Newer AnyConnect installations may have compatibility issues with
OpenConnect for several reasons:
1) The gateway may look for new HTTP headers that are currently
missing (but recent versions of the AnyConnect client do send them).
2) The gateway can be configured to check those headers for
information like the client's host OS, and deny access if it doesn't
say e.g. "Windows."
3) They expect the auth POST data to be in XML format, rather than
just a urlencoded query string. Gateway-side support for the old
urlencoded format may be buggy, restricted by policy, or missing
altogether.
4) They expect other information in the POST data (like copying an
"opaque" field from the auth request). Some of this information is
used for things like aborting the VPN connection if the server
configuration has changed since the form was first rendered.
5) CSD/Hostscan looks like it is more closely integrated with vpnui/vpn
now. The gateway no longer provides a valid URL to the trojan binary,
and it isn't clear how to run it on its own anymore. If a CSD binary
is even available on one of the new gateways, it may be outdated and
possibly nonfunctional.
This patch set also includes fixes for a buffer overflow parsing the
server's HTTP headers, CSD child process error handling, and CSD/stoken
interaction.
BTW: Some of the _() strings were modified here. What is your preferred
method for handling the "import translations from GNOME" step? Should
the *.po file updates be rolled into any patch that adds/modifies
translatable strings, or performed as a "batch" later?
Kevin Cernekee (24):
openssl: Fix missing newline on "Failed to write" error string
http: Split HTTP redirect and cookie clear logic into helper functions
http: Fix overflow on HTTP request buffers
http: Create add_common_headers() to simplify HTTP request code
auth: Remove obsolete trace message from parse_form()
auth: Move <auth> node parsing into a separate function
auth: Introduce new XML helper functions for parse_auth_node()
auth: Don't forget to free OC_FORM_OPT_STOKEN entries
auth: Split auth form prompt logic from parsing logic
auth: Parse the new server response format
library: Add call to change reported OS name
Allow setting reported OS from the command line
auth: Add new XML POST capability
http: Split GET/POST logic into a helper function
http: Add new X-* HTTP headers
http: Record the last redirection type
csd: Don't return from run_csd_script() in the forked process
csd: Export some useful environment variables
http: Rewrite openconnect_obtain_cookie() loop
Fix a couple of valgrind warnings
stoken: Fix CSD/stoken interaction
Document new --os option
www: Use a more "stable" URL for the libstoken homepage
www: Update changelog
