Hi!

I'm adding more information about my previous email (the --no-xmlpost need).
Here is the output using --no-xmlpost (works) and without using it (fails):

# openconnect --no-xmlpost --cafile=ca-bundle.pem --csd-wrapper=ohsd.py --certificate=user.pem --sslkey=user.key https://sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/
Connected to 129.33.252.51:443
Using client certificate 'Sergio Henrique Moraes Durand'
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://sasvpn01.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/CACHE/sdesktop/install/binaries/sfinst
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with sasvpn01.pok.ibm.com
Open Honor System Desktop: gateway ACCEPTED our response
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
GET https://sasvpn01.pok.ibm.com/+webvpn+/index.html
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 9.80.201.86, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).

# openconnect --cafile=ca-bundle.pem --csd-wrapper=ohsd.py --certificate=user.pem --sslkey=user.key https://sasvpn01.pok.ibm.com
POST https://sasvpn01.pok.ibm.com/
Connected to 129.33.252.51:443
Using client certificate 'Sergio Henrique Moraes Durand'
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
POST https://sasvpn01.pok.ibm.com/
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
XML POST enabled
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://sasvpn01.pok.ibm.com/+CSCOE+/sdesktop/wait.html
Open Honor System Desktop: gateway ACCEPTED our response
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
POST https://sasvpn01.pok.ibm.com/
SSL negotiation with sasvpn01.pok.ibm.com
Connected to HTTPS on sasvpn01.pok.ibm.com
Failed to obtain WebVPN cookie

Thanks!
Sergio H. M. Durand

On Tue, Sep 15, 2015 at 11:57 PM, Sérgio Durand <linux at durand.eti.br> wrote:
> Hi!
>
> I'm trying to connect to our corporate VPN but it only works using the
> --no-xmlpost parameter.
> My tests with openconnect 7.06 fail if I don't use --no-xmlpost
> ("Failed to obtain WebVPN cookie").
> I also tried the latest commit available in Git, same problem.
>
> It stopped working after openconnect 5.03.
> OC 5.03 works fine without --no-xmlpost.
> In fact, reading the code I see that it first tries to use xmlpost,
> then fails, but automatically it tries again setting vpninfo->xmlpost
> to 0, then works.
>
> In the openconnect manual page there is a mention that if --no-xmlpost is
> needed, it is because there is a bug.
> So, here we are :)
>
> Before writing this mail I tried to identify what could be going wrong.
> I have debugged the cstp_obtain_cookie() function of the auth.c file.
>
> I believe the problem could be there.
> More specifically in the Step 2 block.
> BTW, there is no Step 3 in the source code. It jumps to Step 4 :)
>
> Any suggestions on what my next steps could be?
>
> Thanks!
> Sergio H. M. Durand