On 13/01/2011 22:34, David Woodhouse wrote:
> On Wed, 2011-01-12 at 11:10 +0100, Guillaume Rousse wrote:
>>
>> Here is my client command line:
>> ~/.juniper_networks/network_connect/ncsvc \
>> -h beria.zarb.home \
>> -u rousse \
>> -r smi \
>> -f /etc/pki/tls/certs/localhost.crt
>
> There's no -m option here. If you look in
> ~/.juniper_networks/network_connect/ .log you'll probably see a line
> like:
>
> 20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)
>
> It doesn't like the self-signed cert on your "server". For the above
> example log line, you want to add '-m ecb77116a55194c4dfba8e9aa0cc862e'
> to your ncsvc invocation. Obviously, yours will differ from mine.
>
> You *may* need to use the -m option with a dummy argument just to make
> it give this log line; I'm not sure.

It works better now, thanks.

I tried the cut/paste gymnastics between s_server and s_client.

Client:
GET / HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0

Server:
HTTP/1.1 302 Found
Location: https://portail.saclay.inria.fr/dana-na/auth/url_default/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Connection: close

Client:
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0
Host: portail.saclay.inria.fr
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
User-Agent: DSClient; Linux
Content-length: 0
Cookie: DSSIGNIN=url_default; DSSignInURL=/; DSIVS=

Server:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 25 Jan 2011 16:50:39 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1

<html>
[a full web page here]
</html>

Client:
ERROR
140007421920936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Beyond the reason of the error, there are two suspicious issues here:

1) is it expected to have the binary acting as a web client, requesting
user-targeted web forms? The submit action of this form triggers a
javascript function, and I don't think the binary has an embedded
javascript interpreter to work as a robot...

2) the initial client request is wrong, it should be 'GET /smi', due to
the usage of -r smi to ncsvc, not 'GET /' (the former leads to the
user-targeted service, the second to the admin-targeted service)

My setup seems to be insufficient to correctly work as a traffic proxy.

-- 
BOFH excuse #138: BNC (brain not connected)
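
Added example, not part of the original message or of any Juniper tooling: a shell helper for the step described in the quoted reply, pulling computed_hash out of the ncsvc log for use with -m, plus a check that a later log still shows the value you pinned. The function names, the "last matching line wins" rule and the second and third sample log lines are assumptions; the first sample line is the one quoted above.

```shell
#!/bin/sh
# Added example. Log format copied from the dsssl.error line quoted in the
# message; the log path is supplied by the caller.

# Print computed_hash from the last well-formed dsssl.error line in the log.
# "Last line wins" is an assumption, so that a stale entry is not reused.
ncsvc_computed_hash() {
    [ -r "$1" ] || { echo "cannot read log: $1" >&2; return 2; }
    hash=$(sed -n 's/.* dsssl\.error .*computed_hash = \([0-9a-fA-F]\{32\}\) .*/\1/p' "$1" | tail -n 1)
    [ -n "$hash" ] || { echo "no dsssl.error hash line in $1" >&2; return 1; }
    printf '%s\n' "$hash" | tr 'A-F' 'a-f'
}

# Compare the hash in the log with the value already passed to -m.
# Returns 0 on match, 3 if the log shows a different certificate hash.
ncsvc_check_pin() {
    seen=$(ncsvc_computed_hash "$1") || return $?
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$seen" = "$pinned" ]; then
        return 0
    fi
    echo "certificate hash changed: pinned $pinned, log shows $seen" >&2
    return 3
}

# Constructed sample log: line 1 is the one quoted in the message, lines 2
# and 3 are made up (an unrelated entry and a truncated hash to be ignored).
write_sample_log() {
    cat > "$1" <<'EOF'
20101228160000.207947 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 6f13afc3c6815ab480b2ddc27406ba4b, computed_hash = ecb77116a55194c4dfba8e9aa0cc862e (DSSSLSock.cpp:761)
20101228160001.000000 ncsvc[p21179.t21179] constructed.info unrelated line
20101228160002.000000 ncsvc[p21179.t21179] dsssl.error ive_cert_hash = 0, computed_hash = abc123 (constructed)
EOF
}

# Demo on the constructed log: print the option to add to the ncsvc call.
demo_log=$(mktemp) && write_sample_log "$demo_log"
echo "-m $(ncsvc_computed_hash "$demo_log")"
rm -f "$demo_log"
```

A non-zero return from ncsvc_check_pin means the server certificate hash is no longer the one you accepted, which deserves a look before re-pinning.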