First, my complements to the developers for taking the time to reverse engineer this proprietary protocol and giving us an open alternative. I'm running OpenConnect built from the 7.05 tarball on 32-bit Lubuntu 14.10. Several weeks ago I tried using OpenConnect to connect to a business partner's Juniper VPN server using some test credentials, and all worked fine. Yesterday they supplied the real credentials, along with a certificate (test setup didn't use a cert), and a different VPN server URL, and now I get "Failed to obtain WebVPN cookie." Below is a redacted transcript of the session. I've skimmed through the list archives and didn't see any relevant postings. (I also did a web search on the above error messages and a few of the messages that appear upstream of it in the log.) I see on: http://www.infradead.org/openconnect/juniper.html a section regarding "Host Checker." What would be the displayed error message if that was required? (The link to the repository for the tncc-wrapper.py script seems to be obsolete. I found a copy here: http://git.infradead.org/users/dwmw2/openconnect.git/blob_plain/HEAD:/tncc-wrapper.py It was also unclear whether this approach needs just that script, or also the compiled libraries from the ncsvc-socks-wrapper project. Running OpenConnect with the addition of '--useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=../tncc-wrapper/tncc-wrapper.py' has no apparent impact on the behavior or logged transcript.) (It may also be relevant to note that I'm also seeing a failure when I attempt a traditional login to this VPN via a web browser. When I tried connecting to the partner's test server via Firefox, it successfully authenticated and launched the Java VPN client. Now it is successfully authenticating (including accepting the installed certificate), but not launching the Java app. While debugging this I also tried using the partner's VPN server that they use for employees, rather than business partners, and in that case it launched tncc.jar, but never went beyond that. This might suggest they don't have tncc.jar as a requirement for the VPN connections with partners.) Transcript: $ sudo ./openconnect -v -v --juniper -c /path/cert.pfx --disable-ipv6 https://example.com/dana-na/auth/url_3/welcome.cgi WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support. GET https://example.com/dana-na/auth/url_3/welcome.cgi Attempting to connect to server 167.79.177.50:443 Using certificate file /path/cert.pfx Enter PKCS#12 pass phrase: Using client certificate 'cert' SSL negotiation with example.com Connected to HTTPS on example.com Got HTTP response: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Date: Thu, 09 Apr 2015 21:01:21 GMT x-frame-options: SAMEORIGIN Connection: close Pragma: no-cache Cache-Control: no-store Expires: -1 HTTP body http 1.0 (-1) SSL socket closed uncleanly frmLogin username:myid password: POST https://example.com/dana-na/auth/url_3/login.cgi SSL negotiation with example.com Connected to HTTPS on example.com Failed to read from SSL socket: Rehandshake was requested by the peer. Error fetching HTTPS response Failed to obtain WebVPN cookie Suggestions? Thanks, -Tom
