On 18.02.2013 11:32, David Woodhouse wrote:
> On Mon, 2013-02-18 at 10:48 +0100, Michael Helmling wrote:
>> Thank you, the issue does not occur with openconnect-4.99, but it does
>> in 4.08.
>> In the debug output of 4.08 the line
>> "DTLS option X-DTLS-MTU : 1418"
>> appears, while with 4.99 the correct value 1330 appears there. I guess
>> that's the point. So the issue will be fixed with the next release version?
> Hm, I didn't think we'd done anything that would *fix* that between 4.08
> and 4.99; I'd like to make sure I fully understand what's going on and
> make sure it's really fixed and will *remain* fixed.
>
> Please could I see the full debug output of 4.99 when you connect with
> the '-v' option on the command line? And also 4.08, preferably. Thanks.
>
The logs are attached. With both versions 4.08 and 4.99 I also get this
certificate warning, which does not happen under 4.07, while I believe that
the SSL certificate is in fact valid. But that seems a different story. :-)

-------------- next part --------------
$ sudo ./openconnect -v -u xxx at rhrk.uni-kl.de --authgroup=Split_Tunnel vpn.uni-kl.de
Attempting to connect to server 131.246.118.6:443
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname
Certificate from VPN server "131.246.118.6" failed verification.
Reason: certificate does not match hostname
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 131.246.118.6
GET https://131.246.118.6/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 18 Feb 2013 11:39:00 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on 131.246.118.6
GET https://131.246.118.6/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give
Please enter your username and password.
Password:
POST https://131.246.118.6/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:2385B92C063FA8B84D433871088D2AAD9400B2E9&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2FTU-KL_all.xml&fh:A032E3D143CA182D0C849DEC2855B0635818FC31; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 131.246.83.45
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Address: 2001:638:208:fd4d::101a
X-CSTP-Netmask: 2001:638:208:fd4d::101a/64
X-CSTP-DNS: 131.246.9.116
X-CSTP-DNS: 131.246.1.116
X-CSTP-NBNS: 131.246.121.11
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: triple-a.uni-kl.de
X-CSTP-Split-Include: 131.246.0.0/255.255.0.0
X-CSTP-Split-Include: 192.68.165.0/255.255.255.0
X-CSTP-Split-Include: 192.68.166.0/255.255.254.0
X-CSTP-Split-Include: 192.68.168.0/255.255.254.0
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 20377D0F362FC423A24FB579A4F9B3888FA0D1ECD767C666F08FCDE74B778AFC
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 1331
X-DTLS-MTU: 1418
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : 20377D0F362FC423A24FB579A4F9B3888FA0D1ECD767C666F08FCDE74B778AFC
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 1800
DTLS option X-DTLS-MTU : 1418
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as xxx.xxx.xxx.xxx + 2001:xxxxxx, using SSL
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 16000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 80 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 59 bytes
Sending uncompressed data packet of 59 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 110 bytes
Received uncompressed data packet of 145 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 72 bytes
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes
Sending uncompressed data packet of 72 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes
Sending uncompressed data packet of 72 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 80 bytes

-------------- next part --------------
$ sudo ./openconnect -v -u xxx at rhrk.uni-kl.de --authgroup=Split_Tunnel vpn.uni-kl.de
Attempting to connect to server 131.246.118.6:443
SSL negotiation with 131.246.118.6
No match for altname 'vpn.uni-kl.de'
No altname in peer cert matched '131.246.118.6'
Server certificate verify failed: certificate does not match hostname
Certificate from VPN server "131.246.118.6" failed verification.
Reason: certificate does not match hostname
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 131.246.118.6
POST https://131.246.118.6/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Feb 2013 11:45:28 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Password:
POST https://131.246.118.6/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Feb 2013 11:45:31 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 131.246.83.79
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Address: 2001:638:208:fd4d::1071
X-CSTP-Netmask: 2001:638:208:fd4d::1071/64
X-CSTP-DNS: 131.246.9.116
X-CSTP-DNS: 131.246.1.116
X-CSTP-NBNS: 131.246.121.11
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: triple-a.uni-kl.de
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: F0D6308AB9B440133B0AE70497125937B40B9631C5264AF185DF0D7BF82BFF5E
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 1330
X-DTLS-MTU: 1330
X-DTLS-CipherSuite: AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <?xml version="1.0" encoding="UTF-8"?><config-auth client="vpn" type="complete"><version who="sg">9.1(1)</version><session-id>267235328</session-id><session-token>1401035405 at 267235328@1361187931 at FF8A2667E3D594D74FD2B8257133B5CE0BFC10DB</session-token><auth id="success"><message id="0" param1="" param2=""></message></auth><config client="vpn" type="private"><vpn-base-config><base-package-uri>/CACHE/stc/7</base-package-uri><server-cert-hash>2385B92C063FA8B84D433871088D2AAD9400B2E9</server-cert-hash></vpn-base-config><opaque is-for="vpn-client"><service-profile-manifest><ServiceProfiles rev="1.0">
  <Profile service-type="user"> <FileName></FileName> <FileExtension>xml</FileExtension> <Directory></Directory> <DeployDirectory></DeployDirectory> <Description>AnyConnect VPN Profile</Description> <DownloadRemoveEmpty>false</DownloadRemoveEmpty> </Profile>
  <Profile service-type="nam"> <FileName>configuration.xml</FileName> <FileExtension>nsp</FileExtension> <Directory>Network Access Manager\system</Directory> <DeployDirectory>Network Access Manager\newConfigFiles</DeployDirectory> <Description>NAM Service Profile</Description> <DownloadRemoveEmpty>false</DownloadRemoveEmpty> </Profile>
  <Profile service-type="feedback"> <FileName>CustomerExperience_Feedback.xml</FileName> <FileExtension>fsp</FileExtension> <Directory>CustomerExperienceFeedback</Directory> <DeployDirectory>CustomerExperienceFeedback</DeployDirectory> <Description>Feedback Service Profile</Description> <DownloadRemoveEmpty>false</DownloadRemoveEmpty> </Profile>
  <Profile service-type="telemetry"> <FileName>Telemetry_ServiceProfile.xml</FileName> <FileExtension>tsp</FileExtension> <Directory>Telemetry</Directory> <DeployDirectory>Telemetry</DeployDirectory> <Description>Telemetry Service Profile</Description> <DownloadRemoveEmpty>false</DownloadRemoveEmpty> </Profile>
  <Profile service-type="websecurity"> <FileName>WebSecurity_ServiceProfile.wso</FileName> <FileExtension>wsp</FileExtension> <DerivedFileExtension>wso</DerivedFileExtension> <Directory>websecurity</Directory> <DeployDirectory>websecurity</DeployDirectory> <Description>Web Security Service Profile</Description> <DownloadRemoveEmpty>false</DownloadRemoveEmpty> </Profile></ServiceProfiles></service-profile-manifest><vpn-client-pkg-version><pkgversion>3,1,02026</pkgversion></vpn-client-pkg-version><vpn-core-manifest><vpn rev="1.0">
  <file version="3.1.02026" id="VPNCore" is_core="yes" type="script" action="install"> <uri>binaries/vpnsetup.sh</uri> <display-name>AnyConnect Secure Mobility Client</display-name> </file>
  <file version="3.1.02026" id="DART" is_core="no" type="script" action="install" module="dart"> <uri>binaries/dartsetup.sh</uri> <display-name>AnyConnect DART</display-name> </file>
  <file version="3.1.02026" id="Posture" is_core="no" type="script" action="install" module="posture"> <uri>binaries/posturesetup.sh</uri> <display-name>AnyConnect Posture</display-name> </file></vpn></vpn-core-manifest><custom-attr></custom-attr></opaque><vpn-profile-manifest><vpn rev="1.0"><file type="profile" service-type="user"><uri>/CACHE/stc/profiles/TU-KL_all.xml</uri><hash type="sha1">A032E3D143CA182D0C849DEC2855B0635818FC31</hash></file></vpn></vpn-profile-manifest></config></config-auth>
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : F0D6308AB9B440133B0AE70497125937B40B9631C5264AF185DF0D7BF82BFF5E
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 1800
DTLS option X-DTLS-MTU : 1330
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 131.xxx.xxx.xxx + 2001:xxxxx, using SSL
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 159 bytes
No work to do; sleeping for 19000 ms...
Sending uncompressed data packet of 76 bytes
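Added triage helper, not part of this mail or of openconnect itself: it pulls the MTU negotiation and the certificate-check outcome out of 'openconnect -v' output like the two logs above and reports which facts differ between runs, which is the comparison being made in this thread. The log excerpts inside it are constructed from the attachments, and the flag wording is mine.

```python
import re

# Constructed excerpts modelled on the two 'openconnect -v' logs attached to the mail.
LOG_408 = """\
Server certificate verify failed: certificate does not match hostname
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
X-CSTP-MTU: 1331
X-DTLS-MTU: 1418
"""
LOG_499 = LOG_408.replace("1331", "1330").replace("1418", "1330")

PATTERNS = {  # one regex per numeric fact pulled out of a run
    "cstp_mtu": re.compile(r"^X-CSTP-MTU:\s*(\d+)"),
    "dtls_mtu": re.compile(r"^X-DTLS-MTU:\s*(\d+)"),
    "mss": re.compile(r"^TCP_INFO .*snd mss (\d+)"),
    "pmtu": re.compile(r"^TCP_INFO .*pmtu (\d+)"),
}

def parse_session(log):
    """Extract the MTU negotiation and the certificate-check outcome from one run."""
    facts = {key: None for key in PATTERNS}
    facts["cert_failed"] = facts["cert_overridden"] = False
    for line in log.splitlines():
        if line.startswith("Server certificate verify failed"):
            facts["cert_failed"] = True
        # The prompt line ends with whatever the user typed at it.
        elif line.startswith("Enter 'yes' to accept") and line.split()[-1] == "yes":
            facts["cert_overridden"] = True
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                facts[key] = int(m.group(1))
    return facts

def findings(facts):
    """Triage flags for a single run; the wording is ours, not openconnect's."""
    out = []
    if facts["cert_overridden"]:
        out.append("certificate verification failed and was overridden at the prompt")
    elif facts["cert_failed"]:
        out.append("certificate verification failed")
    cstp, dtls = facts["cstp_mtu"], facts["dtls_mtu"]
    if cstp is not None and dtls is not None and dtls != cstp:
        out.append(f"X-DTLS-MTU {dtls} differs from X-CSTP-MTU {cstp} (pmtu {facts['pmtu']})")
    return out

def compare_runs(old_log, new_log):
    # Facts that changed between two client versions, as (old, new) pairs.
    a, b = parse_session(old_log), parse_session(new_log)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}
```

Run it against the full attachments and the 4.08 run is the only one with a DTLS/CSTP MTU disagreement, while the overridden certificate check shows up in both.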