[PATCH ocserv 0/4] Clean up ANYCONNECT_CLIENT_COMPAT virtual files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Some background info:

On a Cisco ASA, the contents of the installed AnyConnect web deploy
packages are accessed through https://ASA/CACHE/stc/{1,2,3,...}.  So if
the gateway has 4 web deploy packages installed, it looks like this:

ciscoasa# show run webvpn
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.04066-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable

These packages are used to feed the Java installer contraption if the
user navigates to https://ASA/ in a web browser.  The ASA's web server
uses the regex line from headinfo.txt in *.pkg to try to determine which
package matches the client's OS, based on the User-Agent header.

The URL => ASA pathname mappings for the ASA shown above are:

https://ASA/CACHE/stc/1/Windows => cache:/stc/1/Windows
https://ASA/CACHE/stc/2/Linux => cache:/stc/2/Linux
https://ASA/CACHE/stc/3/Darwin_i386 => cache:/stc/3/Darwin_i386
https://ASA/CACHE/stc/4/Linux_64 => cache:/stc/4/Linux_64

Each *.pkg file is just a zip archive.  The 0-byte Windows/Linux_64/...
files are at the top level of the archive, each of which gets unpacked
into cache:/stc/<ID>/ inside the ASA.  After authenticating and receiving
a webvpn cookie, the AnyConnect client application probes for the
presence of these files to try to find the matching package for its OS:

GET /CACHE/stc/1/index.html
(if it exists, the gateway has package #1 installed, otherwise give up)
GET /CACHE/stc/1/Linux_64
(if it doesn't exist, assume #1 is for another OS and check package #2)
GET /CACHE/stc/2/index.html
(exists, good)
GET /CACHE/stc/2/Linux_64
(assuming this succeeds, then...)
GET /CACHE/stc/2/binaries/update.txt
(compare version numbers to see if an update is needed)

The https://ASA/CACHE/stc/* links are only accessible after
authenticating, either through a browser or through a VPN client.  In
XML POST mode the gateway will explicitly specify the base:

    <base-package-uri>/CACHE/stc/2</base-package-uri>

If this node is unavailable, as is the case on ocserv, part of the path
is extracted from the webvpnc cookie (bu:/CACHE/stc) and the client tries
each number sequentially until it finds the correct package or gets a
404 on index.html.

ocserv omits the /CACHE/stc prefix; so far this seems harmless.


Kevin Cernekee (4):
  README: Update dependencies
  Fix auto-update regression on AnyConnect clients
  Add support for Mac AnyConnect client
  Remove unnecessary AnyConnect /2/* files

 README              |  6 +++---
 src/worker-extras.c |  2 +-
 src/worker-vpn.c    | 10 ++--------
 3 files changed, 6 insertions(+), 12 deletions(-)

-- 
1.8.2.1




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux