460DB8E6FA9664AE1CA59680C4D2BD9C79B59C8FA67F42D05FC85F9
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as 10.26.204.121, using SSL
No work to do; sleeping for 20000 ms...
DTLS handshake timed out
DTLS handshake failed: Resource temporarily unavailable, try again.
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
```

For 64 bits:

```
[root@prefect ~]# rpm -q openconnect
openconnect-5.01-1.fc19.x86_64
```

-------------------------- Without --no-xmlpost --------------------

```
[root@prefect ~]# openconnect -c /home/calba/GOD/DEP/dSN1/CAP-20130221.pfx -u calba -v --no-cert-check https://dsn-access.hi.inet/dsn-vendor
POST https://dsn-access.hi.inet/dsn-vendor
Attempting to connect to server 10.26.204.209:443
Using certificate file /home/calba/GOD/DEP/dSN1/CAP-20130221.pfx
Enter PKCS#12 pass phrase:
Using client certificate 'Users'
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 07 Nov 2013 11:29:41 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Password:
POST https://dsn-access.hi.inet/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 07 Nov 2013 11:29:44 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Login failed.
...
```

------------------ with --no-xmlpost --------------------------

```
[root@prefect ~]# openconnect -c /home/calba/GOD/DEP/dSN1/CAP-20130221.pfx -u calba --no-xmlpost --no-cert-check https://dsn-access.hi.inet/dsn-vendor
GET https://dsn-access.hi.inet/dsn-vendor
Attempting to connect to server 10.26.204.209:443
Enter PKCS#12 pass phrase:
Using client certificate 'Users'
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://dsn-access.hi.inet/+webvpn+/index.html
SSL negotiation with dsn-access.hi.inet
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on dsn-access.hi.inet
Please enter your username and password.
Password:
POST https://dsn-access.hi.inet/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connect Banner:
| Welcome to dSN Platform
|
Connected tun0 as 10.26.204.121, using SSL
^CSend BYE packet: Client received SIGINT
```

openconnect-5.02-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openconnect-5.02-1.fc20

openconnect-5.02-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openconnect-5.02-1.fc19

openconnect-5.02-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

openconnect-5.02-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
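
An added example, not part of the bug thread or of openconnect's own code: a small triage helper for `openconnect -v` session logs like the ones posted above. It reports which authentication flow the server answered with, how the session ended, and whether certificate verification failed. The sample logs and the host `vpn.example.com` are constructed, and the function name `triage` is hypothetical.

```python
import re

# Constructed samples in the style of `openconnect -v` output;
# vpn.example.com is a placeholder host.
XMLPOST_LOG = """\
POST https://vpn.example.com/group
Server certificate verify failed: certificate does not match hostname
Got HTTP response: HTTP/1.1 200 OK
X-Aggregate-Auth: 1
XML POST enabled
POST https://vpn.example.com/
Login failed.
"""
LEGACY_LOG = """\
POST https://vpn.example.com/group
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://vpn.example.com/+webvpn+/index.html
POST https://vpn.example.com/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
"""

def triage(log):
    """Summarise one verbose session: auth flow, outcome, certificate problems."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    # The server's reply, not the client's first verb, decides the flow: both
    # samples open with POST, but only one gets an aggregate-auth answer.
    xmlpost = any(ln == "XML POST enabled" or
                  re.match(r"(?i)x-aggregate-auth:\s*1$", ln) for ln in lines)
    cert_failures = sorted({ln.split(":", 1)[1].strip() for ln in lines
                            if ln.startswith("Server certificate verify failed:")})
    if any(ln.startswith("CSTP connected") for ln in lines):
        outcome = "connected"
    elif any(ln.startswith("Login failed") for ln in lines):
        outcome = "login_failed"
    else:
        outcome = "unknown"
    notes = []
    if xmlpost and outcome == "login_failed":
        notes.append("XML POST flow rejected; compare a run with --no-xmlpost")
    if cert_failures:
        notes.append("server certificate failed verification; fix trust or "
                     "hostname instead of relying on --no-cert-check")
    return {"auth_flow": "xmlpost" if xmlpost else "legacy", "outcome": outcome,
            "cert_failures": cert_failures, "notes": notes}

if __name__ == "__main__":
    for name, log in (("xmlpost", XMLPOST_LOG), ("legacy", LEGACY_LOG)):
        print(name, triage(log))
```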