There is an interesting attack published against HTTPS-based protocols, described in [0]. In that paper methods are described to get the password length and discover an IPv4 address transferred within HTTPS-encrypted sessions. For that the author uses the length of the transferred packets.

The attack may be applicable in certain scenarios. For openconnect (the ocserv and anyconnect client), the password length has been hidden since version 5.99, as we make sure that the length of the packet transferring the password is a multiple of 64 (see http.c and X-Pad). Thus it is not vulnerable to this kind of attack for the password length. For discovering the IPv4 range to which a VPN client is connected, that could be possible, but I am not sure whether that warrants further investigation or a fix.

regards,
Nikos

[0]. http://lwn.net/SubscriberLink/672278/522256f5d4de3196/ and https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
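
The padding idea mentioned in the message, sketched as an added example (this is not openconnect's code from http.c): a request is padded to a multiple of 64 bytes with an X-Pad header so that passwords of different lengths yield the same request length. The `/auth` path, the `password=` form field, the `'0'` filler and the function name `build_padded_request` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PAD_BLOCK 64  /* block size named in the message */

/* Builds a POST request whose total length is a multiple of PAD_BLOCK by
 * adding an X-Pad header filled with '0'. The filler and header layout are
 * assumptions for this sketch. Returns the length, or -1 on overflow. */
int build_padded_request(char *out, size_t outsz, const char *path, const char *body)
{
    static const char pad_hdr[] = "X-Pad: ";
    char head[256];
    size_t blen = strlen(body), plen = sizeof(pad_hdr) - 1;
    int hlen = snprintf(head, sizeof(head),
                        "POST %s HTTP/1.1\r\n"
                        "Content-Type: application/x-www-form-urlencoded\r\n"
                        "Content-Length: %zu\r\n", path, blen);
    if (hlen < 0 || (size_t)hlen >= sizeof(head))
        return -1;

    /* Everything except the filler: headers, "X-Pad: ", two CRLFs, body. */
    size_t fixed = (size_t)hlen + plen + 4 + blen;
    size_t pad = PAD_BLOCK - fixed % PAD_BLOCK;  /* 1..64, never empty */
    size_t total = fixed + pad;
    if (total + 1 > outsz)
        return -1;

    char *p = out;
    memcpy(p, head, (size_t)hlen); p += hlen;
    memcpy(p, pad_hdr, plen);      p += plen;
    memset(p, '0', pad);           p += pad;
    memcpy(p, "\r\n\r\n", 4);      p += 4;
    memcpy(p, body, blen);         p += blen;
    *p = '\0';
    return (int)total;
}

int main(void)
{
    /* Constructed sample bodies with passwords of different lengths. */
    const char *bodies[] = { "password=abc", "password=abcdefghijkl",
        "password=0123456789012345678901234567890123456789" };
    char req[512];
    for (size_t i = 0; i < 3; i++)
        printf("body %2zu bytes -> request %d bytes\n", strlen(bodies[i]),
               build_padded_request(req, sizeof(req), "/auth", bodies[i]));
    return 0;
}
```

The first two bodies produce requests of identical length, while the third lands in the next 64-byte bucket: padding hides the exact length but not which bucket the request falls into.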