Add --no-http-keepalive option to help work around Cisco incompetence.
We know that certain versions of the ASA software (8.2.2.5 at least) are
buggy and will 'forget' the client's SSL certificate by the time they
receive the second request on a re-used HTTP connection. We have an
unconditional workaround for the case where we _know_ that bug will
trip, in commit 357c85e ("Always close HTTP/1.0 connection...").

Cisco's support staff are completely useless and have failed to give any
competent response to the bug report -- so not only does it look like
they won't fix it, but we don't actually know what under _other_
circumstances this same bug might manifest itself.

This patch adds an option to disable _all_ connection re-use. The
intention is that users can try it out if they encounter problems, then
report to the mailing list that it worked so that we can work out how
to trigger it automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Apr 9, 2010
1 parent fe00b0e commit 185f832
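As an added illustration (not OpenConnect code, and not part of this commit), the connection re-use decision the commit message describes, written out as a small C function: an HTTP/1.0 response is never re-used even when it carries an explicit Connection: Keep-Alive, an HTTP/1.1 response is re-used unless the server says Connection: close, and a `no_http_keepalive` flag standing in for the new option forces a close after every response. The function names, the `close_reason` enum and the sample responses are all constructed for the example; the reason code is kept separate from the yes/no answer so a log can say why a connection was dropped, which is what a mailing-list report would need.

```c
/* Added illustration, not OpenConnect code: decide whether an HTTP response
 * allows the client to re-use the TCP/TLS connection for the next request.
 * Policy from the commit message: an HTTP/1.0 response is never re-used,
 * even with "Connection: Keep-Alive", and the no_http_keepalive flag
 * (standing in for --no-http-keepalive) forces a close after every response. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Decision plus the reason, so verbose logging can distinguish the cases. */
enum close_reason {
    REUSE_OK = 0,
    CLOSE_HTTP10,        /* HTTP/1.0 response: Keep-Alive deliberately ignored */
    CLOSE_SERVER_ASKED,  /* HTTP/1.1 response carrying Connection: close */
    CLOSE_OPTION,        /* no_http_keepalive flag set: close unconditionally */
    CLOSE_BAD_STATUS     /* unparseable status line: do not risk re-use */
};

/* Case-insensitive test that a header line begins with "<name>:" */
static int header_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Does a comma-separated Connection header value contain `token`? */
int connection_has_token(const char *value, const char *token)
{
    while (*value) {
        while (*value == ' ' || *value == '\t' || *value == ',')
            value++;
        const char *start = value;
        while (*value && *value != ',' && *value != ' ' && *value != '\t')
            value++;
        size_t len = (size_t)(value - start);
        if (len && len == strlen(token) && strncasecmp(start, token, len) == 0)
            return 1;
    }
    return 0;
}

/* response: raw header block (status line then header lines, CRLF or LF). */
enum close_reason decide_close(const char *response, int no_http_keepalive)
{
    int major, minor, status;
    if (sscanf(response, "HTTP/%d.%d %d", &major, &minor, &status) != 3)
        return CLOSE_BAD_STATUS;
    (void)status;

    int server_close = 0;
    const char *p = strchr(response, '\n');
    while (p && *++p) {                     /* walk the header lines */
        const char *end = strchr(p, '\n');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r')
            line[len - 1] = '\0';
        if (header_is(line, "Connection") &&
            connection_has_token(line + strlen("Connection:"), "close"))
            server_close = 1;
        p = end;
    }

    if (no_http_keepalive)
        return CLOSE_OPTION;                /* option wins over everything */
    if (major == 1 && minor == 0)
        return CLOSE_HTTP10;                /* never trust Keep-Alive on 1.0 */
    if (server_close)
        return CLOSE_SERVER_ASKED;
    return REUSE_OK;                        /* HTTP/1.1 is persistent by default */
}

int main(void)
{
    /* Constructed sample: the HTTP/1.0 redirect case from the commit message. */
    const char *redirect =
        "HTTP/1.0 302 Found\r\n"
        "Location: /login\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n";
    printf("HTTP/1.0 + Keep-Alive, option off: reason %d\n", decide_close(redirect, 0));
    printf("same response, option on:          reason %d\n", decide_close(redirect, 1));
    return 0;
}
```

The order of the checks matters only for the reason code: with the option set the connection is closed whatever the server said, which is exactly the `closeconn || vpninfo->no_http_keepalive` behaviour in http.c, while the HTTP/1.0 rule reproduces the earlier unconditional workaround.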
Showing 4 changed files with 31 additions and 1 deletion.
2 changes: 1 addition & 1 deletion http.c
@@ -290,7 +290,7 @@ static int process_http_response(struct openconnect_info *vpninfo, int *result,
}
}

if (closeconn) {
if (closeconn || vpninfo->no_http_keepalive) {
SSL_free(vpninfo->https_ssl);
vpninfo->https_ssl = NULL;
close(vpninfo->ssl_fd);
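Review bot: the forced close is decided only at the `if (closeconn || vpninfo->no_http_keepalive)` site, so a verbose trace cannot tell an option-forced close from one the server asked for (Connection: close or an HTTP/1.0 response). Since the option exists to gather reports about when the ASA bug trips, consider folding the flag into `closeconn` where that is computed, or logging when `vpninfo->no_http_keepalive` is the reason for the teardown, so the log a user attaches to a mailing-list report shows which path closed the connection.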
7 changes: 7 additions & 0 deletions main.c
@@ -95,6 +95,7 @@ static struct option long_options[] = {
{"disable-ipv6", 0, 0, 0x05},
{"no-proxy", 0, 0, 0x06},
{"libproxy", 0, 0, 0x07},
{"no-http-keepalive", 0, 0, 0x08},
{NULL, 0, 0, 0},
};

@@ -140,6 +141,7 @@ void usage(void)
printf(" --disable-ipv6 Do not ask for IPv6 connectivity\n");
printf(" --dtls-ciphers=LIST OpenSSL ciphers to support for DTLS\n");
printf(" --no-dtls Disable DTLS\n");
printf(" --no-http-keepalive Disable HTTP connection re-use\n");
printf(" --no-passwd Disable password/SecurID authentication\n");
printf(" --passwd-on-stdin Read password from standard input\n");
printf(" --reconnect-timeout Connection retry timeout in seconds\n");
@@ -327,6 +329,11 @@ int main(int argc, char **argv)
autoproxy = 1;
proxy = NULL;
break;
case 0x08:
fprintf(stderr, "Disabling all HTTP connection re-use due to --no-http-keepalive option.\n"
"If this helps, please report to <openconnect-devel@lists.infradead.org>.\n");
vpninfo->no_http_keepalive = 1;
break;
case 's':
vpninfo->vpnc_script = optarg;
break;
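Review bot: the `fprintf(stderr, ...)` under `case 0x08` prints on every invocation that uses the option, including non-interactive or scripted ones, and hard-codes the <openconnect-devel@lists.infradead.org> address that the man page hunk also carries. Consider dropping the runtime message, or printing it only at a verbosity level, and keeping the "please report" request in the man page alone so the two copies cannot drift apart.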
22 changes: 22 additions & 0 deletions openconnect.8
@@ -134,6 +134,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
.B --no-dtls
]
[
.B --no-http-keepalive
]
[
.B --no-passwd
]
[
@@ -298,6 +301,25 @@ Set OpenSSL ciphers to support for DTLS
.B --no-dtls
Disable DTLS
.TP
.B --no-http-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
the client's SSL certificate when HTTP connections are being re-used for
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
.B Connection: Keep-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.

However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
to disable ALL re-use of HTTP sessions and cause a new connection to be
made for each request. If your server seems not to be recognising your
certificate, try this option. If it makes a difference, please report
this information to the
.B openconnect-devel@lists.infradead.org
mailing list.
.TP
.B --no-passwd
Never attempt password (or SecurID) authentication
.TP
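Review bot: the first sentence of the `--no-http-keepalive` entry pins the bug to "Version 8.2.2.5 of the Cisco ASA software", while the commit message says "8.2.2.5 at least"; suggest "Version 8.2.2.5 (at least) of the Cisco ASA software" so the man page does not read as though other versions are known to be clean. It would also help to name the earlier workaround commit (357c85e, cited in the commit message) next to the "v2.22" reference so readers of the man page source can find it.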
1 change: 1 addition & 0 deletions openconnect.h
@@ -173,6 +173,7 @@ struct openconnect_info {
char *dtls_ciphers;
uid_t uid_csd;
int uid_csd_given;
int no_http_keepalive;

char *cookie;
struct vpn_option *cookies;
