Thanks for adding the --no-xmlpost flag in 5.01; I've been unable to use newer versions since 4.99 added XML POST support. Now, using 5.01, I can connect just fine again as long as I use the --no-xmlpost argument.

First, just as the token (Set-Cookie: webvpn) is stripped from the log output, I'd strongly suggest that the password value in the XML POST content be masked out with a default string instead of including the literal password. The password is also included in plaintext in the HTML URL-encoded content, which should likewise be masked. To me, verbose and dump-traffic output still shouldn't expose the password unless I explicitly say --show-plaintext-passwords or similar, for the corner case where a developer doesn't think the password is being read or encoded properly.

For the XML POST processing, it looks like it's not properly (fully?) processing the --authgroup parameter to use the selected group (as long as it's returned in the list as being available). Instead of blindly using the tunnel-group and group-alias offered initially, it should use what is specified. I'm not familiar with the details and differences between <group-select> and <tunnel-group>, but this looks quite suspicious.

Another interesting note is that the HTML version includes a value="name" with a friendly name for the option content, but the XML offering doesn't seem to include that; e.g. SecureGroupC appears in the HTML version but not at all in the XML one. In the HTML response, the content references the friendly name (SecureGroupC) instead of the name contained within the element body (GROUPC_VPN).

Listed in-line below are (heavily edited) traces of connection attempts with and without the argument. Thanks for all your work to create and maintain openconnect!
Joel

****************
*** XML Post ***
****************

$ sudo openconnect vpn.example.org --verbose --dump-http-traffic --authgroup GROUPC_VPN -u username at example.org
POST https://vpn.example.org/
Attempting to connect to server 192.168.100.254:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> POST / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 208
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version
> who="vpn">v5.01</version><device-id>linux-64</device-id><group-access>https://vpn.example.org</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 13 Jun 2013 00:00:00 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">9.1(1)</version>
< <opaque is-for="sg">
< <tunnel-group>GROUPA</tunnel-group>
< <group-alias>GROUPA_VPN</group-alias>
< <config-hash>1234567890000</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPA_VPN</option>
< <option>GROUPB_VPN</option>
< <option>GROUPC_VPN</option>
< <option>GROUPD_VPN</option>
< </select>
< </form>
< </auth>
< </config-auth>
XML POST enabled
Please enter your username and password.
Password:
POST https://vpn.example.org/
> POST / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 430
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version
> who="vpn">v5.01</version><device-id>linux-64</device-id><opaque
> is-for="sg">
> <tunnel-group>GROUPA</tunnel-group>
> <group-alias>GROUPA_VPN</group-alias>
> <config-hash>1234567890000</config-hash>
> </opaque><auth><username>username at example.org</username><password>PaSsWoRd</password></auth><group-select>GROUPC_VPN</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 13 Jun 2013 00:00:00 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">9.1(1)</version>
< <opaque is-for="sg">
< <tunnel-group>GROUPA</tunnel-group>
< <group-alias>GROUPA_VPN</group-alias>
< <config-hash>1234567890000</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <error id="15" param1="" param2="">Login failed.</error>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">GROUPA_VPN</option>
< <option>GROUPB_VPN</option>
< <option>GROUPC_VPN</option>
< <option>GROUPD_VPN</option>
< </select>
< </form>
< </auth>
< </config-auth>
Login failed.

*******************
*** No XML Post ***
*******************

$ sudo openconnect vpn.example.org --verbose --dump-http-traffic --no-xmlpost --authgroup GROUPC_VPN -u username at example.org
GET https://vpn.example.org/
Attempting to connect to server 192.168.100.254:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> GET / HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 13 Jun 2013 00:00:00 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://vpn.example.org/+webvpn+/index.html
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
> GET /+webvpn+/index.html HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
>
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="GROUPA" noaaa="0" >GROUPA_VPN</option><option value="GROUPB_VPN" noaaa="0" >GROUPB_VPN</option><option value="SecureGroupC" noaaa="0" >GROUPC_VPN</option><option value="GROUPD_VPN" noaaa="0" >GROUPD_VPN</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Password:
POST https://vpn.example.org/+webvpn+/index.html
> POST /+webvpn+/index.html HTTP/1.1
> Host: vpn.example.org
> User-Agent: Open AnyConnect VPN Agent v5.01
> Accept: */*
> Accept-Encoding: identity
> Cookie: webvpnlogin=1
> X-Transcend-Version: 1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 89
>
> group%5flist=SecureGroupC&username=username%40example%2Eorg&password=PaSsWoRd
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=<**redacted**>
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="success">
< <title>SSL VPN Service</title>
< <message>Success</message>
< <success/>
< </auth>
<
TCP_INFO rcv mss 1370, snd mss 1370, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
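The two points raised in the post (honouring --authgroup against the server's offered list, where the HTML form's submit value can differ from the label the user sees, and masking passwords and session cookies in --dump-http-traffic output) as an added example. This is illustrative Python written for this page, not openconnect's own code: the auth-request and form below are constructed from the trimmed traces above, the reply builder simply echoes the server's <opaque> blob unchanged as the trace shows openconnect doing, and the version string, device-id and mask string are assumed values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed auth-request, trimmed from the XML POST trace in the post.
AUTH_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">9.1(1)</version>
<opaque is-for="sg">
<tunnel-group>GROUPA</tunnel-group>
<group-alias>GROUPA_VPN</group-alias>
<config-hash>1234567890000</config-hash>
</opaque>
<auth id="main">
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
<select name="group_list" label="GROUP:">
<option selected="true">GROUPA_VPN</option>
<option>GROUPB_VPN</option>
<option>GROUPC_VPN</option>
<option>GROUPD_VPN</option>
</select>
</form>
</auth>
</config-auth>"""

# Constructed form from the --no-xmlpost trace: the submitted value differs
# from the label the user sees (SecureGroupC vs GROUPC_VPN).
HTML_FORM = """<auth id="main">
<form method="post" action="/+webvpn+/index.html">
<select name="group_list" label="GROUP:">
<option value="GROUPA" noaaa="0">GROUPA_VPN</option>
<option value="GROUPB_VPN" noaaa="0">GROUPB_VPN</option>
<option value="SecureGroupC" noaaa="0">GROUPC_VPN</option>
<option value="GROUPD_VPN" noaaa="0">GROUPD_VPN</option>
</select>
</form>
</auth>"""


def offered_groups(xml_text):
    """Return [(label, submit_value)] for the server's group_list select.
    Without a value attribute (the XML POST form) the label is the value."""
    sel = ET.fromstring(xml_text).find(".//select[@name='group_list']")
    if sel is None:
        return []
    groups = []
    for opt in sel.findall("option"):
        label = (opt.text or "").strip()
        groups.append((label, opt.get("value", label)))
    return groups


def choose_group(groups, requested):
    """Resolve --authgroup against what the server offered, matching either
    the label or the submit value, and refuse anything not in the list."""
    for label, value in groups:
        if requested in (label, value):
            return value
    raise ValueError("authgroup %r not offered; choices: %s"
                     % (requested, ", ".join(l for l, _ in groups)))


def build_auth_reply(auth_request_xml, username, password, authgroup):
    """Hypothetical auth-reply builder (not openconnect's): echoes the
    server's <opaque> blob and puts the resolved group in <group-select>."""
    root = ET.fromstring(auth_request_xml)
    value = choose_group(offered_groups(auth_request_xml), authgroup)
    reply = ET.Element("config-auth", {"client": "vpn", "type": "auth-reply"})
    ET.SubElement(reply, "version", {"who": "vpn"}).text = "v5.01"  # assumed
    ET.SubElement(reply, "device-id").text = "linux-64"              # assumed
    opaque = root.find("opaque")
    if opaque is not None:
        reply.append(opaque)
    auth = ET.SubElement(reply, "auth")
    ET.SubElement(auth, "username").text = username
    ET.SubElement(auth, "password").text = password
    ET.SubElement(reply, "group-select").text = value
    return ET.tostring(reply, encoding="unicode")


MASK = "********"  # assumed replacement string
_XML_PW = re.compile(r"(<password>)(.*?)(</password>)", re.DOTALL)
_FORM_PW = re.compile(r"(^|[&?\s])(password)=([^&\s]*)", re.MULTILINE)
_COOKIE = re.compile(r"((?:Set-)?Cookie:\s*|;\s*)(webvpn|webvpnc)=([^;\s]+)")


def redact_dump(text, show_plaintext_passwords=False):
    """Mask password values (XML body and URL-encoded form) and webvpn
    session cookie values in dump output unless explicitly asked not to."""
    if show_plaintext_passwords:
        return text
    text = _XML_PW.sub(lambda m: m.group(1) + MASK + m.group(3), text)
    text = _FORM_PW.sub(lambda m: m.group(1) + m.group(2) + "=" + MASK, text)
    return _COOKIE.sub(lambda m: m.group(1) + m.group(2) + "=" + MASK, text)
```

Two things worth noting: choose_group fails closed, so a group that the server did not offer never silently falls back to the tunnel-group in the <opaque> blob, and redact_dump is applied to the log copy only, so the Content-Length the server sees is unaffected even though the masked body is shorter or longer than the original.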